NSC backs disclosing software vulnerabilities

Apr 13, 2014

Disclosing vulnerabilities in commercial and open source software is in the national interest and shouldn't be withheld from the public unless there is a clear national security or law enforcement need, President Barack Obama's National Security Council said Saturday.

The statement of White House policy came after a computer bug called "Heartbleed" caused major security concerns across the Internet. The bug affected OpenSSL, a widely used implementation of the SSL/TLS encryption technology that was designed to protect online accounts. Major Internet services worked this week to insulate themselves against the bug.

The NSC, which Obama chairs, advises the president on national security and foreign policy matters. Its spokeswoman, Caitlin Hayden, said in a statement Saturday that the federal government was not aware of the Heartbleed vulnerability in OpenSSL until it was made public in a private sector cybersecurity report. The federal government relies on OpenSSL to protect the privacy of users of government websites and other online services, she said.

"This administration takes seriously its responsibility to help maintain an open, interoperable, secure and reliable Internet," she said. "If the federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL."

The president's Review Group on Intelligence and Communications Technologies, which Obama appointed last year to review National Security Agency surveillance programs and other intelligence and counterterrorism operations, recommended in December that U.S. policy should generally move to ensure that previously unknown vulnerabilities "are quickly blocked, so that the underlying vulnerabilities are patched on U.S. government and other networks."

"The White House has reviewed its policies in this area and reinvigorated an interagency process for deciding when to share vulnerabilities. This process is called the Vulnerabilities Equities Process," Hayden said. "Unless there is a clear national security or law enforcement need, this process is biased toward responsibly disclosing such vulnerabilities."


User comments

alfie_null
not rated yet Apr 13, 2014
If the federal government wants to help, one contribution would be to make FIPS 140-2 certification less tortuous, less expensive. I'd warrant many use openssl in part because of its FIPS certification. It's certainly not by far the easiest to incorporate into your software. There are alternative TLS libraries that are better designed, but lack the resources to obtain FIPS certification.

Doug_Huffman
not rated yet Apr 13, 2014
FIPS - Federal Information Processing Standards? Certified by FedGov NSA and DHS as

DEFECTIVE BY DESIGN

Thanks, no, I'll stay with FOSS.

PoppaJ
5 / 5 (1) Apr 13, 2014
Phys.org fails again! How dare you allow this title. It needs to be "NSC Prohibits disclosing software vulnerabilities". WHY?! Because the first paragraph states:
"Disclosing vulnerabilities in commercial and open source software is in the national interest and shouldn't be withheld from the public UNLESS there is a clear national security or law enforcement need, President Barack Obama's National Security Council said Saturday."

Stop playing the deception game with them.

thatsitalright
not rated yet Apr 14, 2014
Good point PoppaJ

"vulnerabilities shouldn't be withheld from the public unless there is a security or law enforcement need"

Basically.
