TORONTO – In a bid to make citizens more confident about how the U.S. National Security Agency operates, the agency has revealed that some cyber vulnerabilities are kept secret in the interest of national security.
In a blog post, White House cybersecurity coordinator Michael Daniel discussed how the U.S. National Security Agency decides whether to keep a cyber security flaw secret, or disclose it to the public.
“Disclosing a vulnerability can mean that we forego an opportunity to collect crucial intelligence that could thwart a terrorist attack, stop the theft of our nation’s intellectual property, or even discover more dangerous vulnerabilities that are being used by hackers or other adversaries to exploit our networks,” read the blog.
The blog directly references reports that the NSA knew about and exploited the recently discovered Heartbleed bug – a flaw in OpenSSL which made it possible for hackers to snoop on encrypted Internet traffic.
In early April, Bloomberg reported that the NSA decided to keep the major vulnerability secret in the interest of national security. Both the White House and the NSA have denied these claims.
In the blog, Daniel said that building a “huge stockpile of undisclosed vulnerabilities” would not be in the interest of national security – or U.S. citizens – but he goes on to say that retaining some vulnerabilities provides a way to collect the intelligence needed to protect national security.
“Weighing these tradeoffs is not easy, and so we have established principles to guide agency decision-making in this area,” the blog read.
What exactly are those principles?
In a rare move, Daniel disclosed a list of things he said he wants to know when an agency proposes withholding knowledge of a vulnerability from the public.
Those questions include: how much the vulnerable system is used in core Internet infrastructure; whether the vulnerability, if left unpatched, imposes significant risk; how likely it is that “we would know” if someone else was exploiting it; and how likely it is that someone else will discover the vulnerability.
According to the blog, the agency also weighs whether or not it could “utilize the vulnerability for a short period of time before we disclose it.”
The NSA’s reputation took a huge hit in June after Edward Snowden’s revelations about the agency’s cyber-surveillance.
“Enabling transparency about the intersection between cybersecurity and intelligence and providing the public with enough information is complicated,” he said.
“Too little transparency and citizens can lose faith in their government and institutions, while exposing too much can make it impossible to collect the intelligence we need to protect the nation.”