The National Security Agency has been trying to explain under what circumstances it might keep cyber security vulnerabilities secret from the public, and today the White House has written a blog post attempting to clarify the situation even further. Unfortunately, the answer still isn't completely clear: White House cybersecurity coordinator Michael Daniel explains that "there are no hard and fast rules" on when the government will or won't disclose a vulnerability that it's discovered.
Instead, Daniel explains what federal agencies consider when confronted with such a situation. "Disclosing a vulnerability can mean that we forego an opportunity to collect crucial intelligence that could thwart a terrorist attack, stop the theft of our nation's intellectual property, or even discover more dangerous vulnerabilities that are being used by hackers or other adversaries to exploit our networks," he writes. At the same time, Daniel says he does not believe it would be in the interest of national security for the US to build up a stockpile of these vulnerabilities, because doing so would also leave Americans at risk.
Vulnerabilities appear to be assessed on a case-by-case basis when federal agencies propose withholding a discovered flaw. Daniel writes that the considerations in making that decision include how significant a risk the flaw poses, how important it currently is to use the flaw to gather intelligence, and whether the government could use the vulnerability for "a short period of time" before disclosing it. "We weigh these considerations through a deliberate process that is biased toward responsibly disclosing the vulnerability, and by sharing this list we want everyone to understand what is at stake," Daniel writes.
In total, Daniel details nine questions that are considered when deciding whether to withhold a flaw for the purpose of gathering intelligence:
- How much is the vulnerable system used in the core internet infrastructure, in other critical infrastructure systems, in the U.S. economy, and/or in national security systems?
- Does the vulnerability, if left unpatched, impose significant risk?
- How much harm could an adversary nation or criminal group do with knowledge of this vulnerability?
- How likely is it that we would know if someone else was exploiting it?
- How badly do we need the intelligence we think we can get from exploiting the vulnerability?
- Are there other ways we can get it?
- Could we utilize the vulnerability for a short period of time before we disclose it?
- How likely is it that someone else will discover the vulnerability?
- Can the vulnerability be patched or otherwise mitigated?
The White House's elaboration comes just weeks after the major security vulnerability Heartbleed rocked the web in early April, putting as many as two out of every three servers at risk. Following its discovery, a report alleged that the NSA had knowledge of the flaw and had taken advantage of it for two years — nearly since the flaw's inception. The NSA vehemently denied that allegation, and the White House continues to do so here. "We had no prior knowledge of the existence of Heartbleed," Daniel writes.
Nonetheless, it appears to be clear to the White House that ongoing issues regarding the NSA's transparency have led to mounting concerns from the web security community. Daniel's is the latest attempt to bring further transparency to the government's thinking here. Still, as President Obama has done in the past, he makes it clear that there's a broad range of situations in which the government may be interested in withholding vulnerabilities.