FISA: Reform

Did President Obama Accept Recommendation 30?

By Jack Goldsmith
Saturday, April 19, 2014, 5:22 AM

Richard Clarke and Peter Swire, two of the five members of the President’s Intelligence Review Group, argue at The Daily Beast that the NSA should rarely keep (as opposed to disclose, and allow patching of) software vulnerabilities, and that those rare circumstances should be decided in the White House rather than NSA.  The argument basically repeats the Review Group’s Recommendation 30:

We recommend that the National Security Council staff should manage an interagency process to review on a regular basis the activities of the US Government regarding attacks that exploit a previously unknown vulnerability in a computer application or system. These are often called “Zero Day” attacks because developers have had zero days to address and patch the vulnerability. US policy should generally move to ensure that Zero Days are quickly blocked, so that the underlying vulnerabilities are patched on US Government and other networks. In rare instances, US policy may briefly authorize using a Zero Day for high priority intelligence collection, following senior, interagency review involving all appropriate departments.

The Review Group added: “We recommend that, when an urgent and significant national security priority can be addressed by the use of a Zero Day, an agency of the US Government may be authorized to use temporarily a Zero Day instead of immediately fixing the underlying vulnerability.”

Clarke and Swire go on to say:

The President, according to a White House statement last week, has decided to accept our recommendation. The Obama administration announced that, with very rare exceptions, when the U.S. government learns of a software vulnerability, it will work with the software companies involved and with users to patch the mistake as quickly as possible.

Clarke and Swire do not link to the White House statement, however, and it was different than they represent.  The “statement” was made by “senior administration officials” to David Sanger of the NYT.  According to Sanger, the officials said (these are his words, not the officials’): “President Obama has decided that when the National Security Agency discovers major flaws in Internet security, it should — in most circumstances — reveal them to assure that they will be fixed, rather than keep mum so that the flaws can be used in espionage or cyberattacks.”  If Sanger’s paraphrase of the USG policy is accurate, then (as I noted at the time) “it implies two important exceptions: (1) not every software vulnerability constitutes a ‘major flaw in Internet security,’ and thus those vulnerabilities that do not rise to that level need not be disclosed, and (2) the phrase ‘in most circumstances’ implies that sometimes the NSA will not reveal even a major flaw in Internet security.”  Moreover, the senior officials also stated that President Obama carved out “a clear national security or law enforcement need.”  These exceptions, taken together, appear to be quite a lot broader than Recommendation 30, which (among other things) presumes that all zero-day vulnerabilities will be disclosed (and not only those that constitute a major flaw in Internet security), and allows exceptions only for an urgent national security priority, not a law enforcement need.

Moreover, I think Sanger in this passage implies that the White House did not accept Recommendation 30:

Another recommendation [by the Review Group] urged the government to make only the most limited, temporary use of what hackers call “zero days,” the coding flaws in software like Microsoft Windows that can give an attacker access to a computer — and to any business, government agency or network connected to it. The flaws get their name from the fact that, when identified, the computer user has “zero days” to fix them before hackers can exploit the accidental vulnerability. . . .

Not surprisingly, officials at the N.S.A. and at its military partner, the United States Cyber Command, warned that giving up the capability to exploit undisclosed vulnerabilities would amount to “unilateral disarmament” — a phrase taken from the battles over whether and how far to cut America’s nuclear arsenal.

“We don’t eliminate nuclear weapons until the Russians do,” one senior intelligence official said recently. “You are not going to see the Chinese give up on ‘zero days’ just because we do.” Even a senior White House official who was sympathetic to broad reforms after the N.S.A. disclosures said last month, “I can’t imagine the president — any president — entirely giving up a technology that might enable him some day to take a covert action that could avoid a shooting war.”

Note, however, that the "senior administration officials" from earlier in the story were not cited in this discussion of Recommendation 30.  And of course Sanger’s story may itself be inaccurate or misleading, and Clarke and Swire may be right about what the White House has actually decided.  There is an easy way to find out.  Sanger or some other journalist can ask “senior administration officials” this question: “Did the President accept or reject Recommendation 30, and with what qualifications?”  I suspect that Sanger did ask that question, and that the officials declined to answer, or declined to answer on the record.