The head of the National Security Agency's elite hacking arm, Tailored Access Operations, downplayed the importance of zero-day exploits during a talk at USENIX Enigma 2016 in San Francisco this week, as spotted by Vice. Zero-day security holes are secret (and usually short-lived) software vulnerabilities -- the vendor doesn't know about them (until it does). According to TAO chief Rob Joyce, zero-day exploits are a small part of the NSA's hacking agenda.
TAO chief Rob Joyce said, "I think a lot of people think the nation states, they're running on this engine of zero-days. You go out with your master skeleton key and unlock the door and you're in. It's not that. Take these big, corporate networks, these large networks, any large network -- I will tell you that persistence and focus will get you in, will achieve that exploitation, without the zero-days."
Joyce said that there are easier, safer and more productive ways to hack a nation-state than by taking advantage of a zero-day hole. The key is persistence and focus, Joyce said.
Another arm of the US government, the Federal Bureau of Investigation, recently revealed that it exploited zero-day vulnerabilities, though it preferred not to because the points of entry were usually short-lived. It sounds like the NSA and FBI are on the same page here.