NSC backs disclosing software vulnerabilities

Apr 13, 2014

Disclosing vulnerabilities in commercial and open source software is in the national interest and shouldn't be withheld from the public unless there is a clear national security or law enforcement need, President Barack Obama's National Security Council said Saturday.

The statement of White House policy came after a computer bug called "Heartbleed" caused major security concerns across the Internet and affected a widely used encryption technology, the variant of SSL/TLS known as OpenSSL, that was designed to protect online accounts. Major Internet services worked this week to insulate themselves against the bug.

The NSC, which Obama chairs, advises the president on and foreign policy matters. Its spokeswoman, Caitlin Hayden, said in a statement Saturday that the federal government was not aware of the Heartbleed vulnerability in OpenSSL until it was made public in a private sector cybersecurity report. The federal government relies on OpenSSL to protect the privacy of users of government websites and other online services, she said.

"This administration takes seriously its responsibility to help maintain an open, interoperable, secure and reliable Internet," she said. "If the , including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL."

The president's Review Group on Intelligence and Communications Technologies, which Obama appointed last year to review National Security Agency surveillance programs and other intelligence and counterterrorism operations, recommended in December that U.S. policy should generally move to ensure that previously unknown vulnerabilities "are quickly blocked, so that the underlying vulnerabilities are patched on U.S. government and other networks."

"The White House has reviewed its policies in this area and reinvigorated an interagency process for deciding when to share vulnerabilities. This process is called the Vulnerabilities Equities Process," Hayden said. "Unless there is a clear national security or need, this process is biased toward responsibly disclosing such vulnerabilities."

Explore further: NSA denies exploiting 'Heartbleed' vulnerability

2.5 /5 (2 votes)
add to favorites email to friend print save as pdf

Related Stories

What you need to know about the Heartbleed bug

Apr 09, 2014

Millions of passwords, credit card numbers and other personal information may be at risk as a result of a major breakdown in Internet security revealed earlier this week.

Heartbleed bug find triggers OpenSSL security advisory

Apr 08, 2014

A flaw called Heartbleed in OpenSSL, which is a software library used for the protection and security of millions of websites, was uncovered by Neel Mehta of Google Security, who first reported it to the ...

'Heartbleed' bug a critical Internet illness

Apr 11, 2014

The "Heartbleed" flaw in Internet security is as critical as the name implies and wider spread than first believed. Warnings about the danger exposed early this week reached widening circles on Thursday, with everyone from website o ...

Recommended for you

Facebook sues law firms, claims fraud

10 hours ago

Facebook is suing several law firms that represented a man who claimed he owned half of the social network and was entitled to billions of dollars from the company and its CEO Mark Zuckerberg.

IBM 3Q disappoints as it sheds 'empty calories'

10 hours ago

IBM disappointed investors Monday, reporting weak revenue growth again and a big charge to shed its costly chipmaking division as the tech giant tries to steer its business toward cloud computing and social-mobile ...

User comments : 4

Adjust slider to filter visible comments by rank

Display comments: newest first

alfie_null
not rated yet Apr 13, 2014
If the federal government wants to help, one contribution would be to make FIPS 140-2 certification less tortuous, less expensive. I'd warrant many use openssl in part because of its FIPS certification. It's certainly not by far the easiest to incorporate into your software. There are alternative TLS libraries that are better designed, but lack the resources to obtain FIPS certification.
Doug_Huffman
not rated yet Apr 13, 2014
FIPS - Federal Information Processing Standards? Certified by FedGov NSA and DHS as

DEFECTIVE BY DESIGN

Thanks, no, I'll stay with FOSS.
PoppaJ
5 / 5 (1) Apr 13, 2014
Phys.org fails again! How dare you allow this title. it need to be "NSC Prohibits disclosing software vulnerabilities" WHY?! because the the first paragraph states.
""""Disclosing vulnerabilities in commercial and open source software is in the national interest and shouldn't be withheld from the public UNLESS there is a clear national security or law enforcement need, President Barack Obama's National Security Council said Saturday."""

Stop playing the deception game with them.
thatsitalright
not rated yet Apr 14, 2014
Good point PoppaJ

"vulnerabilities shouldn't be withheld from the public unless there is a security or law enforcement need"


Basically.