White House Policy on Disclosing Cyberflaws
After Heartbleed, Daniel Outlines Administration Policy
Saying the administration had no advance knowledge of the OpenSSL vulnerability known as Heartbleed, President Obama's top cybersecurity adviser has outlined circumstances in which the U.S. federal government would not disclose software vulnerabilities, though such conditions would be rare (see: Is Exploiting Heartbleed Ever Appropriate?).
Writing April 28 in a White House blog, Michael Daniel, a special assistant to the president, says the economy would not function without a reliable Internet and connected systems. "Our ability to project power abroad would be crippled if we could not depend on them," Daniel says. "... Disclosing vulnerabilities usually makes sense. We need these systems to be secure as much as, if not more so, than everyone else."
But legitimate reasons exist not to disclose vulnerabilities promptly, Daniel says, adding that withholding knowledge of some cyberflaws for a limited time can have significant consequences. "Disclosing a vulnerability can mean that we forego an opportunity to collect crucial intelligence that could thwart a terrorist attack, stop the theft of our nation's intellectual property, or even discover more dangerous vulnerabilities that are being used by hackers or other adversaries to exploit our networks," he says.
However, Daniel says stockpiling a huge number of vulnerabilities that leave the Internet vulnerable and Americans unprotected would not be in the national interest. "That is not the same as arguing that we should completely forgo this tool as a way to conduct intelligence collection, and better protect our country in the long-run," he says. "Weighing these tradeoffs is not easy, and so we have established principles to guide agency decision-making in this area."
Daniel says the Obama administration has established a disciplined, rigorous and high-level decision-making process for vulnerability disclosure. He says the interagency process aims to ensure that all of the pros and cons of disclosing a vulnerability are properly vetted. The presidential adviser offers nine questions officials ask in deciding whether to delay disclosing vulnerabilities:
- How much is the vulnerable system used in the core Internet infrastructure, in other critical infrastructure systems, in the U.S. economy, and/or in national security systems?
- Does the vulnerability, if left unpatched, impose significant risk?
- How much harm could an adversary nation or criminal group do with knowledge of this vulnerability?
- How likely is it that we would know if someone else was exploiting it?
- How badly do we need the intelligence we think we can get from exploiting the vulnerability?
- Are there other ways we can get it?
- Could we utilize the vulnerability for a short period of time before we disclose it?
- How likely is it that someone else will discover the vulnerability?
- Can the vulnerability be patched or otherwise mitigated?
Daniel says the administration, including the National Security Agency, is being more transparent, but doing so isn't necessarily easy. "Too little transparency and citizens can lose faith in their government and institutions, while exposing too much can make it impossible to collect the intelligence we need to protect the nation," he says. "We weigh these considerations through a deliberate process that is biased toward responsibly disclosing the vulnerability, and by sharing this list, we want everyone to understand what is at stake."