In January 2014, in the midst of the NSA scandal, President Obama decided that the NSA must divulge any undisclosed flaws in Internet security that they were aware of. This means if the NSA is aware of software stack bugs like the recently discovered Heartbleed bug, they must publicly acknowledge the bug so that businesses and other organizations can take steps to ensure the security of their networks and applications.Â But detractors have noted that a major loophole exists in the policy as stated by Obama.Â According to the New York Times:
â€œPresident Obama has decided that when the National Security Agency discovers major flaws in Internet security, it should – in most circumstances – reveal them to assure that they will be fixed, rather than keep mum so that the flaws can be used in espionage or cyberattacks, senior administration officials said Saturday.â€
This means that any flaws that have â€œa clear national security or law enforcementâ€ use can be kept secret and exploited which of course, opens a major loophole in the policy which by all appearances, gives the NSA the nod to continue hiding known holes and defects in application security protocols, as long as they can put those holes to good use. This allows the NSA even more power, beyond that of purposefully weakening commercial encryption systems and building â€œback doorsâ€ in software systems that would make it easier for the agency to crack Internet communications.
Thus far, the White House and NSA have denied that the spy agency had any knowledge of the Heartbleed flaw.