Between Heartbleed And Homeland, NSA Treads Cybersecurity Gray Area

Amid controversy over the Heartbleed security bug, the White House clarified how U.S. intelligence agencies must handle such bugs. Bloomberg News cybersecurity reporter Michael Riley explains.

Copyright © 2014 NPR. For personal, noncommercial use only. See Terms of Use. For other uses, prior permission required.

MELISSA BLOCK, HOST:

News of the critical security bug Heartbleed sent people scurrying to change their online passwords last week. Days later came a report from Bloomberg News that the National Security Agency knew about the bug for at least two years, but the NSA denied having knowledge of the Heartbleed bug or exploiting it for their own spying purposes.

Now, the NSA does have an arsenal of software holes and vulnerabilities that it uses to hack computers and gain intelligence. In response to the Bloomberg story, the White House clarified new guidance on how and when U.S. intelligence agencies can take advantage of such flaws and when they must disclose them to software manufacturers and the public.

Here to talk more about this is Michael Riley. He's a cybersecurity reporter for Bloomberg News and Bloomberg Businessweek. Welcome to the studio, Michael.

MICHAEL RILEY: Thank you.

BLOCK: So help us understand just what kind of flaws we're talking about. Describe them.

RILEY: So, basically what happens is hackers use - a central part of hacking as you take unknown flaws - in some cases, known flaws - in computer software, and it allows you basically to break the machine in ways that it doesn't expect. That can give them control over a computer, over really anything that works with the help of a computer chip. But it's a very valuable thing to find something that isn't known to the manufacturer of the software and that can be exploited without anybody else knowing what's going on.

BLOCK: So what's the value of these flaws to the intelligence community? What's known about how they use them?

RILEY: Essentially, it's at the heart of both cyberspying, which the NSA does a lot of and is essential to its mission, as well as what we're moving towards, which is cyberwarfare. These flaws basically are central to allow NSA hackers to break into computers of very high intelligence value. The leadership of Russia, for example, the leadership of Pakistan, they can break into computers of nuclear smugglers. They can break into computers of terrorists. But to do it really stealthily and very carefully these zero days, as they're called, are really at the heart of everything.

BLOCK: And you call this a zero-day flaw. What exactly does that mean?

RILEY: It's a hacker term. It refers to there have been zero days since the attack that the flaw was used in and its disclosure. Simply it means that this is a flaw that nobody, including the manufacturer of the software, was aware of.

BLOCK: So what does the White House directive say about how the NSA and other intelligence agencies actually use these so-called zero day flaws?

RILEY: Essentially, the White House is building off of a recommendation that comes from a presidential panel that looked at what the NSA does and how it works after the Snowden leaks. The recommendation suggested that those zero day flaws, the stockpile that already exists and new flaws that are developed be used only for a very brief period if at all, and then disclosed so that they can help improve the computer security of everyone. Because, essentially, these are holes that not only the NSA could use, but other hackers could use, other intelligence agencies and other criminals.

BLOCK: What was the response from the tech community? I mean, is this actually seen as a fundamental change?

RILEY: You know, it's - there's one big loophole in this new guidance. Basically, they've handed the problem back to the NSA and said, all right, we want you to try and bias this process towards disclosure. In other words, rather than keep a hoard of these stockpiles, you should look at them all and decide to disclose most, if you can.

The one exception is don't disclose flaws if they're really important for national security purposes or law enforcement purposes. It's going to be a very difficult thing to unpack because basically any of the flaws that the NSA's elite cyber units have could essentially be justified for national security purposes.

What they do is hack into computers to steal intelligence that's really important to the U.S., but they use this tool kit, so to speak, of flaws and they're all kind of interconnected. It's not clear sort of how the process is going to resort from here but essentially they've given this problem to the new director of NSA, Admiral Mike Rogers.

AUDIE CORNISH, HOST:

And so, what's been the response within the intelligence community? You reported that they're saying there's going to be some challenges in complying with this new guidance.

RILEY: Absolutely. I mean, this has a created a good deal of debate. Although it wasn't the most widely known of the panel recommendations, it was the most controversial within the intelligence community, or one of them certainly. And that's because these zero days are so at the heart of what they do. I've talked to people in the intelligence community who talk about this as a sort of unilateral disarmament. Because even if we stopped using these laws or disclose the ones we found, other countries that do this - China, Russia, Israel, France - are not going to do this. And it will really change the way that this intelligence is gathered and make it slower, more detectable, less efficient. All sorts of problems that if you're an agency like the NSA and your job is to get this intelligence, you're really not very happy about.

CORNISH: Michael Riley, he's the cybersecurity reporter for Bloomberg News and Bloomberg Businessweek. Thanks so much for coming to speak with us.

RILEY: You bet.

Copyright © 2014 NPR. All rights reserved. No quotes from the materials contained herein may be used in any media without attribution to NPR. This transcript is provided for personal, noncommercial use only, pursuant to our Terms of Use. Any other use requires NPR's prior permission. Visit our permissions page for further information.

NPR transcripts are created on a rush deadline by a contractor for NPR, and accuracy and availability may vary. This text may not be in its final form and may be updated or revised in the future. Please be aware that the authoritative record of NPR's programming is the audio.

Comments

 

Please keep your community civil. All comments must follow the NPR.org Community rules and terms of use, and will be moderated prior to posting. NPR reserves the right to use the comments we receive, in whole or in part, and to use the commenter's name and location, in any medium. See also the Terms of Use, Privacy Policy and Community FAQ.