Obama leaves loophole open for NSA to exploit zero-day vulnerabilities

Filed Under: Featured, Law & order, Security threats

No, the US White House didn't know about Heartbleed and didn't exploit the OpenSSL bug to snoop, it said on Friday.

According to a statement from the Office of the Director of National Intelligence, the government has a "bias" toward responsible bug disclosure:

This Administration takes seriously its responsibility to help maintain an open, interoperable, secure and reliable Internet. If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL.

But that approach is squishy. The notion of responsible disclosure is more of a bias than a requirement, senior administration officials said on Saturday.

In fact, officials said that President Obama has left a huge loophole open in the form of an exception for "a clear national security or law enforcement need."

As Bloomberg reported on Monday, the White House's directive to limit US intelligence's exploitation of software bugs, if strictly implemented without loophole, would require elite spying units to empty out their pockets of thousands of exploits, according to intelligence professionals.

Those exploits include bugs found not just in software but also in industrial controllers, heating and cooling systems, printers, anti-virus software, video conferencing systems and encryption protocols.

But this responsible-disclosure exception loophole is just too fuzzy, says Jason Syversen, who formerly worked on cyberwar projects for the Pentagon and now runs a New Hampshire company called Siege Technologies that develops cyberwar tools.

Bloomberg quotes him:

[Limiting the use of such exploits] would hamstring the ability of the intelligence organizations to do their mission. That's like saying spies are only allowed to lie some of the time but still have to do their job.

The NSA's previous knowledge of Heartbleed came into question when Bloomberg reported that the agency knew about the flaw for at least two years and regularly used it to gather critical intelligence.

According to Richard Clarke, a member of a presidential panel set up to review NSA practices, the White House issued guidance on the issue of responsible disclosure to the entire intelligence community three weeks ago.

That guidance followed, more or less, the panel's earlier recommendation that bugs be exploited, and computer users kept vulnerable and in the dark, only rarely and only for the most important intelligence goals.

The presidential guidance was made public for the first time on Friday, in response to the Bloomberg News report that the NSA had been milking the Heartbleed bug.

The White House has up until now been mute on what decisions have been made in the wake of the presidential panel's recommendations, with the exception of last month, when it was announced that bulk data collection would stop, that data would be left in the hands of telecoms, and that the government would be able to get at it with court orders when needed.

But as the New York Times describes it, underneath this silence there's a roaring debate within the intelligence agencies over such questions as whether the NSA should hammer away at weakening commercial encryption systems or try to build in back doors that facilitate the agency's communications-cracking capabilities.

Giving up the power to use zero-day vulnerabilities as a wedge to open up enemies' or targets' communications systems would mean giving up the power to create a weapon such as Stuxnet, the cyber attack on Iran's nuclear enrichment sites that the NSA reportedly built on top of four zero-day exploits.

Even those in the government who are sympathetic to broad reforms of the NSA can't quite imagine giving up that zero-day power. The NYT quoted one such, a senior White House official:

I can't imagine the president - any president - entirely giving up a technology that might enable him some day to take a covert action that could avoid a shooting war.


3 Responses to Obama leaves loophole open for NSA to exploit zero-day vulnerabilities

  1. Andrew · 156 days ago

    Just don't trust the American Government or its congress.

  2. I trust the US government on this. They are very clear. NSA is a spy agency, they are there to spy.

    The US taxpayer should start complaining if and when the NSA is getting all that taxpayers' money and NOT spying.

    If you use Google for mail, search, messaging, maps then you are subject to more surveillance than anything NSA is likely doing to you as an average person.

    NSA probably can access your email - they just can't see any reason to do it. Google does access your email - header and content, on access and whilst stored.

  3. Glen · 156 days ago

    Another Day, another Lie. It is hard to believe anything this President has to say.


About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.