White House explains ‘disciplined, rigorous’ NSA policy

The Obama administration is offering more details about a new policy shift for the way spies treat software glitches and bugs they come across.

Revelations that the National Security Agency (NSA) searched for and took advantage of the coding hiccups in order to get information led to calls for reform last year, but the White House never publicly addressed the issue until earlier this month, when denying that it knew about the massive “Heartbleed” vulnerability.

In a blog post on Monday, White House special cybersecurity assistant Michael Daniel explained that the administration now has a “disciplined, rigorous and high-level decisionmaking process” for letting companies know about software bugs.

{mosads}“This interagency process helps ensure that all of the pros and cons are properly considered and weighed,” he wrote, while adding that “there are no hard and fast rules” for deciding when to have a glitch fixed and when to take advantage of it.

Daniel’s post is the first formal explanation of the new policy, which online security advocates worried was shaped in secret by intelligence agency officials.

The NSA has routinely sought out flaws in common computer code so that it can take advantage of the glitches and snag information about suspected terrorists and criminals.

The practice has come under fire from Web activists, who say that it ends up making the Internet less safe and gives more room for hackers and foreign governments to come in and spy on the U.S. They called on the Obama administration to change its operations, but the issue seemed to have been sidelined as officials worked on other changes to the NSA’s surveillance programs.

Then the emergence of the Heartbleed bug raised new fears about online security and prompted one report that the NSA had known about the glitch and used it to get information for two years. The White House denied the report and in the process revealed that it had introduced a new policy for dealing with software vulnerabilities. 

“Building up a huge stockpile of undisclosed vulnerabilities while leaving the Internet vulnerable and the American people unprotected would not be in our national security interest,” Daniel wrote on the White House blog.

“But that is not the same as arguing that we should completely forgo this tool as a way to conduct intelligence collection, and better protect our country in the long-run. Weighing these tradeoffs is not easy, and so we have established principles to guide agency decision-making in this area.”

Under the new policy, spy agencies will determine whether to reveal a bug after considering how common the vulnerability is “in the core Internet infrastructure” and evaluating what risk it might pose if unaddressed and how likely criminals or foreign spies are to take advantage of it.

“Too little transparency and citizens can lose faith in their government and institutions, while exposing too much can make it impossible to collect the intelligence we need to protect the nation,” Daniel wrote. “We weigh these considerations through a deliberate process that is biased toward responsibly disclosing the vulnerability, and by sharing this list we want everyone to understand what is at stake.”