In response to the revelation that the National Security Agency knew about and exploited the massive “Heartbleed” Internet security flaw, the White House has written a blog post justifying why it can keep such flaws a secret.
According to White House cybersecurity coordinator Michael Daniel, “there are no hard and fast rules” on when the government will or won’t disclose the discovery of a vulnerability.
“Disclosing a vulnerability can mean that we forego an opportunity to collect crucial intelligence that could thwart a terrorist attack, stop the theft of our nation’s intellectual property, or even discover more dangerous vulnerabilities that are being used by hackers or other adversaries to exploit our networks,” Daniel wrote.
The cybersecurity coordinator expressed agreement with critics like former agency contractor and leaker Edward Snowden, saying it’s not in the interest of U.S. national security to build a stockpile of such vulnerabilities while leaving the American people unprotected.
Snowden and cybersecurity experts have taken that argument even further, explaining that when agencies like NSA exploit bugs like Heartbleed, they risk revealing the exploit to third party entities and hackers that are then also able to take advantage of the flaw for malicious, theft-driven reasons beyond the NSA’s unethical, albeit simple, privacy invasion.
After the discovery of the Heartbleed bug earlier this month — which left up to two-thirds of all Internet traffic over at least the past two years unencrypted, unsecured and vulnerable to theft — sources close to the NSA claimed the signals intelligence agency was fully aware and took advantage of the bug for years, almost immediately after the software containing the bug hit the Web.
According to the unnamed sources, the agency left Americans’ sensitive Internet traffic including usernames, passwords, emails, credit cards, and more increasingly vulnerable while using the bug to help conduct bulk surveillance of domestic and international citizens — a violation of its core defense mission, according to cyber-experts.
The NSA has denied the allegation, and Daniel maintained the same denial in the White House post, saying, in no uncertain terms, “we had no prior knowledge of the existence of Heartbleed.”
Daniel wrote that several factors are taken into consideration when assessing whether or not to disclose a flaw, including the risk level it imposes, its potential importance to gathering intel, or whether it could be used for “a short period of time” before being revealed to the public.
“We weigh these considerations through a deliberate process that is biased toward responsibly disclosing the vulnerability, and by sharing this list we want everyone to understand what is at stake,” Daniel said.
The cybersecurity coordinator broke down the decision-making process this way:
How much is the vulnerable system used in the core internet infrastructure, in other critical infrastructure systems, in the U.S. economy, and/or in national security systems?
Does the vulnerability, if left unpatched, impose significant risk?
How much harm could an adversary nation or criminal group do with knowledge of this vulnerability?
How likely is it that we would know if someone else was exploiting it?
How badly do we need the intelligence we think we can get from exploiting the vulnerability?
Are there other ways we can get it?
Could we utilize the vulnerability for a short period of time before we disclose it?
How likely is it that someone else will discover the vulnerability?
Can the vulnerability be patched or otherwise mitigated?
The post seemingly echoes an Obama administration message and philosophy the president has maintained since the Snowden leaks forced changes to intelligence gathering policy and procedure — there will always be an indefinite clause of gray language allowing national security to trump legality and privacy in cases and criteria decided by the administration itself.