President Obama’s biased stance on exploiting online security bugs
President Barack Obama has deemed that when a cyber-security vulnerability has been discovered by any federal agency, it is the government’s duty to report the issue instead of exploiting it for intelligence gains. However, there are exceptions to this ruling, such as in cases where national security is at stake or action from law enforcement agencies is required. This means that if the U.S. National Security Agency (NSA) or any other government agency finds a cyber vulnerability, the agency can exploit it with just cause.
Despite Obama’s public stance on security loopholes, the recent revelation of the Heartbleed bug has only spurred more skepticism from the public. Heartbleed allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of OpenSSL’s cryptographic software library, compromising the secret keys used to identify service providers and encrypted personal data. Did the National Security Agency know about the bug all along, leveraging it to spy on people?
The Office of the Director of National Intelligence (ODNI) denied the allegations, stating that the “NSA or any other part of the government” had no prior knowledge of the Heartbleed vulnerability, which caused many netizens to panic over its implications. The debacle prompted action from the White House, though its decision is unlikely to settle the nerves of worried web users. The ODNI shares the following statement:
“In response to the recommendations of the President’s Review Group on Intelligence and Communications Technologies, the White House has reviewed its policies in this area and reinvigorated an interagency process for deciding when to share vulnerabilities. This process is called the Vulnerabilities Equities Process. Unless there is a clear national security or law enforcement need, this process is biased toward responsibly disclosing such vulnerabilities.”
The statement is in line with the position of President Obama’s Review Group on Intelligence and Communications Technologies, merely reiterating the intended limitations on what the NSA can and cannot do to gain intel. The ODNI statement offers netizens no new information and raises more questions about the security of web users.
The NSA denied any involvement or knowledge of the security flaw, though one report insinuates that the NSA is delving into practices that could lead to more vulnerabilities in the future. The Washington Post writes that the agency designs most of its security implants, but devoted $25.1 million in 2013 to ‘additional covert purchases of software vulnerabilities’ from private malware vendors, a growing gray-market industry based largely in Europe.