The White House has felt the need to clarify how it stockpiles security vulnerabilities and threats through a blog post explaining at what stage it feels the need to inform the general public.
President Barack Obama’s residence penned a blog that looks at security vulnerabilities in the wake of the Heartbleed bug that apparently caught the National Security Agency [NSA] completely off guard.
“Building up a huge stockpile of undisclosed vulnerabilities while leaving the Internet vulnerable and the American people unprotected would not be in our national security interest,” stated White House cyber security coordinator Michael Daniel.
That isn’t the half of it, as the NSA will continue to hold the ability to hoard certain vulnerabilities in order to help the US keep up its intelligence gathering efforts.
“[But] that is not the same as arguing that we should completely forgo this tool as a way to conduct intelligence collection, and better protect our country in the long-run. Weighing these tradeoffs is not easy, and so we have established principles to guide agency decision-making in this area,” Daniel added.
In addition to that, the White House has also devised a list of rules that, whilst they aren’t “hard and fast,” give agencies a list of nine questions to consider when dealing with threats, which are:
- How much is the vulnerable system used in the core internet infrastructure, in other critical infrastructure systems, in the U.S. economy, and/or in national security systems?
- Does the vulnerability, if left unpatched, impose significant risk?
- How much harm could an adversary nation or criminal group do with knowledge of this vulnerability?
- How likely is it that we would know if someone else was exploiting it?
- How badly do we need the intelligence we think we can get from exploiting the vulnerability?
- Are there other ways we can get it?
- Could we utilize the vulnerability for a short period of time before we disclose it?
- How likely is it that someone else will discover the vulnerability?
- Can the vulnerability be patched or otherwise mitigated?
The White House will now, in all likelihood, inform the public of certain security threats before they are revealed by a third party.