
Why the NSA might not say anything about the next ‘Heartbleed’

Published Apr 29th, 2014 11:45PM EDT
BGR


Secretive agencies like the National Security Agency will not hurry to disclose future Heartbleed-like security issues, or at least they won’t always be interested in doing so, the White House revealed in a blog post. The post also reiterated that, contrary to earlier rumors, the NSA did not actually know about this major security bug, which affected 66% of the entire Internet. The NSA had already denied everything on Twitter, and soon after released its own set of instructions telling the public how to deal with the security flaw.

“Earlier this month, the NSA sent out a Tweet making clear that it did not know about the recently discovered vulnerability in OpenSSL known as Heartbleed,” White House cybersecurity coordinator Michael Daniel wrote. “For an agency whose acronym was once said to stand for ‘No Such Agency,’ this step was unusual but consistent with NSA’s efforts to appropriately inform the ongoing discussion related to how it conducts its missions.”

Daniel further acknowledged that Heartbleed “re-ignited debate about whether the federal government should ever withhold knowledge of a computer vulnerability from the public,” saying that the answer isn’t always clear in such cases.

“[…] there are legitimate pros and cons to the decision to disclose, and the trade-offs between prompt disclosure and withholding knowledge of some vulnerabilities for a limited time can have significant consequences,” Daniel said. “Disclosing a vulnerability can mean that we forego an opportunity to collect crucial intelligence that could thwart a terrorist attack, stop the theft of our nation’s intellectual property, or even discover more dangerous vulnerabilities that are being used by hackers or other adversaries to exploit our networks.”

Daniel also said that in an effort to “conduct intelligence collection,” as well as “better protect our country in the long-run,” a set of principles has been established to guide secret agencies in handling potential Heartbleed-like security flaws in the future.

“Enabling transparency about the intersection between cybersecurity and intelligence and providing the public with enough information is complicated,” Daniel said. “Too little transparency and citizens can lose faith in their government and institutions, while exposing too much can make it impossible to collect the intelligence we need to protect the nation. We weigh these considerations through a deliberate process that is biased toward responsibly disclosing the vulnerability, and by sharing this list we want everyone to understand what is at stake. I hope this post will instill some confidence that your government is acting responsibly in the handling of this important issue.”

Chris Smith Senior Writer
