April 30, 2014
In a rare move, the White House is opening up about its policies on going public — or not — with cyber-security issues and online vulnerabilities.
Presidential cyber-security co-ordinator Michael Daniel has written a surprisingly candid blog post in response to the ongoing belief that the National Security Agency had actually known about the Heartbleed bug for two years, but kept its mouth shut so it could use the flaw for its own purposes.
The Heartbleed bug — which went public a few weeks ago — was a massive vulnerability in OpenSSL, the open-source software package broadly used to encrypt Web communications.
“This case has re-ignited debate about whether the federal government should ever withhold knowledge of a computer vulnerability from the public,” Daniel wrote. “As with so many national security issues, the answer may seem clear to some, but the reality is much more complicated. One thing is clear: This administration takes seriously its commitment to an open and interoperable, secure and reliable Internet, and in the majority of cases, responsibly disclosing a newly discovered vulnerability is clearly in the national interest. This has been and continues to be the case.”
In most cases, Daniel said, disclosing vulnerabilities like Heartbleed to the public makes the most sense because it protects America’s economy and citizens, not to mention its power abroad.
However, in rare cases, going public with a flaw could be detrimental to the collection of “crucial intelligence that could thwart a terrorist attack, stop the theft of our nation’s intellectual property, or even discover more dangerous vulnerabilities that are being used by hackers or other adversaries to exploit our networks,” Daniel said.
When determining if an agency like the NSA has the right to withhold such information from the public, Daniel said the Obama administration considers the following points:
- How much is the vulnerable system used in the core Internet infrastructure, in other critical infrastructure systems, in the U.S. economy, and/or in national security systems?
- Does the vulnerability, if left unpatched, impose significant risk?
- How much harm could an adversary nation or criminal group do with knowledge of this vulnerability?
- How likely is it that we would know if someone else was exploiting it?
- How badly do we need the intelligence we think we can get from exploiting the vulnerability?
- Are there other ways we can get it?
- Could we utilize the vulnerability for a short period of time before we disclose it?
- How likely is it that someone else will discover the vulnerability?
- Can the vulnerability be patched or otherwise mitigated?
“Enabling transparency about the intersection between cyber-security and intelligence and providing the public with enough information is complicated,” Daniel said. “Too little transparency and citizens can lose faith in their government and institutions, while exposing too much can make it impossible to collect the intelligence we need to protect the nation. We weigh these considerations through a deliberate process that is biased toward responsibly disclosing the vulnerability, and by sharing this list we want everyone to understand what is at stake.”
Jennifer Cowan is the Managing Editor for SiteProNews.