Is Exploiting Heartbleed Ever Appropriate?
Obama Administration Outlines the Circumstances

Deciding whether the U.S. government should exploit flaws in Internet encryption, such as Heartbleed, for national security purposes is a matter of risk assessment.
In its report about National Security Agency surveillance activities, The President's Review Group on Intelligence and Communications Technologies noted: "The central task is one of risk management; multiple risks are involved, and all of them must be considered." (See Panel Recommends Limits on NSA Surveillance.)
Over the weekend, The New York Times, citing administration officials, reported that President Obama has decided that the federal government should not exploit encryption flaws in most instances unless there's "a clear national security or law enforcement need," a loophole that could allow the National Security Agency to continue to manipulate security flaws to crack encryption on the Internet and to design cyberweapons.
The news comes a week after the revelation of the Internet bug known as Heartbleed, which exposes a flaw in OpenSSL, a cryptographic library that provides communication security and privacy over the Internet for applications such as Web, e-mail, instant messaging and some virtual private networks (see Vulnerability Exposes Widely Used OpenSSL Tool).
Let's Not Be Naïve
Do we want the federal government to exploit vulnerabilities such as Heartbleed?
Let's not be naïve. We need the federal government to protect us against those who would do us harm, whether in the physical or cyber worlds; it's a prime responsibility of government. Yet the government should not take steps to prevent really bad things from happening if that means we must sacrifice fundamental rights, such as privacy and civil liberties, or the ability to conduct commerce, a central facet of our society.
Exploiting encryption, even to foil serious harm to the nation's physical and cyber infrastructure, has consequences. American technology providers have complained to the White House that efforts to circumvent encryption and evade individuals' privacy rights have made it more difficult for U.S. companies to market their wares abroad (see President Confronts NSA Critics). "People won't use technology they don't trust," Microsoft General Counsel Brad Smith says. "Governments have put this trust at risk, and governments need to help restore it." (See Online Firms Blast NSA's Tactics.)
Still, circumstances exist when exploitation could be deemed appropriate, such as zero-day flaws, so called because they lurk in a system and, by the time they become known, developers have had no time, zero days, to patch them. The presidential panel wrote:
"When an urgent and significant national security priority can be addressed by the [exploitation] of a zero day [flaw], an agency of the U.S. government may be authorized to use temporarily a zero day instead of immediately fixing the underlying vulnerability. Before approving use of the zero day rather than patching a vulnerability, there should be a senior-level, interagency approval process that employs a risk management approach."
But the panel strongly suggested that zero-day exceptions be rare:
"The fact that officials can legally acquire information [through encryption exploits] does not mean that they should do so. In view of growing technological capacities, and the possibility (however remote) that acquired information might prove useful, it is tempting to think that such capacities should be used rather than ignored. The temptation should be resisted. Officials must consider all relevant risks, not merely one or a subset."
Administration Denies NSA Exploited Heartbleed
After reports surfaced late last week suggesting the NSA might have exploited Heartbleed, the administration issued a statement denying that was the case. National Security Council spokeswoman Caitlin Hayden issued a statement over the weekend saying the administration was unaware of Heartbleed until it became public last week, and that the NSA did not exploit it.
"When federal agencies discover a new vulnerability in commercial and open source software ... it is in the national interest to responsibly disclose the vulnerability rather than to hold it for an investigative or intelligence purpose," the statement says.
"In response to the recommendations of the President's Review Group on Intelligence and Communications Technologies, the White House has reviewed its policies in this area and reinvigorated an interagency process for deciding when to share vulnerabilities. This process is called the Vulnerabilities Equities Process. Unless there is a clear national security or law enforcement need, this process is biased toward responsibly disclosing such vulnerabilities."
It's encouraging that the president is biased toward disclosing, not exploiting, vulnerabilities. Still, the National Security Council statement provides no significant insight into the risk assessments the administration performs to assure it minimizes exploitation of encryption. How are "clear national security" and "law enforcement need" defined? Such language in the past has been used to justify activities that eventually proved not to be in our national interest. Let's hope this isn't a loophole that allows the government to act in a questionable manner.