The recent discussion of whether the National Security Agency knew about and exploited the Heartbleed bug demonstrates a larger cybersecurity dilemma. The NSA has two missions: conducting foreign cyber spying operations and protecting key U.S. cyber networks from external breach. In carrying out these missions, there is an inherent tension whenever a vulnerability is discovered. "Zero-day vulnerabilities" are software defects that are unknown before they are exploited. When should they be exposed and eliminated, and when should they be preserved and exploited? Encryption protects privacy and communications security. When, if ever, should the NSA seek to subvert, undermine, or weaken the encryption systems of commercially available software?
- Paul Rosenzweig, former Deputy Assistant Secretary for Policy, U.S. Department of Homeland Security, and Principal, Red Branch Law and Consulting
- Chris Soghoian, Principal Technologist and Senior Policy Analyst, Speech, Privacy and Technology Project, American Civil Liberties Union
- Moderator: Vincent J. Vitkowsky, Partner, Seiger Gfeller Laurie LLP