POLITICS | NYT NOW
By DAVID E. SANGER - APRIL 12, 2014
WASHINGTON — Stepping into a heated debate within the nation’s
intelligence agencies, President Obama has decided that when the
National Security Agency discovers major flaws in Internet security, it
should — in most circumstances — reveal them to assure that they will be
fixed, rather than keep mum so that the flaws can be used in espionage or
cyberattacks, senior administration officials said Saturday.
But Mr. Obama carved a broad exception for “a clear national security
or law enforcement need,” the officials said, a loophole that is likely to
allow the N.S.A. to continue to exploit security flaws both to crack
encryption on the Internet and to design cyberweapons.
The White House has never publicly detailed Mr. Obama’s decision, which he made in January as he began a three-month review of recommendations by a presidential advisory committee on what to do in response to recent disclosures about the National Security Agency.
But elements of the decision became evident on Friday, when the White House denied that it had any prior knowledge of the Heartbleed bug, a newly known hole in Internet security that sent Americans scrambling last week to change their online passwords. The White House statement said that when such flaws are discovered, there is now a “bias” in the government to share that knowledge with computer and software manufacturers so a remedy can be created and distributed to industry and consumers.
Caitlin Hayden, the spokeswoman for the National Security Council, said the review of the recommendations was now complete, and it had resulted in a “reinvigorated” process to weigh the value of disclosure when a security flaw is discovered, against the value of keeping the discovery secret for later use by the intelligence community.
“This process is biased toward responsibly disclosing such vulnerabilities,” she said.
Until now, the White House has declined to say what action Mr. Obama had taken on this recommendation of the president’s advisory committee, whose report is better known for its determination that the government get out of the business of collecting bulk telephone data about the calls made by every American. Mr. Obama announced last month that he would end the bulk collection, and leave the data in the hands of telecommunications companies, with a procedure for the government to obtain it with court orders when needed.
But while the surveillance recommendations were noteworthy, inside the intelligence agencies other recommendations, concerning encryption and cyber operations, set off a roaring debate with echoes of the Cold War battles that dominated Washington a half-century ago.