Obama Lets N.S.A. Exploit Some Internet Flaws, Officials Say
By DAVID E. SANGER
APRIL 12, 2014
WASHINGTON — Stepping into a heated debate within the nation’s intelligence agencies, President Obama has decided that when the National Security Agency discovers major flaws in Internet security, it should — in most circumstances — reveal them to assure that they will be fixed, rather than keep mum so that the flaws can be used in espionage or cyberattacks, senior administration officials said Saturday.

But Mr. Obama carved a broad exception for “a clear national security or law enforcement need,” the officials said, a loophole that is likely to allow the N.S.A. to continue to exploit security flaws both to crack encryption on the Internet and to design cyberweapons.

The White House has never publicly detailed Mr. Obama’s decision, which he made in January as he began a three-month review of recommendations by a presidential advisory committee on what to do in response to recent disclosures about the National Security Agency.

But elements of the decision became evident on Friday, when the White House denied that it had any prior knowledge of the Heartbleed bug, a newly known hole in Internet security that sent Americans scrambling last week to change their online passwords. The White House statement said that when such flaws are discovered, there is now a “bias” in the government to share that knowledge with computer and software manufacturers so a remedy can be created and distributed to industry and consumers.

Caitlin Hayden, the spokeswoman for the National Security Council, said the review of the recommendations was now complete, and it had resulted in a “reinvigorated” process to weigh the value of disclosure when a security flaw is discovered, against the value of keeping the discovery secret for later use by the intelligence community.

“This process is biased toward responsibly disclosing such vulnerabilities,” she said.

Until now, the White House has declined to say what action Mr. Obama had taken on this recommendation of the president’s advisory committee, whose report is better known for its determination that the government get out of the business of collecting bulk telephone data about the calls made by every American. Mr. Obama announced last month that he would end the bulk collection, and leave the data in the hands of telecommunications companies, with a procedure for the government to obtain it with court orders when needed.

But while the surveillance recommendations were noteworthy, inside the intelligence agencies other recommendations, concerning encryption and cyber operations, set off a roaring debate with echoes of the Cold War battles that dominated Washington a half-century ago.

One recommendation urged the N.S.A. to get out of the business of weakening commercial encryption systems or trying to build in “back doors” that would make it far easier for the agency to crack the communications of America’s adversaries. Tempting as it was to create easy ways to break codes — the reason the N.S.A. was established by Harry S. Truman 62 years ago — the committee concluded that the practice would undercut trust in American software and hardware products. In recent months, Silicon Valley companies have urged the United States to abandon such practices, while Germany and Brazil, among other nations, have said they were considering shunning American-made equipment and software. Their motives were hardly pure: Foreign companies see the N.S.A. disclosures as a way to bar American competitors.

Another recommendation urged the government to make only the most limited, temporary use of what hackers call “zero days,” the coding flaws in software like Microsoft Windows that can give an attacker access to a computer — and to any business, government agency or network connected to it. The flaws get their name from the fact that, when identified, the computer user has “zero days” to fix them before hackers can exploit the accidental vulnerability.

The N.S.A. made use of four “zero day” vulnerabilities in its attack on Iran’s nuclear enrichment sites. That operation, code-named “Olympic Games,” managed to damage roughly 1,000 Iranian centrifuges, and by some accounts helped drive the country to the negotiating table.

Not surprisingly, officials at the N.S.A. and at its military partner, the United States Cyber Command, warned that giving up the capability to exploit undisclosed vulnerabilities would amount to “unilateral disarmament” — a phrase taken from the battles over whether and how far to cut America’s nuclear arsenal.

“We don’t eliminate nuclear weapons until the Russians do,” one senior intelligence official said recently. “You are not going to see the Chinese give up on ‘zero days’ just because we do.” Even a senior White House official who was sympathetic to broad reforms after the N.S.A. disclosures said last month, “I can’t imagine the president — any president — entirely giving up a technology that might enable him some day to take a covert action that could avoid a shooting war.”

At the center of that technology are the kinds of hidden gaps in the Internet — almost always created by mistake or oversight — that Heartbleed created. There is no evidence that the N.S.A. had any role in creating Heartbleed, or even that it made use of it. When the White House denied prior knowledge of Heartbleed on Friday afternoon, it appeared to be the first time that the N.S.A. had ever said whether a particular flaw in the Internet was — or was not — in the secret library it keeps at Fort Meade, Md., the headquarters of the agency and Cyber Command.

But documents released by Edward J. Snowden, the former N.S.A. contractor, make it clear that two years before Heartbleed became known, the N.S.A. was looking at ways to accomplish exactly what the flaw did by accident. A program code-named Bullrun, apparently named for the site of two Civil War battles just outside Washington, was part of a decade-long effort to crack or circumvent encryption on the web. The documents do not make clear how well it succeeded, but it may well have been more effective than exploiting Heartbleed would be at enabling access to secret data.

The government has become one of the biggest developers and purchasers of information identifying “zero days,” officials acknowledge. Those flaws are big business — Microsoft pays up to $150,000 to those who find them and bring them to the company to fix — and other countries are gathering them so avidly that something of a modern-day arms race has broken out. Chief among the nations seeking them are China and Russia, though Iran and North Korea are in the market as well.

“Cyber as an offensive weapon will become bigger and bigger,” said Michael DeCesare, who runs the McAfee computer security operations of Intel Corporation. “I don’t think any amount of policy alone will stop them” from doing what they are doing, he said of the Russians, the Chinese and others. “That’s why effective command and control strategies are absolutely imperative on our side.”

The presidential advisory committee did not urge the N.S.A. to get out of the business entirely. But it said that the president should make sure the N.S.A. does not “engineer vulnerabilities” into commercial encryption systems. And it said that if the United States finds a “zero day,” it should patch it, not exploit it, with one exception: Senior officials could “briefly authorize using a zero day for high priority intelligence protection.”
A version of this article appears in print on April 13, 2014, on page A8 of the New York edition with the headline: Obama Lets N.S.A. Exploit Some Internet Flaws, Officials Say.