Recently reported by the New York Times, President Barack Obama has said that the NSA must reveal any Internet vulnerability that it finds. But there’s a catch. The security agency is not obligated to disclose vulnerabilities whenever there’s “a clear national security or law enforcement need”.
“This process is biased toward responsibly disclosing such vulnerabilities,” said Caitlin Hayden, the spokeswoman for the National Security Council. Despite the assurance, the exception is being widely viewed as a loophole that will likely allow the NSA to continue to exploit security vulnerabilities.
The decision was made by the President in January when he started working on NSA reforms, but it wasn’t publicly revealed until last Friday when the White House denied that it had any prior knowledge of Heartbleed, a security bug which has reportedly affected almost two-thirds of the internet, including Google, Facebook, Yahoo, and more.
There is already widespread concern that the security agency may have been secretly using the Heartbleed bug for years to serve its own purposes, something which the agency has denied. On the other hand, documents released by Snowden reveal that the security agency was already looking at ways to accomplish exactly what Heartbleed did through a program code-named ‘Bullrun’.
Thank you to the New York Times for providing us with this information.