NSC backs disclosing software vulnerabilities

Apr 13, 2014

Disclosing vulnerabilities in commercial and open source software is in the national interest and shouldn't be withheld from the public unless there is a clear national security or law enforcement need, President Barack Obama's National Security Council said Saturday.

The statement of White House policy came after a computer bug called "Heartbleed" caused major security concerns across the Internet and affected a widely used encryption technology, the variant of SSL/TLS known as OpenSSL, that was designed to protect online accounts. Major Internet services worked this week to insulate themselves against the bug.

The NSC, which Obama chairs, advises the president on national security and foreign policy matters. Its spokeswoman, Caitlin Hayden, said in a statement Saturday that the federal government was not aware of the Heartbleed vulnerability in OpenSSL until it was made public in a private sector cybersecurity report. The federal government relies on OpenSSL to protect the privacy of users of government websites and other online services, she said.

"This administration takes seriously its responsibility to help maintain an open, interoperable, secure and reliable Internet," she said. "If the , including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL."

The president's Review Group on Intelligence and Communications Technologies, which Obama appointed last year to review National Security Agency surveillance programs and other intelligence and counterterrorism operations, recommended in December that U.S. policy should generally move to ensure that previously unknown vulnerabilities "are quickly blocked, so that the underlying vulnerabilities are patched on U.S. government and other networks."

"The White House has reviewed its policies in this area and reinvigorated an interagency process for deciding when to share vulnerabilities. This process is called the Vulnerabilities Equities Process," Hayden said. "Unless there is a clear national security or need, this process is biased toward responsibly disclosing such vulnerabilities."


User comments : 4


alfie_null
not rated yet Apr 13, 2014
If the federal government wants to help, one contribution would be to make FIPS 140-2 certification less tortuous, less expensive. I'd warrant many use openssl in part because of its FIPS certification. It's certainly not by far the easiest to incorporate into your software. There are alternative TLS libraries that are better designed, but lack the resources to obtain FIPS certification.
Doug_Huffman
not rated yet Apr 13, 2014
FIPS - Federal Information Processing Standards? Certified by FedGov NSA and DHS as

DEFECTIVE BY DESIGN

Thanks, no, I'll stay with FOSS.
PoppaJ
5 / 5 (1) Apr 13, 2014
Phys.org fails again! How dare you allow this title. It needs to be "NSC Prohibits disclosing software vulnerabilities" WHY?! Because the first paragraph states:
"Disclosing vulnerabilities in commercial and open source software is in the national interest and shouldn't be withheld from the public UNLESS there is a clear national security or law enforcement need, President Barack Obama's National Security Council said Saturday."

Stop playing the deception game with them.
thatsitalright
not rated yet Apr 14, 2014
Good point PoppaJ

"vulnerabilities shouldn't be withheld from the public unless there is a security or law enforcement need"


Basically.
