Rights group the Electronic Frontier Foundation has filed a Freedom of Information Act (FOIA) lawsuit against the NSA after it failed to reveal how it decides which zero day vulnerabilities to disclose.
The EFF FOIA request – which was also directed at the Office of the Director of National Intelligence (ODNI) – aimed to clarify the facts of a Bloomberg report back in April.
That report claimed that the NSA knew about the now infamous Heartbleed bug for two years, using it to exploit target systems and gather intelligence.
The report cited two people “familiar with the matter” as its source, but after declining to comment, the NSA then said it was not aware of the vulnerability prior to its public disclosure.
White House cybersecurity co-ordinator Michael Daniel was even more emphatic.
“One thing is clear: This administration takes seriously its commitment to an open and interoperable, secure and reliable Internet, and in the majority of cases, responsibly disclosing a newly discovered vulnerability is clearly in the national interest. This has been and continues to be the case,” he wrote in a blog post.
“Building up a huge stockpile of undisclosed vulnerabilities while leaving the Internet vulnerable and the American people unprotected would not be in our national security interest.”
He did, however, claim that withholding knowledge of a specific vulnerability could have benefits, for example providing “an opportunity to collect crucial intelligence that could thwart a terrorist attack stop the theft of our nation’s intellectual property”.
Despite receiving an assurance from the ODNI that it would expedite the EFF’s request, the rights group has so far not been handed any of the documents it requested nearly two months ago.
"This FOIA suit seeks transparency on one of the least understood elements of the US intelligence community's toolset: security vulnerabilities," EFF Legal Fellow Andrew Crocker said in a statement. "These documents are important to the kind of informed debate that the public and the administration agree needs to happen in our country."
Philip Lieberman, president of Lieberman software, argued that the EFF would be better served pressuring “repressive regimes” that use undisclosed vulnerabilities to target the West.
“This enters the space of sovereign rights of countries to use technology to advance a country’s interests for the ‘greater good’ of all their citizens,” he told Infosecurity.
“EFF certainly has the right to ask the question of the US Government, but they are being incredibly naïve by not considering the reality that other governments have the same methods and similar policies when it comes to zero-day vulnerabilities.”
Charles Sweeney, CEO of web filtering firm Bloxx, took a more positive tone.
“With its filing the EEF is probably hoping to capitalize on a political rhetoric in Washington that has conceded there needs to more transparency into how intelligence agencies operate,” he told Infosecurity.
“However in reality, whilst the zero day disclosure process isn’t all that ethical, this filing isn’t going to change much. But what it might do is kick start a debate that leads to greater collaboration between corporate and intelligence agencies in the future.”
Alert Logic VP of research and intelligence, Will Semple, argued that governance and trust lie at the heart of the issue.
Governance on the use of zero day vulnerabilities by governments and trust that they won't abuse the capability," he told Infosecurity. "There is also the reality that foreign nations and criminal groups will be carrying out the same research and activity with zero day vulnerabilities."