
White House has offered an insight into how the NSA and others make decisions about when to reveal software bugs – and which to keep secret


The White House has provided some detail on how the NSA and other US government agencies make decisions around whether to publicise tech security flaws they have discovered — or whether to keep them under wraps for intelligence purposes.

The recent Heartbleed bug has put the spotlight back on zero day flaws — hitherto unknown and unfixed security flaws — and how they are used by the US government as part of secret surveillance projects. In a blog post White House cybersecurity coordinator Michael Daniel reiterated that the US government had no prior knowledge of the existence of Heartbleed, one of the most high profile IT security flaws of recent times, but he acknowledged that the case had re-ignited debate about whether the government should ever withhold knowledge of a computer vulnerability from the public — that is, whether the intelligence or military benefits of a vulnerability outweigh the benefit to the broader internet of making the problem public and getting it fixed.

“In the majority of cases, responsibly disclosing a newly discovered vulnerability is clearly in the national interest,” he said, but warned the downside of disclosure is that the US might “forego an opportunity to collect crucial intelligence that could thwart a terrorist attack, stop the theft of our nation’s intellectual property, or even discover more dangerous vulnerabilities that are being used by hackers or other adversaries to exploit our networks.”

He added: “Building up a huge stockpile of undisclosed vulnerabilities while leaving the internet vulnerable and the American people unprotected would not be in our national security interest. But that is not the same as arguing that we should completely forgo this tool as a way to conduct intelligence collection, and better protect our country in the long-run. Weighing these tradeoffs is not easy, and so we have established principles to guide agency decision-making in this area.”

Daniel highlighted some of the issues he considers when an agency (the NSA or FBI, for example) wants to keep a vulnerability secret:

  • How much is the vulnerable system used in the core internet infrastructure, in other critical infrastructure systems, in the US economy, and/or in national security systems?
  • Does the vulnerability, if left unpatched, impose significant risk?
  • How much harm could an adversary nation or criminal group do with knowledge of this vulnerability?
  • How likely is it that the US would know if someone else was exploiting it?
  • How badly does the US need the intelligence we think we can get from exploiting the vulnerability?
  • Are there other ways the US can get it?
  • Could the US utilize the vulnerability for a short period of time before we disclose it?
  • How likely is it that someone else will discover the vulnerability?
  • Can the vulnerability be patched or otherwise mitigated?

The US government has until now provided little detail about its use of previously unknown vulnerabilities as part of surveillance, but following a number of revelations from former NSA contractor Edward Snowden it has been forced to respond.

Late last year President Obama’s Review Group on Intelligence and Communications Technologies recommended that the National Security Council should manage a regular review of US government usage of zero day attacks and said: “In rare instances, US policy may briefly authorize using a zero day for high priority intelligence collection, following senior, interagency review involving all appropriate departments.”

For the US it’s a tricky balancing act; the intelligence community would argue that its rivals around the globe will use similar flaws and that it can’t do its job without them. At the same time, undermining trust in internet technologies would be an economic disaster for the US.

However, it’s also hard to see how the interests of the US intelligence agencies and those of the wider internet community can be easily aligned.

Source: Associated Press
