Latest cyber bug polarizes spy policies

  • Article by: DAVID E. SANGER New York Times
  • April 12, 2014 - 6:43 PM

When the Obama administration denied Friday that it had any prior knowledge of the Heartbleed bug, a new hole in Internet security that sent Americans scrambling to change their online passwords, it also offered some words of reassurance.

When the government discovers ways that Internet security can be pierced, the White House said, “it is in the national interest to responsibly disclose the vulnerability rather than to hold it for an investigative or intelligence purpose.” But then the administration carved an exception — for moments when there is “a clear national security or law enforcement need” to keep the vulnerability secret, so that the National Security Agency, the Pentagon or the Justice Department can exploit it.

Behind that carefully worded statement lay a roaring debate inside the White House, and especially inside the security agency, which for years has been stockpiling flaws that are even more powerful than Heartbleed, to create the ability to turn them into sophisticated cyberweapons.

The internal debate was prompted by the presidential advisory committee created in the wake of the disclosures by Edward Snowden, the NSA leaker. While many of the headlines generated by the committee’s report in December focused on the recommendation that the government get out of the business of collecting bulk telephone data about the calls made by every American, two other recommendations created a major uproar within the security agency, with echoes of the Cold War battles that dominated this city a half-century ago.

One recommendation urged the agency to stop weakening commercial encryption systems or trying to build in “back doors” that would make it far easier for it to crack the communications of U.S. adversaries. Tempting as it was, the committee concluded, the practice would undercut trust in U.S. software and hardware products, which many nations around the world — from Germany to Brazil — were already shunning.

A second urged the government to make only the most limited, temporary use of what hackers call “zero days,” the coding flaws in software like Microsoft Windows that can give an attacker access to a computer — and any business, government agency or network connected to it. The flaws get their name from the fact that, when identified, “zero days” exist for the user of the computer system to fix them before hackers can take advantage of the accidental vulnerability.

The security agency used four “zero day” vulnerabilities in its attack on Iran’s nuclear enrichment sites. That operation managed to damage roughly 1,000 Iranian centrifuges, and by some accounts helped drive the country to the negotiating table over its nuclear program.

Not surprisingly, officials at the security agency and at its military partner, the U.S. Cyber Command, warned that giving up the ability to exploit unknown vulnerabilities would amount to “unilateral disarmament,” a phrase taken from the battles over whether and how far to cut the U.S. nuclear arsenal.

“We don’t eliminate nuclear weapons until the Russians do,” one senior intelligence official said recently. “You are not going to see the Chinese give up on ‘zero days’ just because we do.”

Even a senior White House official who was sympathetic to broad reforms after the NSA disclosures said that “I can’t imagine the president, any president, entirely giving up a technology that might enable him some day to take a covert action that could avoid a shooting war.”

© 2018 Star Tribune