Heartbleed: Understanding When We Disclose Cyber Vulnerabilities

[Commentary] In early April, the National Security Agency sent out a Tweet making clear that it did not know about the recently discovered vulnerability in OpenSSL known as Heartbleed. While we had no prior knowledge of the existence of Heartbleed, this case has re-ignited debate about whether the federal government should ever withhold knowledge of a computer vulnerability from the public.

But there are legitimate pros and cons to the decision to disclose, and the trade-offs between prompt disclosure and withholding knowledge of some vulnerabilities for a limited time can have significant consequences. Disclosing a vulnerability can mean that we forego an opportunity to collect crucial intelligence that could thwart a terrorist attack, stop the theft of our nation’s intellectual property, or even discover more dangerous vulnerabilities that are being used by hackers or other adversaries to exploit our networks.

We have also established a disciplined, rigorous and high-level decision-making process for vulnerability disclosure. This interagency process helps ensure that all of the pros and cons are properly considered and weighed. While there are no hard and fast rules, here are a few things I want to know when an agency proposes temporarily withholding knowledge of a vulnerability:

  • How much is the vulnerable system used in the core Internet infrastructure, in other critical infrastructure systems, in the US economy, and/or in national security systems?
  • Does the vulnerability, if left unpatched, impose significant risk?
  • How much harm could an adversary nation or criminal group do with knowledge of this vulnerability?
  • How likely is it that we would know if someone else was exploiting it?
  • How badly do we need the intelligence we think we can get from exploiting the vulnerability?
  • Are there other ways we can get it?
  • Could we utilize the vulnerability for a short period of time before we disclose it?
  • How likely is it that someone else will discover the vulnerability?
  • Can the vulnerability be patched or otherwise mitigated?

[Daniel is Special Assistant to the President and the Cybersecurity Coordinator]