Zero-day exploits aren't as important to the NSA as you think

The head of the NSA's elite hacking unit explains.

The head of the National Security Agency's elite hacking arm, Tailored Access Operations, downplayed the importance of zero-day exploits during a talk at USENIX Enigma 2016 in San Francisco this week, as spotted by Vice. Zero-day security holes are secret (and usually short-lived) software vulnerabilities -- the vendor doesn't know about them (until it does). According to TAO chief Rob Joyce, zero-day exploits are a small part of the NSA's hacking agenda.

TAO chief Rob Joyce said, "I think a lot of people think the nation states, they're running on this engine of zero-days. You go out with your master skeleton key and unlock the door and you're in. It's not that. Take these big, corporate networks, these large networks, any large network -- I will tell you that persistence and focus will get you in, will achieve that exploitation, without the zero-days."

Joyce said that there are easier, safer and more productive ways to hack a nation-state than by taking advantage of a zero-day hole. The key is persistence and focus, Joyce said.

Another arm of the US government, the Federal Bureau of Investigation, recently revealed that it exploited zero-day vulnerabilities, though it preferred not to because the points of entry were usually short-lived. It sounds like the NSA and FBI are on the same page here.