Feds Would Have a Hard Time Keeping Zero-Days Under Wraps

If federal officials wanted to keep mum about the next cyber superbug to give the intelligence community time to exploit it, they have a plan for doing so -- but executing the plan could invite the kind of disclosures it aims to prevent.

The Obama administration strongly maintains it didn't hide the Heartbleed superbug -- the recently reported defect in widely used Web encryption technology -- from the public. However, speculation otherwise has prompted federal officials to reveal the thinking that would go into withholding information about such a vulnerability. So-called zero-day bugs allow the intelligence community to spy on adversaries before the security holes are patched.

The administration has “established a disciplined, rigorous and high-level decision-making process for vulnerability disclosure," White House cyber czar Michael Daniel wrote in a blog post this week. "This interagency process helps ensure that all of the pros and cons are properly considered and weighed."

That method could also allow agencies with different missions -- homeland security and cybercrime enforcement, for instance -- to let the cat out of the bag.

The risks are real, says retired Maj. Gen. Charles Dunlap, a former deputy judge advocate general of the Air Force.

"Agencies have different charters and interests, so there could be very strong yet honest disagreement in certain cases," he said. "Losers in such debates may not always go quietly. And let’s not forget that this kind of information would be extraordinarily valuable to every government and business on the planet -- not to mention the general public."

Dunlap, now a Duke University Law School professor, said the "interagency process" likely involves representatives from the various intelligence entities as well as all the Cabinet-level departments. The process "inevitably increases the possibility of an inadvertent or even deliberate disclosure of a decision not to publicize a particular cyber vulnerability," he said. 

Yet, even if a governmentwide negotiation on nondisclosure backfires, consensus probably is the best approach, Dunlap added.

"The interagency process Daniel discusses can ensure the airing of the widest range of views, and this can lead to better decision-making," he said. "In situations like this where the choice -- whichever way it goes -- will always be second guessed, it is usually better to be inclusive in the decision-making process, especially inside the Beltway."

Separately, on Wednesday, findings from the Pew Research Center show that about 30 percent of all Internet users feel their personal information was put at risk because of the Heartbleed bug.

When the Heartbleed zero-day became public early this month, some security experts questioned whether federal websites were immune because NSA -- a code-making and code-breaking Pentagon agency -- had provided them with secret protections.

Officials didn't address the accusations but said the government's main public sites, including, were safe from the threat, but later said they were taking steps to address Heartbleed issues and reset consumer passwords out of an abundance of caution.

Daniel, in his blog post, said that “building up a huge stockpile of undisclosed vulnerabilities while leaving the Internet vulnerable and the American people unprotected would not be in our national security interest.”

That does not mean the United States “should completely forgo this tool as a way to conduct intelligence collection, and better protect our country in the long-run,” he added. “Weighing these tradeoffs is not easy, and so we have established principles to guide agency decision-making in this area.”
