THE UNITED STATES National Security Agency (NSA) has advised the American people that although it knows that telling them about security issues is in the public interest, it will not always do that.
Following the exposure of the Heartbleed vulnerability in OpenSSL, the NSA explained its stance via the White House blog, sort of, and revealed that each security vulnerability that comes its way is assessed on a range of merits and will only be disclosed depending on its risk assessment.
White House cybersecurity coordinator Michael Daniel penned the blog post and explained the position. He said that if there is a chance of the US being exploited by terrorists or other opponents following disclosure then the NSA will not disclose the threat.
"There are legitimate pros and cons to the decision to disclose, and the trade-offs between prompt disclosure and withholding knowledge of some vulnerabilities for a limited time can have significant consequences," he said.
"Disclosing a vulnerability can mean that we forego an opportunity to collect crucial intelligence that could thwart a terrorist attack, stop the theft of our nation's intellectual property, or even discover more dangerous vulnerabilities that are being used by hackers or other adversaries to exploit our networks."
Daniel said that stockpiling vulnerabilities at the expense of the American people is not in the "national security interest", but it does appear that there is an element of that.
"Building up a huge stockpile of undisclosed vulnerabilities while leaving the internet vulnerable and the American people unprotected would not be in our national security interest. But that is not the same as arguing that we should completely forgo this tool as a way to conduct intelligence collection, and better protect our country in the long-run," he added.
"Weighing these tradeoffs is not easy, and so we have established principles to guide agency decision-making in this area."
Daniel also took the time to repeat the NSA position that it knew nothing of the infamous Heartbleed vulnerability, explained in the video below, before it hit the headlines earlier this month. µ
Watch this space
Hackers could erect man-in-the-middle attacks
Painted into a corner
What we'd call copying, Cupertino calls 'inspiration'