While President Obama has decided that the National Security Agency should reveal most major flaws it discovers in Internet security, a loophole exists that could allow the agency to exploit flaws for surveillance purposes, The New York Times reported Saturday.
After a three-month review of recommendations made by a presidential task force on how to reform the agency, Obama decided that some flaws could be kept secret in the event of "a clear national security or law enforcement need," senior administration officials told the newspaper.
While the president's decision has never been publicly detailed, the exception came to light Friday when the White House denied a report that it knew of the Heartbleed bug for at least two years, keeping it secret to gather intelligence. The bug, which was introduced into OpenSSL more than two years ago by a developer, allows sensitive data to be scraped from affected servers.
In its denial Friday, the Office of the Director of National Intelligence said it learned of the vulnerability's existence when it was made public in a cybersecurity report last week. The office also said the president's review of the task force's recommendations had led to a "reinvigorated" process for deciding when to publicly disclose vulnerabilities.
"Unless there is a clear national security or law enforcement need, this process is biased toward responsibly disclosing such vulnerabilities," the office said in a statement.
However, the NSA has reportedly spent millions acquiring such flaws. Citing documents leaked by former NSA contractor Edward Snowden, the Washington Post reported last August that for 2013, the NSA allocated $25.1 million for "additional covert purchases of software vulnerabilities" from private malware vendors.
The agency has also been accused of encouraging the creation of such flaws. Snowden documents leaked to Reuters last December indicated that the NSA paid security firm RSA $10 million to implement flaws in its encryption tokens. The company denied that it intentionally provided the agency with backdoors.
An NSA spokesperson declined to comment on the report.