“I understand the need for the government to protect sources and methods of how they may have collected some of this information, some of this actionable intelligence,” said Shawn Henry, former executive assistant director of the FBI’s Criminal, Cyber, Response and Services Branch. “But U.S. corporations arguably have the most valuable intellectual property anywhere in the world, and that’s being systematically stolen.
“So the actionable intelligence that the government has — there’s a lot more of it to be shared with the private sector to make them safer.”
The government’s lack of information-sharing with companies was spotlighted last month in a report about the Heartbleed bug, a security flaw that allowed hackers to steal computer users’ passwords and other data.
The National Security Agency had known about Heartbleed for two years before private researchers discovered and repaired it in April, Bloomberg News reported. The NSA used the flaw to exploit computer networks and gain intelligence at the expense of businesses, Bloomberg reported.
Reports about Heartbleed compelled thousands of computer users to change their passwords, the Canadian government to suspend electronic tax filings, and computer companies such as Cisco Systems and Juniper Networks to provide patches to repair their systems.
Intelligence agencies’ ability to conduct covert operations conflicts with businesses’ need to protect online assets and customer data, said Ashkan Soltani, an independent cybersecurity consultant.
“[This issue] highlights the problematic ‘dual missions’ of the NSA,” Mr. Soltani said in an email. “The NSA’s ‘Information Assurance’ division is tasked to defend the nation’s infrastructure and identify/patch vulnerabilities like Heartbleed that would do our infrastructure harm.
“The intelligence directorate’s offensive mission stockpiles these sorts of vulnerabilities in order to attack our adversaries — all the while leaving our unpatched systems exposed. Definitely a conflict of interest and one that’s problematic given that U.S. citizens rely on the same sorts of systems our adversaries do.”
Soon after the Bloomberg report, the Office of the Director of National Intelligence issued a statement denying that the intelligence community had known about the Heartbleed flaw. It said whenever the NSA uncovers a virus or flaw, it’s in the national interest to disclose the vulnerability rather than keep it secret.
However, the White House has said any online vulnerability should be disclosed unless “there is a clear national security or law enforcement need” to keep it under wraps.
Jonathan Katz, director of the Maryland Cybersecurity Center at the University of Maryland, said private companies should understand the occasional need for law enforcement agencies not to disclose information immediately, such as during an operation that exploits a vulnerability to catch a hacker, when revealing the flaw would expose the investigation.
But in light of Heartbleed and concern about other threats that authorities haven’t disclosed, the government “needs to regain the people’s trust and they have to work harder at convincing the private sector that their interests are aligned,” Mr. Katz said.
The FBI says it “routinely shares information” about cyberthreats with the private sector.