US Spy Policy May Put Public PCs At Risk
US government officials have flatly denied having any advance knowledge of the Heartbleed bug. The bug, which has already been exploited by hackers, has resulted in the exposure of social security numbers held by the Canada Revenue Agency, along with other personal data. It's estimated that the bug affects approximately six percent of all websites world-wide.
Now, it's emerged that US spies who discover security bugs are sometimes allowed to exploit them, rather than warn the public of any imminent dangers.
A report by the Bloomberg news agency suggested the National Security Agency (NSA) knew about Heartbleed for up to two years. The NSA has already been in the headlines countless times in the last few years for its alleged breaches of Internet user privacy. (Source: bloomberg.com)
US Spies 'Did Not Know About Heartbleed'
Sources told Google that NSA staff had exploited Heartbleed as part of their investigations into suspects, gathering data from compromised sites. However, the agency categorically denied this, stating that "NSA was not aware of the recently identified ... Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report," and that "reports that say otherwise are wrong."
Further investigation has revealed that even if the NSA did find out about Heartbleed, it wouldn't have to tell the public.
Following a review at the start of this year, President Obama made an official ruling on how government agencies should deal with zero-day flaws, including cases where a software or hardware manufacturer is not able to fix a bug before somebody else discovers it.
Government Agencies Can Keep Bugs Secret
The rules now say that government agencies which discover a security bug must follow a "Vulnerabilities Equities Process." It says that as a general principle, the agency should have the goal of making sure the bug is fixed as soon as possible, which means notifying the software or hardware firm involved immediately.
The logic here is that the quicker the bug is fixed, the more secure computer use will be for all government agencies. However, the rules also state that the government "may briefly authorize using a Zero Day for high priority intelligence collection, following senior, interagency review involving all appropriate departments." (Source: arstechnica.com)
In other words: if the government knows about a bug in software, it can use that bug to gather confidential data, even if doing so delays the fix - and every day the fix is delayed, the public stays exposed to the same flaw in the hands of other attackers.
It seems the new rules are only making official what staff were already doing. Last year the Washington Post reported that the NSA had paid $25 million to hackers for details of unpublicized bugs in software to make it easier to spy on suspects online.
What's Your Opinion?
Do you think the US government has found the proper balance between the needs of security agencies as well as the public? Do you believe all governments have a responsibility to protect the public from hackers by helping to get security bugs fixed as soon as possible? Or, do you think there are cases where it's justifiable to keep quiet about a bug so it can be used to secretly collect data on suspects?
Comments
US Gov. and Computer Access to the American Public thru software
I believe that no government agencies should have any internet access at all; the only networking done should be within each agency's individual WAN. No government agency should have access to the digital ocean of the free internet available to all free citizens in all of the earth's countries. We have overstepped our boundaries as planetary stewards, evolved as we were by the universe. But our knowledge got us in trouble and too comfortable. It should be kept about as far apart as the church and state concept implied it would be. Government cannot examine or try to interpret what it experiences while "online". The experience would overwhelm anyone in opposition. I'm kinda sketchy about all of this.