He’s been studying the U.S. policy on keeping zero-days. He said the White House generally favors disclosing them if they affect widely used infrastructure, like Cisco products. But the U.S. tries to do this without diminishing its own intelligence-gathering efforts.
“We have to have a balance here, as much as I can get frustrated with the NSA keeping things to themselves,” Healey said.
It’s still not clear if the stolen hacking tools are actually from the NSA. Although the sample files do allude to past NSA-related codenames, security researchers say the documents could have been doctored.
Still, the fear is that the stolen hacking tools are real and that more zero-day vulnerabilities may be in the hands of malicious actors.
“I wouldn’t be surprised if Congress started asking some questions,” Schulman said. The recent hack against the Democratic National Committee, and this new dump of hacking tools, has caused enough controversy to warrant U.S. lawmakers to investigate, he said.
"If this may have happened once, are there other times this has happened?" Schulman asked. "What zero-days have been in those breaches?"
Sign up for CIO Asia eNewsletters.