White House on Heartbleed: Disclosing Cyber Vulnerabilities Not Always Easy, Defends NSA
In light of recent cybersecurity scares such as Heartbleed and the recent Internet Explorer zero-day exploit, the White House revealed on Monday that disclosing some of these vulnerabilities to the public isn't always the easiest of choices to make.
In a rare gesture of transparency, Special Assistant to the President and Cybersecurity Coordinator Michael Daniel wrote a White House blog post Monday titled "Heartbleed: Understanding When We Disclose Cyber Vulnerabilities."
In the post, Daniel writes that cybersecurity's importance has skyrocketed in recent years as technology has become more relevant and far-reaching. Such new frontiers, he says, bring new trade-offs to weigh.
"But there are legitimate pros and cons to the decision to disclose, and the trade-offs between prompt disclosure and withholding knowledge of some vulnerabilities for a limited time can have significant consequences," Daniel said.
"Disclosing a vulnerability can mean that we forego an opportunity to collect crucial intelligence that could thwart a terrorist attack, stop the theft of our nation's intellectual property, or even discover more dangerous vulnerabilities that are being used by hackers or other adversaries to exploit our networks."
Daniel also adamantly defends the NSA's official statement that it was not aware of Heartbleed before Finnish security firm Codenomicon unearthed it a couple of weeks ago. Various reports initially accused the NSA of exploiting Heartbleed for intelligence purposes, but the agency has vehemently denied the claims.
"Too little transparency and citizens can lose faith in their government and institutions, while exposing too much can make it impossible to collect the intelligence we need to protect the nation," Daniel writes.
"We weigh these considerations through a deliberate process that is biased toward responsibly disclosing the vulnerability, and by sharing this list we want everyone to understand what is at stake."
Daniel even outlines how the government decides whether to disclose a cybersecurity vulnerability. He writes that the following questions are weighed:
- How much is the vulnerable system used in the core internet infrastructure, in other critical infrastructure systems, in the U.S. economy, and/or in national security systems?
- Does the vulnerability, if left unpatched, impose significant risk?
- How much harm could an adversary nation or criminal group do with knowledge of this vulnerability?
- How likely is it that we would know if someone else was exploiting it?
- How badly do we need the intelligence we think we can get from exploiting the vulnerability?
- Are there other ways we can get it?
- Could we utilize the vulnerability for a short period of time before we disclose it?
- How likely is it that someone else will discover the vulnerability?
- Can the vulnerability be patched or otherwise mitigated?
In February, the White House released the Cybersecurity Framework, a 39-page overarching plan for establishing cybersecurity practices shared between companies and the public sector.
What do you think of the government's stance on disclosing cyber vulnerabilities to the public? Do you believe the NSA knew about Heartbleed? Let us know in the comments section below.