The “New” White House Policy on Security Bugs Changes Nothing
Milagli / Shutterstock
Let’s take stock of where we are with the Heartbleed vulnerability.
We now know that it can be used to hijack the private keys used to encrypt traffic to vulnerable sites. Though it has been denied, the U.S. National Security Agency may have known about the vulnerability for about two years before the general public did.
Let’s assume for the moment that the NSA did know about Heartbleed. If so, it certainly didn’t share its knowledge with anyone else, and instead used the knowledge as one of many weapons in its sophisticated arsenal for compromising the systems of anyone it determined to be an adversary.
Now we have word from the White House — as detailed in today’s New York Times — that U.S. policy will now require the agency to disclose any major computer flaws it finds so that they can be fixed. However, President Obama has granted the NSA a major exception for carrying out missions in the interest of national security.
Historically, U.S. government agencies have at times been some of the most eager consumers of so-called Zero Day vulnerabilities, which are available on the black market; they are so named because they have never been disclosed, and thus give victims zero days to respond with a fix.
The most egregious case was with Stuxnet Worm, said to have been designed by the U.S. Central Intelligence Agency in a joint operation with Israel. It exploited four zero-day vulnerabilities in Microsoft Windows, which cost tens of millions of dollars to procure. The worm was used to seek out and sabotage a set of industrial-control computers in Iran that were connected to a series of nuclear centrifuges. Once control of those computers had been seized, the centrifuges were made to spin too fast, while indicating they were spinning at their normal speed. Many of them exploded, and Iranian nuclear weapons work was by some accounts set back by two years, though opinions on that are mixed.
The question of “disclose or not disclose,” is a complicated one in an era so dominated by the constant hum of cyber sabotage between the U.S., China, Russia and other countries. Upon learning of a newly disclosed weakness that would open the world’s systems up to attack, the temptation to keep quiet and use it as a weapon is, from a certain point of view, understandable.
How might the cyberwarriors of China or Russia have reacted to learning about Heartbleed? We don’t know, but we can guess. China has a division of its People’s Liberation Army, Unit 61398, that is devoted to economic warfare. Its hacking campaigns, as described by the security firm Mandiant (now part of FireEye), which disclosed its existence last year, targeted American, British and Canadian companies with the intent to steal confidential data on business plans and manufacturing procedures and the emails of high-ranking executives.
The NSA may have viewed Heartbleed — given its severity — as a sort of ace up its sleeve. However, it’s unclear if the NSA’s alleged abilities to detect the Heartbleed vulnerability are unique. It was probably discovered via a routine audit of the source code of OpenSSL, the open-source security software that lies at the heart of the bug. It’s hard to imagine that similar audits weren’t performed on the very same software by intelligence agencies all over the world, which stood a pretty good chance of yielding the same result.
If that’s the case — we don’t yet know — it seems that the most responsible course of action would have been to disclose the vulnerability to all concerned, so it could have been patched sooner. Instead, the world’s trust in the reliability and security of the Internet has been shaken to its core, and billions are being spent on mitigation and damage control.
Looking back on the mess created by the Heartbleed affair, it’s hard to see how the “new” view on security disclosures put forth by the White House will change anything. The temptation to justify keeping severe vulnerabilities secret and use them as weapons will almost always win out in the closed-door conversations at Fort Meade and at the White House.