Feds Would Have a Hard Time Keeping Zero-Days Under Wraps


If federal officials wanted to keep mum about the next cyber superbug to give the intelligence community time to exploit it, they have a plan for doing so -- but executing the plan could invite the kind of disclosures it aims to prevent.

The Obama administration strongly maintains it didn't hide the Heartbleed superbug -- the recently reported defect in widely used Web encryption technology -- from the public. However, speculation otherwise has prompted federal officials to reveal the thinking that would go into withholding information about such a vulnerability. So-called zero-day bugs allow the intelligence community to spy on adversaries before the security holes are patched.

The administration has "established a disciplined, rigorous and high-level decision-making process for vulnerability disclosure," White House cyber czar Michael Daniel wrote in a blog post this week. "This interagency process helps ensure that all of the pros and cons are properly considered and weighed."

That method could also allow agencies with different missions -- homeland security and cybercrime enforcement, for instance -- to let the cat out of the bag.

The risks are real, says retired Maj. Gen. Charles Dunlap, a former deputy judge advocate general of the Air Force.

"Agencies have different charters and interests, so there could be very strong yet honest disagreement in certain cases," he said. "Losers in such debates may not always go quietly. And let’s not forget that this kind of information would be extraordinarily valuable to every government and business on the planet -- not to mention the general public."

Dunlap, now a Duke University Law School professor, said the "interagency process" likely involves representatives from the various intelligence entities as well as all the Cabinet-level departments. The process "inevitably increases the possibility of an inadvertent or even deliberate disclosure of a decision not to publicize a particular cyber vulnerability," he said. 

Yet, even if a governmentwide negotiation on nondisclosure backfires, consensus probably is the best approach, Dunlap added.

"The interagency process Daniel discusses can ensure the airing of the widest range of views, and this can lead to better decision-making," he said. "In situations like this where the choice -- whichever way it goes -- will always be second guessed, it is usually better to be inclusive in the decision-making process, especially inside the Beltway."

Separately, on Wednesday, findings from the Pew Research Center show that about 30 percent of all Internet users feel their personal information was put at risk because of the Heartbleed bug.

When the Heartbleed zero-day became public early this month, some security experts questioned whether federal websites were immune because NSA -- a code-making and code-breaking Pentagon agency -- had provided them with secret protections.

Officials didn't address the accusations. They said the government's main public sites, including, were safe from the threat, but later said they were taking steps to address Heartbleed issues and reset consumer passwords out of an abundance of caution.

Daniel, in his blog post, said that “building up a huge stockpile of undisclosed vulnerabilities while leaving the Internet vulnerable and the American people unprotected would not be in our national security interest.”

That does not mean the United States “should completely forgo this tool as a way to conduct intelligence collection, and better protect our country in the long-run,” he added. “Weighing these tradeoffs is not easy, and so we have established principles to guide agency decision-making in this area.”

