BreachExchange mailing list archives

Why the NSA might not say anything about the next ‘Heartbleed’


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 30 Apr 2014 18:29:57 -0600

http://bgr.com/2014/04/29/white-house-on-heartbleed-security-flaw/

Secretive agencies like the National Security Agency will not hurry to
disclose future Heartbleed-like security issues, or at least they won’t
always be interested in doing so, the White House revealed in a blog post.
It also reiterated that the NSA did not actually know about this major
security bug, which affected 66% of the entire Internet, as had previously
been rumored. After all, the NSA denied everything on Twitter — and
soon after, the NSA released its own set of instructions telling the public
how to deal with the security flaw.

“Earlier this month, the NSA sent out a Tweet making clear that it did not
know about the recently discovered vulnerability in OpenSSL known as
Heartbleed,” White House cybersecurity coordinator Michael Daniel wrote.
“For an agency whose acronym was once said to stand for ‘No Such Agency,’
this step was unusual but consistent with NSA’s efforts to appropriately
inform the ongoing discussion related to how it conducts its missions.”

Daniel further acknowledged that Heartbleed “re-ignited debate about
whether the federal government should ever withhold knowledge of a computer
vulnerability from the public,” saying that the answer isn’t always clear
in such cases.

“[...] there are legitimate pros and cons to the decision to disclose, and
the trade-offs between prompt disclosure and withholding knowledge of some
vulnerabilities for a limited time can have significant consequences,”
Daniel said. “Disclosing a vulnerability can mean that we forego an
opportunity to collect crucial intelligence that could thwart a terrorist
attack, stop the theft of our nation’s intellectual property, or even
discover more dangerous vulnerabilities that are being used by hackers or
other adversaries to exploit our networks.”

Daniel also said that, in an effort to “conduct intelligence collection” as
well as “better protect our country in the long-run,” a set of principles
has been established to guide secret agencies when they encounter potential
Heartbleed-like security flaws in the future.

“Enabling transparency about the intersection between cybersecurity and
intelligence and providing the public with enough information is
complicated,” Daniel said. “Too little transparency and citizens can lose
faith in their government and institutions, while exposing too much can
make it impossible to collect the intelligence we need to protect the
nation. We weigh these considerations through a deliberate process that is
biased toward responsibly disclosing the vulnerability, and by sharing this
list we want everyone to understand what is at stake. I hope this post will
instill some confidence that your government is acting responsibly in the
handling of this important issue.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss