NSC backs disclosing software vulnerabilities

Apr 13, 2014

Disclosing vulnerabilities in commercial and open source software is in the national interest and shouldn't be withheld from the public unless there is a clear national security or law enforcement need, President Barack Obama's National Security Council said Saturday.

The statement of White House policy came after a computer bug called "Heartbleed" caused major security concerns across the Internet and affected a widely used encryption technology, the variant of SSL/TLS known as OpenSSL, that was designed to protect online accounts. Major Internet services worked this week to insulate themselves against the bug.

The NSC, which Obama chairs, advises the president on and foreign policy matters. Its spokeswoman, Caitlin Hayden, said in a statement Saturday that the federal government was not aware of the Heartbleed vulnerability in OpenSSL until it was made public in a private sector cybersecurity report. The federal government relies on OpenSSL to protect the privacy of users of government websites and other online services, she said.

"This administration takes seriously its responsibility to help maintain an open, interoperable, secure and reliable Internet," she said. "If the , including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL."

The president's Review Group on Intelligence and Communications Technologies, which Obama appointed last year to review National Security Agency surveillance programs and other intelligence and counterterrorism operations, recommended in December that U.S. policy should generally move to ensure that previously unknown vulnerabilities "are quickly blocked, so that the underlying vulnerabilities are patched on U.S. government and other networks."

"The White House has reviewed its policies in this area and reinvigorated an interagency process for deciding when to share vulnerabilities. This process is called the Vulnerabilities Equities Process," Hayden said. "Unless there is a clear national security or need, this process is biased toward responsibly disclosing such vulnerabilities."

Explore further: NSA denies exploiting 'Heartbleed' vulnerability

2.5 /5 (2 votes)
add to favorites email to friend print save as pdf

Related Stories

What you need to know about the Heartbleed bug

Apr 09, 2014

Millions of passwords, credit card numbers and other personal information may be at risk as a result of a major breakdown in Internet security revealed earlier this week.

Heartbleed bug find triggers OpenSSL security advisory

Apr 08, 2014

A flaw called Heartbleed in OpenSSL, which is a software library used for the protection and security of millions of websites, was uncovered by Neel Mehta of Google Security, who first reported it to the ...

'Heartbleed' bug a critical Internet illness

Apr 11, 2014

The "Heartbleed" flaw in Internet security is as critical as the name implies and wider spread than first believed. Warnings about the danger exposed early this week reached widening circles on Thursday, with everyone from website o ...

Recommended for you

Misinformation diffusing online

1 hour ago

The spread of misinformation through online social networks is becoming an increasingly worrying problem. Researchers in India have now modeled how such fictions and diffuse through those networks. They described details ...

Many tongues, one voice, one common ambition

2 hours ago

There is much need to develop energy efficient solutions for residential buildings in Europe. The EU-funded project, MeeFS, due to be completed by the end of 2015, is developing an innovative multifunctional and energy efficient ...

Chinese man brings gay conversion therapy lawsuit

3 hours ago

(AP)—A gay Chinese man said Thursday he was suing a psychological clinic for carrying out electric shocks intended to turn him straight, as well as the search engine giant Baidu for advertising the center.

Panasonic, Tesla to build big US battery plant

3 hours ago

(AP)—American electric car maker Tesla Motors Inc. is teaming up with Japanese electronics company Panasonic Corp. to build a battery manufacturing plant in the U.S. expected to create 6,500 jobs.

User comments : 4

Adjust slider to filter visible comments by rank

Display comments: newest first

alfie_null
not rated yet Apr 13, 2014
If the federal government wants to help, one contribution would be to make FIPS 140-2 certification less tortuous, less expensive. I'd warrant many use openssl in part because of its FIPS certification. It's certainly not by far the easiest to incorporate into your software. There are alternative TLS libraries that are better designed, but lack the resources to obtain FIPS certification.
Doug_Huffman
not rated yet Apr 13, 2014
FIPS - Federal Information Processing Standards? Certified by FedGov NSA and DHS as

DEFECTIVE BY DESIGN

Thanks, no, I'll stay with FOSS.
PoppaJ
5 / 5 (1) Apr 13, 2014
Phys.org fails again! How dare you allow this title. it need to be "NSC Prohibits disclosing software vulnerabilities" WHY?! because the the first paragraph states.
""""Disclosing vulnerabilities in commercial and open source software is in the national interest and shouldn't be withheld from the public UNLESS there is a clear national security or law enforcement need, President Barack Obama's National Security Council said Saturday."""

Stop playing the deception game with them.
thatsitalright
not rated yet Apr 14, 2014
Good point PoppaJ

"vulnerabilities shouldn't be withheld from the public unless there is a security or law enforcement need"


Basically.