Despite reports, feds deny NSA exploited "Heartbleed" bug
Disclosing vulnerabilities in commercial and open source software is in the national interest and shouldn't be withheld from the public unless there is a clear national security or law enforcement need, President Barack Obama's National Security Council said Saturday.
The statement of White House policy came after a computer bug called "Heartbleed" caused major security concerns across the Internet and affected a widely used encryption technology, the variant of SSL/TLS known as OpenSSL, that was designed to protect online accounts.
Bloomberg reported last week that the National Security Agency knew about the Heartbleed bug for two years, and regularly used it to gather intelligence. Citing two sources familiar with the matter, the news agency said the NSA kept the bug a secret for national security reasons.
The New York Times points out that a document leaked by former NSA contractor Edward Snowden revealed that the NSA was looking for vulnerability like Heartbleed. The program, called Bullrun, sought to crack encryption on the Web.
The NSC, which Obama chairs, advises the president on national security and foreign policy matters. Its spokeswoman, Caitlin Hayden, said in a statement that the federal government was not aware of the Heartbleed vulnerability in OpenSSL until it was made public in a private sector cybersecurity report. The federal government relies on OpenSSL to protect the privacy of users of government websites and other online services, she said.
"This administration takes seriously its responsibility to help maintain an open, interoperable, secure and reliable Internet," she said. "If the federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL."
The president's Review Group on Intelligence and Communications Technologies, which Obama appointed last year to review NSA surveillance programs and other intelligence and counterterrorism operations, recommended in December that U.S. policy should generally move to ensure that previously unknown vulnerabilities "are quickly blocked, so that the underlying vulnerabilities are patched on U.S. government and other networks."
"The White House has reviewed its policies in this area and reinvigorated an interagency process for deciding when to share vulnerabilities. This process is called the Vulnerabilities Equities Process," Hayden said. "Unless there is a clear national security or law enforcement need, this process is biased toward responsibly disclosing such vulnerabilities."