Feds Would Have a Hard Time Keeping Zero-Days Under Wraps


The White House has established an interagency process to vet the pros and cons of disclosing future vulnerabilities.

If federal officials wanted to keep mum about the next cyber superbug to give the intelligence community time to exploit it, they have a plan for doing so -- but executing the plan could invite the kind of disclosures it aims to prevent.

The Obama administration strongly maintains it didn't hide the Heartbleed superbug -- the recently-reported defect in widely-used Web encryption technology -- from the public. However, speculation otherwise has prompted federal officials to reveal the thinking that would go into withholding information about such a vulnerability. So-called zero day bugs allow the intelligence community to spy on adversaries before the security holes are patched.

The administration has "established a disciplined, rigorous and high-level decision-making process for vulnerability disclosure," White House cyber czar Michael Daniel wrote in a blog post this week. "This interagency process helps ensure that all of the pros and cons are properly considered and weighed."

That method could also allow agencies with different missions -- homeland security and cybercrime enforcement, for instance -- to let the cat out of the bag.

The risks are real, says retired Maj. Gen. Charles Dunlap, a former deputy judge advocate general of the Air Force.

"Agencies have different charters and interests, so there could be very strong yet honest disagreement in certain cases," he said. "Losers in such debates may not always go quietly. And let’s not forget that this kind of information would be extraordinarily valuable to every government and business on the planet -- not to mention the general public."

Dunlap, now a Duke University Law School professor, said the "interagency process" likely involves representatives from the various intelligence entities as well as all the Cabinet-level departments. The process "inevitably increases the possibility of an inadvertent or even deliberate disclosure of a decision not to publicize a particular cyber vulnerability," he said. 

Yet, even if a governmentwide negotiation on nondisclosure backfires, consensus probably is the best approach, Dunlap added.

"The interagency process Daniel discusses can ensure the airing of the widest range of views, and this can lead to better decision-making," he said. "In situations like this where the choice -- whichever way it goes -- will always be second guessed, it is usually better to be inclusive in the decision-making process, especially inside the Beltway."

Separately, on Wednesday, findings from the Pew Research Center show that about 30 percent of all Internet users feel their personal information was put at risk because of the Heartbleed bug.

When the Heartbleed zero-day became public early this month, some security experts questioned whether federal websites were immune because NSA -- a code-making and code-breaking Pentagon agency -- had provided them with secret protections.

Officials didn't address the accusations but said the government's main public sites, including HealthCare.gov, were safe from the threat; later, they said they were taking steps to address Heartbleed issues and reset consumer passwords out of an abundance of caution.

Daniel, in his blog post, said that “building up a huge stockpile of undisclosed vulnerabilities while leaving the Internet vulnerable and the American people unprotected would not be in our national security interest.”

That does not mean the United States “should completely forgo this tool as a way to conduct intelligence collection, and better protect our country in the long-run,” he added. “Weighing these tradeoffs is not easy, and so we have established principles to guide agency decision-making in this area.”
