[Infowarrior] - POTUS: U.S. Should Reveal, Not Exploit, Internet Security Flaws

Richard Forno rforno at infowarrior.org
Sat Apr 12 18:29:20 CDT 2014


Obama Decides U.S. Should Reveal, Not Exploit, Internet Security Flaws

By DAVID E. SANGER
APRIL 12, 2014

http://www.nytimes.com/2014/04/13/us/politics/after-heartbleed-bug-obama-decides-us-should-reveal-internet-security-flaws.html

WASHINGTON — Stepping into a heated debate within the nation’s intelligence agencies, President Obama has decided that when the National Security Agency discovers major flaws in Internet security it should – in most circumstances — reveal them to assure they get fixed, rather than stockpile them for use in espionage or cyberattacks, senior administration officials said Saturday.

But Mr. Obama carved a broad exception for “a clear national security or law enforcement need,” the officials said, a loophole that is likely to allow the N.S.A. to continue to build a cyberarsenal that it can use both to crack encryption on the Internet or design cyberweapons. The White House has never publicly detailed Mr. Obama’s decision, which he made in January as he launched a three-month-long review of recommendations by a presidential advisory committee on actions warranted in response to recent disclosures about the National Security Agency.

But elements of it became evident on Friday when the White House denied that it had any prior knowledge of the “Heartbleed” bug, a new hole in Internet security that sent Americans scrambling last week to change their online passwords. The White House statement said that when such flaws are discovered, there is now a “bias” in the government to share that knowledge with computer and software manufacturers so a remedy can be created and distributed to industry and consumers.

Caitlin Hayden, the spokeswoman for the National Security Council, said the review of the recommendations was now complete, and it had resulted in a “reinvigorated” process to weigh the value of disclosing whenever a security flaw is discovered in the Internet against the value of keeping the discovery secret for later use by the intelligence community. “This process is biased toward responsibly disclosing such vulnerabilities,” she said.

Until now the White House has declined to describe Mr. Obama’s action on this recommendation of his advisory committee, whose report is better known for its determination that the government get out of the business of collecting bulk telephone data about the calls made by every American. Mr. Obama announced last month that he would end the bulk collection, and leave the data in the hands of telecommunications companies, with a procedure for the government to obtain it with court orders.

But while the surveillance recommendations were noteworthy, inside the intelligence agencies other recommendations, concerning encryption and cyber operations, set off a roaring debate with echoes of the Cold War battles that dominated this city a half-century ago.

One recommendation urged the N.S.A. to get out of the business of weakening commercial encryption systems or trying to build in “back doors” that would make it far easier for the agency to crack the communications of America’s adversaries. Tempting as it was to create easy ways to break codes — the reason the N.S.A. was established by Harry Truman 62 years ago — the committee concluded that the practice would undercut trust in American software and hardware products. In recent months Silicon Valley companies have urged the United States to abandon such practices, especially as Germany and Brazil, among other nations, have said they were considering shunning American-origin equipment and software. Their motives were hardly pure: foreign competitors see the N.S.A. disclosures as a way to bar American companies.

A second recommendation urged the government to make only the most limited, temporary use of what hackers call “zero days,” the coding flaws in software like Microsoft Windows that can give an attacker access to a computer — and any business, government agency or network connected to it. The flaws get their name from the fact that, when identified, “zero days” exist for the user of the computer system to fix them before hackers can take advantage of the accidental vulnerability.

The N.S.A. used four “zero day” vulnerabilities in its attack on Iran’s nuclear enrichment sites. That operation, code-named “Olympic Games,” managed to damage roughly 1,000 Iranian centrifuges, and by some accounts helped drive the country to the negotiating table. Not surprisingly, officials at the N.S.A. and at its military partner, the United States Cyber Command, warned that giving up the capability to exploit unknown vulnerabilities would amount to “unilateral disarmament” — a phrase taken from the battles over whether and how far to cut America’s nuclear arsenal.

“We don’t eliminate nuclear weapons until the Russians do,” one senior intelligence official said recently. “You are not going to see the Chinese give up on ‘zero days’ just because we do.” Even a senior White House official who was sympathetic to broad reforms after the N.S.A. disclosures said last month, “I can’t imagine the president — any president — entirely giving up a technology that might enable him some day to take a covert action that could avoid a shooting war.”

At the center of that technology are the kinds of hidden gaps in the Internet — almost always made by mistake or oversight — that “Heartbleed” created. There is no evidence that the N.S.A. had any role in creating “Heartbleed,” or that it made use of it. When the White House denied knowledge of “Heartbleed” on Friday afternoon, it appeared to be the first time that the N.S.A. had ever said whether a flaw in the Internet was — or was not — in the secret library it keeps at Fort Meade, the headquarters of the agency and Cyber Command.

But documents released by Edward J. Snowden, the N.S.A. leaker, make it clear that two years before “Heartbleed” came into being, the N.S.A. was looking at ways to accomplish exactly what the flaw did by accident. A program code-named “Bullrun,” apparently named for the Civil War battle just outside Washington, was part of a decade-long effort to crack or circumvent encryption on the web. The documents do not make clear how well it succeeded, but it may well have been more effective than “Heartbleed” at enabling access to secret data.

The United States government has become one of the biggest developers and purchasers of “zero days,” officials acknowledge. Those flaws are big business — Microsoft pays up to $150,000 to those who find them and bring them to the company to fix — and other countries are snatching them up so fast that building an arsenal of them has become something of a modern-day arms race. Chief among those nations seeking them are China and Russia, and the Iranians and North Koreans are also in the market.

“Cyber as an offensive weapon will become bigger and bigger,” said Michael DeCesare, who runs the McAfee computer security operations of Intel Corporation. “I don’t think any amount of policy alone will stop them,” he said of the Russians, the Chinese and others, from doing what they are doing. “That’s why effective command and control strategies are absolutely imperative on our side.”

The presidential advisory committee did not urge the N.S.A. to get out of the business entirely. But it said that the president should make sure the N.S.A. does not “engineer vulnerabilities” into commercial encryption systems. And it said that if the United States finds a “zero day” it should patch it, not exploit it, with one exception: senior officials could “briefly authorize using a zero day for high priority intelligence protection.”

---
Just because I'm near the punchbowl doesn't mean I'm also drinking from it.
