This morning I wondered why the USG could not say more about its policy (assuming it had one) on stockpiling v. revealing computer software vulnerabilities. Today two senior administration officials told David Sanger of the NYT that President Obama decided in January that “when the National Security Agency discovers major flaws in Internet security, it should — in most circumstances — reveal them to assure that they will be fixed, rather than keep mum so that the flaws can be used in espionage or cyberattacks.” This statement implies two exceptions: (1) not every software vulnerability constitutes a “major flaw in Internet security,” and thus those vulnerabilities that do not rise to that level need not be disclosed, and (2) the phrase “in most circumstances” implies that sometimes the NSA will not reveal even a major flaw in Internet security. Also, the same officials told Sanger that the President “carved a broad exception for ‘a clear national security or law enforcement need,’” a loophole that Sanger says “is likely to allow the N.S.A. to continue to exploit security flaws both to crack encryption on the Internet and to design cyberweapons.” Sanger also reports that NSC spokeswoman Caitlin Hayden says that “[t]his process is biased toward responsibly disclosing such vulnerabilities.”
It is impossible to tell from the Sanger story whether any of this is a change from prior practice, or whether the President’s January decision will have any effect on NSA capabilities and operations going forward. As Sanger notes, our adversaries will continue to develop or buy vulnerabilities. That fact makes me think that the President’s decision, with its seemingly large exceptions, will have no practical impact. But who knows?