The White House today issued a statement -- in the form of a blog post -- by Special Assistant to the President and Cybersecurity Coordinator Michael Daniel. The statement directly addressed the Heartbleed bug and how and when the government discloses critical vulnerabilities.
(It should be noted that I conducted an in-depth one-on-one interview with a senior NSA executive today on the same topic, and will be publishing that interview, in its entirety, within the next day or two.)
Daniel made a number of key points. On knowledge of Heartbleed:
...we had no prior knowledge of the existence of Heartbleed...
On vulnerability disclosure:
This administration takes seriously its commitment to an open and interoperable, secure and reliable Internet, and in the majority of cases, responsibly disclosing a newly discovered vulnerability is clearly in the national interest. This has been and continues to be the case.
On shared use of the Internet:
We rely on the Internet and connected systems for much of our daily lives. Our economy would not function without them. Our ability to project power abroad would be crippled if we could not depend on them. For these reasons, disclosing vulnerabilities usually makes sense. We need these systems to be secure as much as, if not more so, than everyone else.
On the trade-offs of disclosing vulnerabilities:
Disclosing a vulnerability can mean that we forego an opportunity to collect crucial intelligence that could thwart a terrorist attack, stop the theft of our nation’s intellectual property, or even discover more dangerous vulnerabilities that are being used by hackers or other adversaries to exploit our networks.
Building up a huge stockpile of undisclosed vulnerabilities while leaving the Internet vulnerable and the American people unprotected would not be in our national security interest. But that is not the same as arguing that we should completely forgo this tool as a way to conduct intelligence collection, and better protect our country in the long-run. Weighing these tradeoffs is not easy, and so we have established principles to guide agency decision-making in this area.
On the inter-agency process for deciding whether to disclose a vulnerability, Daniel stated that "there are no hard and fast rules," but he did outline a series of questions agencies would work through if they were considering withholding information.
On the overall challenge of cybersecurity and transparency:
Enabling transparency about the intersection between cybersecurity and intelligence and providing the public with enough information is complicated. Too little transparency and citizens can lose faith in their government and institutions, while exposing too much can make it impossible to collect the intelligence we need to protect the nation. We weigh these considerations through a deliberate process that is biased toward responsibly disclosing the vulnerability, and by sharing this list we want everyone to understand what is at stake.
As you can imagine, this White House posting will appeal to some and anger and upset others. The reality is that protection is a hard game, and sometimes it is not safe for citizens when a government intelligence agency reveals its hand too early. That's a tough decision, and that's why it's so important to elect leaders we consider responsible decision makers and hold them accountable for their actions.
The good news is that while most of our elected politicians are less than inspiring, the career government workers I've met in the various intelligence and defense agencies have been impressive and highly capable. They have a tough job and walk a very fine line.