NSA isn't required to report all security flaws

With the Heartbleed bug causing havoc and Dropbox users jumping ship, it’s been another week in which data security and privacy have been making headlines. Now the New York Times has shed light on the NSA’s responsibilities when it comes to security flaws like Heartbleed: the agency must report any vulnerabilities that it finds, unless there is “a clear national security or law enforcement need” to keep them hidden.

Stepping into a heated debate within the nation’s intelligence agencies, President Obama has decided that when the National Security Agency discovers major flaws in Internet security, it should — in most circumstances — reveal them to assure that they will be fixed, rather than keep mum so that the flaws can be used in espionage or cyberattacks, senior administration officials said Saturday. But Mr. Obama carved a broad exception for “a clear national security or law enforcement need,” the officials said, a loophole that is likely to allow the N.S.A. to continue to exploit security flaws both to crack encryption on the Internet and to design cyberweapons.
