The White House has provided some detail on how the NSA and other US government agencies make decisions around whether to publicise tech security flaws they have discovered — or whether to keep them under wraps for intelligence purposes.
The recent Heartbleed bug has put the spotlight back on zero day flaws — hitherto unknown and unfixed security flaws — and how they are used by the US government as part of secret surveillance projects. In a blog post White House cybersecurity coordinator Michael Daniel reiterated that the US government had no prior knowledge of the existence of Heartbleed, one of the most high profile IT security flaws of recent times, but he acknowledged that the case had re-ignited debate about whether the government should ever withhold knowledge of a computer vulnerability from the public — that is, whether the intelligence or military benefits of a vulnerability outweigh the benefit to the broader internet of making the problem public and getting it fixed.
“In the majority of cases, responsibly disclosing a newly discovered vulnerability is clearly in the national interest,” he said, but warned that the downside of disclosure is that the US might “forego an opportunity to collect crucial intelligence that could thwart a terrorist attack, stop the theft of our nation’s intellectual property, or even discover more dangerous vulnerabilities that are being used by hackers or other adversaries to exploit our networks.”
He added: “Building up a huge stockpile of undisclosed vulnerabilities while leaving the internet vulnerable and the American people unprotected would not be in our national security interest. But that is not the same as arguing that we should completely forgo this tool as a way to conduct intelligence collection, and better protect our country in the long-run. Weighing these tradeoffs is not easy, and so we have established principles to guide agency decision-making in this area.”
Daniel highlighted some of the issues he considers when an agency (the NSA or FBI, for example) wants to keep a vulnerability secret:
The US government has until now provided little detail about its use of previously unknown vulnerabilities as part of surveillance, but following a number of revelations from former NSA contractor Edward Snowden it has been forced to respond.
Late last year President Obama’s Review Group on Intelligence and Communications Technologies recommended that the National Security Council should manage a regular review of US government usage of zero day attacks and said: “In rare instances, US policy may briefly authorize using a zero day for high priority intelligence collection, following senior, interagency review involving all appropriate departments.”
For the US it’s a tricky balancing act: the intelligence community would argue that its rivals around the globe will use similar flaws and that it can’t do its job without them. At the same time, undermining trust in internet technologies would be an economic disaster for the US.
However, it’s also hard to see how the interests of the US intelligence agencies and those of the wider internet community can be easily aligned.
Source: Associated Press