The NSA has its own guidelines to follow on whether or not to disclose vulnerabilities to interested parties
The NSA’s building is so big because it’s full of secrets, even though the agency will never actually admit to even a portion of them. In a rare move, however, the White House has chosen to disclose more about the way the NSA works and how it deals with bugs such as Heartbleed.
As you will probably remember, everyone guffawed when the NSA said it had no prior knowledge of Heartbleed a few weeks back, when the OpenSSL vulnerability was exposed. That’s because if there’s one thing Edward Snowden’s leaks have taught us, it’s that finding bugs of this size is one of the agency’s main jobs, especially given the widespread use of the affected OpenSSL versions.
Since Heartbleed had been around for two years, it was even harder to believe that the intelligence agency really had no idea about the issue. What made matters even worse was the idea that the spies did know about the bug, but chose not to share the information with the public.
“Building up a huge stockpile of undisclosed vulnerabilities while leaving the Internet vulnerable and the American people unprotected would not be in our national security interest. But that is not the same as arguing that we should completely forgo this tool as a way to conduct intelligence collection, and better protect our country in the long-run. Weighing these tradeoffs is not easy, and so we have established principles to guide agency decision-making in this area,” writes Michael Daniel, White House cybersecurity coordinator.
The decision to share more information about how the agency works actually came after Heartbleed was exposed.
The agency said it considers several things before deciding whether to share the information it has on bugs, and the White House explained more specifically how it decides which vulnerabilities are withheld from the public.
Firstly, the agency analyzes how much the vulnerable system is used in the core Internet infrastructure, in other critical infrastructure systems, in the United States economy and in national security systems.
Then, they assess whether the vulnerability, if left unpatched, poses a significant risk, and just how much harm an adversary nation or criminal group could do with knowledge of the bug.
“How likely is it that we would know if someone else was exploiting it? How badly do we need the intelligence we think we can get from exploiting the vulnerability? Are there other ways we can get it?” Daniel writes.
Other questions relate to whether or not the agency can exploit the bug for a short period before disclosing it and whether anyone else is likely to spill the beans before them.
“Too little transparency and citizens can lose faith in their government and institutions, while exposing too much can make it impossible to collect the intelligence we need to protect the nation. We weigh these considerations through a deliberate process that is biased toward responsibly disclosing the vulnerability, and by sharing this list we want everyone to understand what is at stake,” Daniel wrote.
Basically, the White House and the NSA are once more playing “God” and deciding whether something should be known by the public or not, even when the public’s online safety is at risk. Even worse, the US government admits that it sometimes withholds information so it can exploit the bug on its own.
While the NSA has denied knowing about Heartbleed, it does seem likely that others have caught on to a bug and exposed it while the intelligence agency was still exploiting it for information.