White House on Heartbleed: 'Transparency is complicated'

Summary: The White House issues a statement that addresses the Heartbleed bug and how the government makes decisions with regard to disclosure of technical vulnerabilities.


The White House today issued a statement -- in the form of a blog post -- by Special Assistant to the President and the Cybersecurity Coordinator Michael Daniel. The statement directly addressed the Heartbleed bug and how and when the government discloses critical vulnerabilities.

(It should be noted that I conducted an in-depth one-on-one interview with a senior NSA executive today on the same topic, and will be publishing that interview, in its entirety, within the next day or two.)

Daniel made a number of key points. On knowledge of Heartbleed:

...we had no prior knowledge of the existence of Heartbleed...

On vulnerability disclosure:

This administration takes seriously its commitment to an open and interoperable, secure and reliable Internet, and in the majority of cases, responsibly disclosing a newly discovered vulnerability is clearly in the national interest. This has been and continues to be the case.

On shared use of the Internet:

We rely on the Internet and connected systems for much of our daily lives. Our economy would not function without them. Our ability to project power abroad would be crippled if we could not depend on them. For these reasons, disclosing vulnerabilities usually makes sense. We need these systems to be secure as much as, if not more so, than everyone else.

On the trade-offs of disclosing vulnerabilities:

Disclosing a vulnerability can mean that we forego an opportunity to collect crucial intelligence that could thwart a terrorist attack, stop the theft of our nation’s intellectual property, or even discover more dangerous vulnerabilities that are being used by hackers or other adversaries to exploit our networks.

Building up a huge stockpile of undisclosed vulnerabilities while leaving the Internet vulnerable and the American people unprotected would not be in our national security interest. But that is not the same as arguing that we should completely forgo this tool as a way to conduct intelligence collection, and better protect our country in the long-run. Weighing these tradeoffs is not easy, and so we have established principles to guide agency decision-making in this area.

On the inter-agency process for deciding whether to disclose a vulnerability, Daniel stated "there are no hard and fast rules," but he did list a series of questions agencies work through when they consider withholding information.

On the overall challenge of cybersecurity and transparency:

Enabling transparency about the intersection between cybersecurity and intelligence and providing the public with enough information is complicated. Too little transparency and citizens can lose faith in their government and institutions, while exposing too much can make it impossible to collect the intelligence we need to protect the nation. We weigh these considerations through a deliberate process that is biased toward responsibly disclosing the vulnerability, and by sharing this list we want everyone to understand what is at stake.

My take

As you can imagine, this White House posting will appeal to some and anger and upset others. The reality is that protection is a hard game, and sometimes it is not in citizens' interest for a government intelligence agency to reveal its hand too early. That's a tough decision, and that's why it's so important to elect leaders we consider responsible decision makers and hold them accountable for their actions.

The good news is that while most of our elected politicians are less than inspiring, the career government workers I've met in the various intelligence and defense agencies have been impressive and highly capable. They have a tough job and walk a very fine line.



David Gewirtz, Distinguished Lecturer at CBS Interactive, is an author, U.S. policy advisor, and computer scientist. He is featured in the History Channel special The President's Book of Secrets and is a member of the National Press Club.

  • There's more than "elected politicians" and "career government workers"

    There are also political appointees, some of which require Congressional approval and others which do not. These individuals are almost always placed in high-level management positions amongst various government agencies. And some of these political appointees end up being "career government workers" when their benefactor leaves public office.

    Back on topic, while I'm not particularly happy with this stated policy, I can understand why it exists. However, as an example, were the five (5) vulnerabilities used in Stuxnet to damage the Iranian Natanz uranium enrichment facility justified? Stuxnet was not an intelligence-gathering operation. Instead, it was an offensive military action. [Note: Here I am assuming that the U.S. had a hand in Stuxnet.]
    Rabid Howler Monkey
  • I want to believe it, but credibility is lacking.

    As a tech professional working for the govt. in DC, I understand the patriotic good intentions that are typically present – if not always implemented – and I want to believe it. But the sad truth is the government is not known for disclosure of vulnerabilities. It probably has not been on anyone's radar to do so until now.

    The NSA and other fed agencies will have to build some credibility and demonstrate by their actions that they WILL disclose vulnerabilities, or they will never be trusted to do so. I look to the EOP to take the initiative here.