Potentially catastrophic internet security vulnerabilities like Heartbleed should be publicized rather than covertly used for surveillance, President Obama has reportedly told the NSA and other intelligence divisions, although exceptions to the rule will still see the US rely on such loopholes for its spying and monitoring. Heartbleed pitched the National Security Agency back into the headlines on Friday, after anonymous sources claimed it had discovered the OpenSSL flaw at least two years ago but opted to keep it secret so as to use it for stealing passwords and other data.
The NSA swiftly denied the allegations, with a statement insisting that it had been unaware of Heartbleed until the bug was made public early last week.
Meanwhile, the security agency also said that, had it discovered Heartbleed itself as part of its regular efforts at locating potentially exploitable weak-spots, it would have disclosed that rather than kept the information to itself. “It is in the national interest to responsibly disclose the vulnerability,” the NSA said in a statement, “rather than to hold it for an investigative or intelligence purpose.”
That stance is one shared by President Obama, senior administration officials at the White House told the NYTimes today. Although no public commitment to transparency in internet security research has been made, Obama supposedly decreed that disclosure is the default route the NSA and others should take, though with a few caveats.
Should “a clear national security or law enforcement need” be found for an exploit, agencies could still keep the bugs hidden, Obama agreed. Exactly what constitutes a justifiable need is unspecified.
The guidance is another – hitherto undisclosed – aspect of Obama’s NSA reform plan, which was announced back in January in the aftermath of ongoing revelations about the extent of phone tapping and tracking being undertaken. Although the most notable focus of that plan has been around phone record access, it also contained directives around cyber-security research.
While the NSA has made limited use of “zero day” flaws for its own purposes in the past, the report argues that exploiting non-public vulnerabilities should be a last resort.