President Obama wants NSA to come clean about Heartbleed-like bugs

Leak suggests NSA can keep schtum about software bugs that may benefit its activities, but must disclose details about everything else

President Barack Obama wants all major vulnerabilities found by the NSA to be disclosed to protect end users from cyber attacks.

The US president, however, has decreed any vulnerability the NSA could use for "a clear national security or law enforcement need" does not need to be disclosed.

The decision was leaked by senior officials in the Obama administration speaking anonymously to The New York Times.

The information came out after the US government denied any previous knowledge of Heartbleed, the widely reported OpenSSL bug that compromised two-thirds of the internet. The White House stated that it prefers to share the information with the tech industry to protect consumers.

"This process is biased toward responsibly disclosing such vulnerabilities," a spokeswoman for the National Security Council told the Times.

The president's policy allows American agencies to keep schtum about flaws they could use for the purposes of national security, a tool which has proved effective in the past.

Stuxnet, the malware designed by the United States and Israel, used four zero-day vulnerabilities to cripple Iran's nuclear program.

Officials at the NSA and United States Cyber Command said giving up these vulnerabilities would mean "unilateral disarmament," leaving the country exposed to other nation-states' cyber attacks.

"You are not going to see the Chinese give up on 'zero days' just because we do," said one senior official.

The latter are vulnerabilities in programs the developers have had "zero days" to patch. Google, Mozilla, PayPal and Facebook pay thousands of dollars each year to researchers to find and report them. Microsoft pays $150,000 for exploits in Windows, though you can get similar prices on the black market.

The president's policy also makes no mention of the United States' prolific purchasing of vulnerabilities from private researchers.

"You're basically selling commercial software," said one hacker who deals with multiple American agencies. "The only difference is that you sell one license, ever, and everyone calls you evil."
