Secretive agencies like the National Security Agency will not hurry to disclose future Heartbleed-like security issues, or at least they will not always be interested in doing so, the White House revealed in a blog post. The post also reiterated that the NSA did not know in advance about this major security bug, widely reported to affect some 66% of the Internet's web servers, as had previously been rumored. The NSA had already denied any prior knowledge on Twitter, and soon afterwards it released its own set of instructions telling the public how to deal with the flaw.
“Earlier this month, the NSA sent out a Tweet making clear that it did not know about the recently discovered vulnerability in OpenSSL known as Heartbleed,” White House cybersecurity coordinator Michael Daniel wrote. “For an agency whose acronym was once said to stand for ‘No Such Agency,’ this step was unusual but consistent with NSA’s efforts to appropriately inform the ongoing discussion related to how it conducts its missions.”
Daniel further acknowledged that Heartbleed “re-ignited debate about whether the federal government should ever withhold knowledge of a computer vulnerability from the public,” saying that the answer isn’t always clear in such cases.
“[…] there are legitimate pros and cons to the decision to disclose, and the trade-offs between prompt disclosure and withholding knowledge of some vulnerabilities for a limited time can have significant consequences,” Daniel said. “Disclosing a vulnerability can mean that we forego an opportunity to collect crucial intelligence that could thwart a terrorist attack, stop the theft of our nation’s intellectual property, or even discover more dangerous vulnerabilities that are being used by hackers or other adversaries to exploit our networks.”
Daniel also said that, in order to “conduct intelligence collection” while also aiming to “better protect our country in the long-run,” a set of principles has been established to guide intelligence agencies in deciding whether to disclose Heartbleed-like security flaws they discover in the future.
“Enabling transparency about the intersection between cybersecurity and intelligence and providing the public with enough information is complicated,” Daniel said. “Too little transparency and citizens can lose faith in their government and institutions, while exposing too much can make it impossible to collect the intelligence we need to protect the nation. We weigh these considerations through a deliberate process that is biased toward responsibly disclosing the vulnerability, and by sharing this list we want everyone to understand what is at stake. I hope this post will instill some confidence that your government is acting responsibly in the handling of this important issue.”