You’ve heard the quip: the N.S.A., “No such agency.” And that was indeed the case when Truman commissioned the N.S.A. Its existence was a secret. White House Special Assistant to the President and Cybersecurity Coordinator, Michael Daniel, recently described the evolution of the N.S.A. and its relationship to cybersecurity in a blog post about when to share information about compromised security protocols. He digs into the complicated risk/benefit balancing the government undertakes when determining whether to make cyber vulnerabilities like Heartbleed public. On the one hand, real and serious concerns about openness, commercial enterprise, and economic growth are at issue. On the other hand, as Daniel explains:
Disclosing a vulnerability can mean that we forego an opportunity to collect crucial intelligence that could thwart a terrorist attack, stop the theft of our nation’s intellectual property, or even discover more dangerous vulnerabilities that are being used by hackers or other adversaries to exploit our networks.
Daniel discusses the multi-disciplinary, multi-agency approach that the White House, the N.S.A. and other key decision-makers employ when deciding whether to share key information. And while the specifics of it are beyond the scope of this post, I’ll summarize briefly. It involves the same risk-based analysis that the FTC, the banking prudential regulators and others recommend. Information security managers, lawyers, and C-suite professionals are going to be looking at information, categorizing it, asking themselves what function it serves in the organization housing it, what risk it poses, and then making decisions about how to secure it and whether to share it. These discussions will become more prevalent, not less. More and more third parties like auditors and law firms will be brought to the table to bring their experience to the fore.
I enjoyed Mr. Daniel’s post not because it lifted the curtain a bit into the decisions made at such a secretive agency, but because it confirmed what I’ve suspected. That is, that information security and disclosure questions are very similar whether you’re making them at the White House or the Waffle House. They are not easy and involve the careful weighing of multiple interests.