White House Outlines Parameters for Withholding Security Vulnerability Information
Why wouldn’t the government disclose a cybersecurity vulnerability? According to a White House blog post, it could mean foregoing “an opportunity to collect crucial intelligence that could thwart a terrorist attack, stop the theft of our nation’s intellectual property, or even discover more dangerous vulnerabilities that are being used by hackers or other adversaries to exploit our networks,” writes White House cybersecurity coordinator Michael Daniel.
As vulnerabilities appear to be assessed on a case-by-case basis for disclosure, The Verge reports, Daniel writes that among the considerations when making that decision are the following nine questions:
- How much is the vulnerable system used in the core Internet infrastructure, in other critical infrastructure systems, in the U.S. economy, and/or in national security systems?
- Does the vulnerability, if left unpatched, impose significant risk?
- How much harm could an adversary nation or criminal group do with knowledge of this vulnerability?
- How likely is it that we would know if someone else was exploiting it?
- How badly do we need the intelligence we think we can get from exploiting the vulnerability?
- Are there other ways we can get it?
- Could we utilize the vulnerability for a short period of time before we disclose it?
- How likely is it that someone else will discover the vulnerability?
- Can the vulnerability be patched or otherwise mitigated?
This post comes after an allegation that the National Security Administration had prior knowledge of the Heartbleed security vulnerability and had taken advantage of it for two years. The NSA has vehemently denied that allegation, and the White House backs it within the blog.