
As the brouhaha continues in the wake of the disclosure of a vulnerability (CVE-2014-0160) affecting versions of OpenSSL, dubbed Heartbleed, and the National Security Agency has denied allegations that it actively exploited the bug, President Obama has weighed in on the issue of whether the agency has a responsibility to report vulnerabilities that could undermine the security of millions.

The Administration has set a policy that allows the government to continue exploiting undisclosed vulnerabilities for intelligence gathering and the development of cyber attack methodologies if it can be demonstrated that there is a clear-cut national security or law enforcement need, according to senior administration officials.

“The Federal government was not aware of the recently identified vulnerability in [the encryption software] OpenSSL until it was made public in a private sector cybersecurity report,” White House spokesperson Caitlin Hayden said Friday.

“This administration takes seriously its responsibility to help maintain an open, interoperable, secure and reliable Internet. If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL.”

Hayden said policy makers had completed a review of the procedural recommendations, which had “reinvigorated” the process to weigh the value of vulnerability disclosures against the need to keep some discoveries classified and available for use by intelligence agencies.

“Unless there is a clear national security or law enforcement need, this process is biased toward responsibly disclosing such vulnerabilities,” Hayden said.

In the case of Heartbleed, researchers have now confirmed that exploit code targeting the bug can force a vulnerable server to leak enough data to allow attackers to fully reconstruct private encryption keys, exposing sensitive data and communications.

“You are not going to see the Chinese give up on ‘zero days’ just because we do,” said a senior intelligence official. A senior White House official added, “I can’t imagine the president — any president — entirely giving up a technology that might enable him some day to take a covert action that could avoid a shooting war.”
