Obama reportedly lets NSA keep some security flaws secret

While saying that most vulnerabilities should be revealed, the White House allows some flaws to be kept secret in the event of "a clear national security or law enforcement need," the New York Times reports.

Steven Musil Night Editor / News
National Security Agency headquarters, Fort Meade, Md. CBS

While President Obama has decided that the National Security Agency should reveal most major flaws it discovers in Internet security, a loophole exists that could allow the agency to exploit flaws for surveillance purposes, The New York Times reported Saturday.

After a three-month review of recommendations made by a presidential task force on how to reform the agency, Obama decided that some flaws could be kept secret in the event of "a clear national security or law enforcement need," senior administration officials told the newspaper.

While the president's decision has never been publicly detailed, the exception came to light Friday when the White House denied a report that it had known of the Heartbleed bug for at least two years and kept it secret to gather intelligence. The bug, a coding error introduced into the OpenSSL library more than two years ago by a developer, lets an attacker read chunks of memory from affected servers, which can contain passwords, session data and private keys.

In its denial Friday, the Office of the Director of National Intelligence said it learned of the vulnerability's existence when it was made public in a cybersecurity report last week. The office also said the president's review of the task force's recommendations had led to a "reinvigorated" process for deciding when to publicly disclose vulnerabilities.

"Unless there is a clear national security or law enforcement need, this process is biased toward responsibly disclosing such vulnerabilities," the office said in a statement.

However, the NSA has reportedly spent millions acquiring such flaws. Citing documents leaked by former NSA contractor Edward Snowden, the Washington Post reported last August that for 2013, the NSA allocated $25.1 million for "additional covert purchases of software vulnerabilities" from private malware vendors.

The agency has also been accused of encouraging the creation of such flaws. Snowden documents leaked to Reuters last December indicated that the NSA paid security firm RSA $10 million to make a flawed random-number generator the default in its encryption software. The company denied that it intentionally provided the agency with backdoors.

An NSA spokesperson declined to comment on the report.