Northwest Arkansas Democrat-Gazette

Obama tells NSA to reveal most flaws in Internet security

By David E. Sanger. Information for this article was contributed by writers from The Associated Press.

WASHINGTON — President Barack Obama has decided that when the National Security Agency discovers major flaws in Internet security, it should — in most circumstances — reveal them to assure they will be fixed rather than keep mum so the flaws can be used in espionage or cyberattacks, senior administration officials said Saturday.

But Obama carved a broad exception for “a clear national security or law enforcement need,” the officials said, a provision that is likely to allow the National Security Agency to continue to exploit security flaws both to crack encryption on the Internet and to design cyberweapons.

The White House has never publicly detailed Obama’s decision, which he made in January as he began a three-month review of recommendations by a presidential advisory committee on what to do in response to recent disclosures about the National Security Agency.

But elements of the decision became evident Friday when the White House denied that it had any prior knowledge of the Heartbleed bug, a new hole in Internet security that sent Americans scrambling last week to change their online passwords.

The White House statement said that when such flaws are discovered, there is now a “bias” in the government to share that knowledge with computer and software manufacturers so a remedy can be created and distributed to industry officials and consumers.

“This administration takes seriously its responsibility to help maintain an open, interoperable, secure and reliable Internet,” said Caitlin Hayden, the spokesman for the National Security Council.

Hayden said the review of the advisory committee’s recommendations was now complete, and it had resulted in a “reinvigorated” process to weigh the value of disclosure when a security flaw is discovered against the value of keeping the discovery secret for later use by the intelligence community.

“This process is biased toward responsibly disclosing such vulnerabilities,” she said.

Until now, the White House has declined to say what action Obama had taken on this recommendation of the president’s advisory committee, whose report is better known for its determination that the government cease collecting bulk telephone data about the calls made by every American. Obama announced last month that he would end the bulk collection and leave the data in the hands of telecommunications companies, with a procedure for the government to obtain it with court orders when needed.

But while the surveillance recommendations were noteworthy, inside the intelligence agencies other recommendations — concerning encryption and cyberoperations — set off a roaring debate.

One recommendation urged the National Security Agency to get out of the business of weakening commercial encryption systems or trying to build in “back doors” that would make it far easier for the agency to crack the communications of U.S. adversaries.

Tempting as it was to create easy ways to break codes — the reason the National Security Agency was established by President Harry Truman 62 years ago — the committee concluded that the practice would undercut trust in American software and hardware products.

In recent months, Silicon Valley companies have urged the United States to abandon such practices, while Germany and Brazil, among other nations, have said they were considering shunning American-made equipment and software.

Another recommendation urged the government to make only the most limited, temporary use of what hackers call “zero days,” the coding flaws in software such as Microsoft Windows that can give an attacker access to a computer — and to any business, government agency or network connected to it. The flaws get their name from the fact that, when identified, the computer user has “zero days” to fix them before hackers can exploit the accidental vulnerability.

The National Security Agency made use of four “zero day” vulnerabilities in its attack on Iran’s nuclear enrichment sites. That operation, code-named Olympic Games, managed to damage roughly 1,000 Iranian centrifuges, and by some accounts helped drive the country to the negotiating table.

Officials at the National Security Agency and at its military partner, the U.S. Cyber Command, warned that giving up the capability to exploit undisclosed vulnerabilities would amount to “unilateral disarmament” — a phrase taken from the battles over whether and how far to cut the U.S. nuclear arsenal.

“We don’t eliminate nuclear weapons until the Russians do,” one senior intelligence official said recently. “You are not going to see the Chinese give up on ‘zero days’ just because we do.”

Even a senior White House official who was sympathetic to broad overhauls after the National Security Agency disclosures said last month, “I can’t imagine the president — any president — entirely giving up a technology that might enable him some day to take a covert action that could avoid a shooting war.”

At the center of that technology are the kinds of hidden gaps in the Internet — almost always created by mistake or oversight — that Heartbleed created. There is no evidence that the National Security Agency had any role in creating Heartbleed, or even that it made use of it.

When the White House denied prior knowledge of Heartbleed on Friday afternoon, it appeared to be the first time that the National Security Agency had ever said whether a particular flaw in the Internet was — or was not — in the secret library it keeps at Fort Meade, Md., the headquarters of the agency and Cyber Command.
