In the wake of the recent Heartbleed bug that the NSA was rumored to be exploiting, the White House on Monday said that public disclosure of internet vulnerabilities is a complicated issue. Michael Daniel, Cybersecurity Officer and Special Assistant to the President, wrote a blog post explaining how the government decides when to publicly disclose major vulnerabilities.
"Heartbleed has re-ignited debate about whether the federal government should ever withhold knowledge of a computer vulnerability from the public. As with so many national security issues, the answer may seem clear to some, but the reality is much more complicated," Daniel said.
He also maintained that the National Security Agency had no prior knowledge of the existence of Heartbleed. The NSA was initially accused of exploiting the bug for intelligence purposes but the security agency denied the claims.
Disclosing a vulnerability could mean a lost opportunity to collect crucial intelligence, but building up a huge stockpile of undisclosed bugs could leave the Internet vulnerable and the American people unprotected, he said.
Daniel revealed that the government has established a "disciplined, rigorous and high-level" decision-making process for vulnerability disclosure. Although all the pros and cons are considered and weighed before deciding to withhold the knowledge of a vulnerability, there aren't any "hard and fast rules".
He then went on to describe the conditions that might lead to a decision not to publish the details of a flaw. Among them: how widespread the vulnerability might be in critical infrastructure systems; how much risk it poses if left unpatched; how much harm an enemy nation or a criminal group could do with knowledge of the vulnerability; how important the intelligence that might be obtained by exploiting the vulnerability is; whether there are other ways to obtain the same intelligence; and more.
What do you think about the government's stance on public disclosure of internet vulnerabilities? Is it enough to fill the trust deficit?