
Obama lets NSA legally exploit certain Internet security flaws

Whenever the National Security Agency discovers a serious vulnerability that could affect Internet security, President Obama has decided that the agency should inform the tech sector about it... most of the time.

The details of Obama's decision, which he made this past January but which had not been publicly revealed until now, charge the NSA with doing its part to ensure that key weaknesses can be fixed instead of exploited. However, the President did leave a loophole open: where there is "a clear national security or law enforcement need," the NSA is not obligated to disclose the vulnerabilities it finds.

While the agency is tasked with favouring the common good most of the time (disclosure lets vendors and open-source projects quickly come up with fixes for widespread flaws), the debate among Obama's presidential advisory committee centred on whether it might be better, in some instances, for the NSA to keep such knowledge to itself for use in future national security operations.

Take, for example, the "Olympic Games" operation that targeted Iran's nuclear enrichment program in 2007 and 2010. The Stuxnet computer worm, crafted by the NSA and deployed in partnership with Israel's signals-intelligence service, took advantage of four zero-day vulnerabilities in the Windows operating system to damage nearly 1,000 centrifuges at Iran's nuclear enrichment facility in Natanz.

Giving up the ability to exploit unknown vulnerabilities in the name of national security was described by some NSA officials as a kind of "unilateral disarmament," reports The New York Times.

"I can't imagine the president — any president — entirely giving up a technology that might enable him some day to take a covert action that could avoid a shooting war," said one unnamed White House official.

As for why this is all coming up now, questions have been posed to the White House about whether the NSA knew of the headline-grabbing Heartbleed bug prior to its 7 April disclosure by the OpenSSL project. The White House maintains that it did not, that the NSA likewise had no prior knowledge of the vulnerability, and that the NSA had not exploited it in any fashion.

This was the first instance, reports the Times, in which the NSA has actually indicated whether or not a particular vulnerability sits in its digital bag of tricks. However, documents leaked by former NSA contractor Edward Snowden indicate that the NSA was, at one point, attempting to develop its own means of achieving much of what Heartbleed makes possible. That effort, dubbed "Bullrun," was being pursued by the NSA roughly two years ago.