By Chris Strohm and Michael Riley
WASHINGTON — The Obama administration is letting law enforcement keep computer-security flaws secret to further U.S. investigations of cyberspies and hackers.
The White House has carved out an exception for the FBI and other agencies to keep information about software vulnerabilities from manufacturers and the public. Until now, most debate has focused on how the National Security Agency stockpiles and uses new-found Internet weaknesses, known as zero-day exploits, for offensive purposes, such as attacking the networks of adversaries.
The law enforcement operations expose a delicate and complicated balancing act when it comes to agencies using serious security flaws in investigations versus disclosing them to protect all Internet users, according to former government officials and privacy advocates.
“You might have a bad guy using a zero-day to attack a nuclear facility,” Steven Chabinsky, a former deputy assistant director in the FBI’s cybersecurity division, said in a phone interview. “The FBI doesn’t disclose that vulnerability because they don’t want to tip their hand.”
President Obama’s administration is grappling with how to use Internet flaws for offensive and defensive purposes, and when they should be disclosed to software manufacturers or the public in order to be fixed. The debate became public after disclosures by Edward Snowden about NSA spying and intensified over questions about whether the agency knew about the Heartbleed bug and kept silent about it, which the government has denied.
Computer flaws that are unknown to software and hardware developers are referred to as zero-day flaws, a reference to there having been no time yet to correct the vulnerabilities. When the Obama administration said April 11 that the U.S. government should disclose zero-day flaws used in cyberspying, it left two exceptions, including one for a clear “law enforcement need.”
While the FBI doesn’t use zero-day exploits, it does conduct extensive counterespionage, secretly watching the hackers of other nations as they attack U.S. computer networks, Chabinsky and other former agency cybersecurity officials said.
Law enforcement agencies should find ways to disclose zero-day flaws so they can be fixed and only keep them secret under extreme scenarios such as when it’s necessary to prevent the loss of lives, Jeremy Gillula, a staff technologist with the Electronic Frontier Foundation based in San Francisco, said in a phone interview.
“The default should be to disclose,” Gillula said. “If it’s super-important intelligence and the vulnerability isn’t much of a risk to the core Internet infrastructure, then maybe they could consider not disclosing it right away. I would say those scenarios are few and far between.”