Obama Tells NSA To Reveal, Not Exploit, Flaws… Except All The Times It Wants To Do The Opposite
from the a-bias? dept
Last week there was some confusion as Bloomberg published a story claiming that the NSA was well aware of the Heartbleed bug and had been exploiting it for “at least” two years. That seemed fairly incredible, given that the bug had only been around for slightly over two years. The NSA came out with a pretty strongly worded denial — which left out much of the usual equivocation and tricky wording that the NSA normally uses in denying things. The general consensus seems to be that it is, in fact, unlikely that the NSA knew about Heartbleed (though that makes some wonder if some team at the NSA is now in trouble for not figuring it out). If anything, it seems likely that the Bloomberg reporters got confused by other programs that the NSA is known to have to break parts of SSL, something it’s supposedly been able to do since around 2010.
However, the NY Times had a story this weekend about how this move has forced the administration to clarify its position on zero day exploits. It’s already known that the NSA buys lots of zero day exploits and makes the internet weaker as a result of it. Though, in the past, the NSA has indicated that it only makes use of the kinds of exploits that only it can use (i.e., exploits that need such immense computing power that anyone outside of the NSA is unlikely to be able to do anything). However, the NY Times article notes that, following the White House’s intelligence review task force recommendation that the NSA stop weakening encryption and other technologies, President Obama put in place an official rule that the NSA should have a “bias” towards revealing the flaws and helping to fix them, but leaves open a massive loophole:
But Mr. Obama carved a broad exception for “a clear national security or law enforcement need,” the officials said, a loophole that is likely to allow the N.S.A. to continue to exploit security flaws both to crack encryption on the Internet and to design cyberweapons.
Amusingly, the NY Times initially had a title on its story saying that President Obama had decided that the NSA should “reveal, not exploit, internet security flaws,” but the title then changed to the much more accurate: “Obama Lets N.S.A. Exploit Some Internet Flaws, Officials Say.”
Of course, the cold war analogy used by people in the article seems… wrong:
“We don’t eliminate nuclear weapons until the Russians do,” one senior intelligence official said recently. “You are not going to see the Chinese give up on ‘zero days’ just because we do.”
Except, it’s meaningless that no one expects the Chinese (or the Russians or anyone else) to give up zero days. The simple fact is that if the NSA were helping to stop zero days that would better protect everyone against anyone else using those zero days. In fact, closing zero days is just like disarming both sides, because it takes the vulnerability out of service. It’s not about us giving up our “weapons,” it’s about building a better defense for the world. And yet the NSA isn’t willing to do that. Because they’re not about protecting anyone — other than themselves.