Confirmed: the NSA doesn't have to tell us when it finds security flaws like Heartbleed

The most controversial aspect of the rapidly developing story of Heartbleed – possibly the greatest security vulnerability in the history of the Internet – is the assertion made in a Bloomberg News report that the National Security Agency learned about the problem soon after it was introduced… but kept the knowledge to itself, leaving the American people exposed to a glitch that could compromise passwords and personal information on hundreds of thousands of websites, because the NSA wanted to exploit Heartbleed for its own cyber-warfare purposes.

Bloomberg News stated that the NSA did do this, but the agency strongly denies it.  Now we learn, courtesy of the New York Times, that it’s certainly possible for the NSA to keep a security threat like Heartbleed secret… because President Obama specifically gave them permission to do so.

Stepping into a heated debate within the nation’s intelligence agencies, President Obama has decided that when the National Security Agency discovers major flaws in Internet security, it should — in most circumstances — reveal them to assure that they will be fixed, rather than keep mum so that the flaws can be used in espionage or cyberattacks, senior administration officials said Saturday.

But Mr. Obama carved a broad exception for “a clear national security or law enforcement need,” the officials said, a loophole that is likely to allow the N.S.A. to continue to exploit security flaws both to crack encryption on the Internet and to design cyberweapons.

The White House has never publicly detailed Mr. Obama’s decision, which he made in January as he began a three-month review of recommendations by a presidential advisory committee on what to do in response to recent disclosures about the National Security Agency.

Supposedly there is a “bias” in favor of disclosing security vulnerabilities when the NSA finds them, but the agency still has discretion to keep the really good stuff to itself.  One official said the notion of asking American cyber-war experts to put all their cards on the table immediately, while hostile hacker-happy powers such as China do it, would be comparable to unilateral nuclear disarmament.  

The White House continues to deny that the NSA knew about Heartbleed before the rest of America got the bad news a couple of weeks ago.  It’s interesting that President Obama’s secretive orders making it possible for the intelligence community to keep Internet security bugs under its hat were only revealed in the context of insisting that on this particular, potentially catastrophic occasion, the exemption was not invoked.