When Does the White House Disclose Cyber Security Vulnerabilities?

Does the White House disclose cyber security vulnerabilities when they first know about them? Does it have an obligation to do so? Is there ever any justification for the government to knowingly withhold this knowledge from the public?

The Heartbleed security bug that recently dominated the headlines has apparently prompted the White House to shed some light on its policies regarding disclosing cyber vulnerabilities to the public.

Special Assistant to the President and Cybersecurity Coordinator Michael Daniel wrote on the White House blog, “As with so many national security issues, the answer may seem clear to some, but the reality is much more complicated.”

What would be a legitimate reason for not immediately disclosing a bug like Heartbleed? According to Daniel, there are pros and cons to the decision to disclose:

Disclosing a vulnerability can mean that we forego an opportunity to collect crucial intelligence that could thwart a terrorist attack, stop the theft of our nation’s intellectual property, or even discover more dangerous vulnerabilities that are being used by hackers or other adversaries to exploit our networks.

Does this seem like a valid reason or the start of a slippery slope? The White House published a brief overview of guidelines to consider if a government agency proposes temporarily withholding knowledge of a vulnerability:

  • How much is the vulnerable system used in the core Internet infrastructure, in other critical infrastructure systems, in the U.S. economy, and/or in national security systems?
  • Does the vulnerability, if left unpatched, impose significant risk?
  • How much harm could an adversary nation or criminal group do with knowledge of this vulnerability?
  • How likely is it that we would know if someone else was exploiting it?
  • How badly do we need the intelligence we think we can get from exploiting the vulnerability?
  • Are there other ways we can get it?
  • Could we utilize the vulnerability for a short period of time before we disclose it?
  • How likely is it that someone else will discover the vulnerability?
  • Can the vulnerability be patched or otherwise mitigated?

Noting that the White House blog post is “a rare insight into the government’s thinking on the use of cyberweapons,” The New York Times reported that disclosing cyber security vulnerabilities “is a heated issue inside the N.S.A. and the Pentagon.”

What do you think?
