Heartbleed, a serious and historic programming flaw in OpenSSL, left federal officials stalled on legal details and many federal computing systems "_vulnerable for several days longer than necessary_," according to a recent article published on the Federal News Radio website. According to the report, this delay was caused not by federal technologists' inability to fix the issue but by a lack of clarity over whether their team had "_the legal authority_" to proceed.
The article indicates that because of Heartbleed's impact and estimates that it would "_affect up to two-thirds of all Web servers_," technology and security professionals around the globe, including those in federal government agencies, "_scrambled in the hours after to determine whether their systems were subject to the flaw and to patch them if necessary._"
According to the report, unlike the private sector, the federal government must follow a specific protocol before it can act. Unfortunately, inside the walls of the federal government, a quick response is not so easily initiated.
As the article states, the Department of Homeland Security (DHS), responsible for "_protecting civilian agency IT systems_," does not automatically possess the "_clear legal authority to scan other agencies' networks, even though it had the technical ability to do so._" Phyllis Schneck, Deputy Undersecretary for Cybersecurity at DHS, told the Senate Appropriations Committee this week, "_So as fast as we could, we went door-to-door and got a letter of authorization from each agency, working with each lawyer, to make sure that we could scan their systems. That cost us five to six precious days in some cases_," according to her quote in the article. The article further quotes Schneck: "_The whole world knew about this vulnerability and all the information they could capture, while we were lawyering. If we had the clarification in law that this was our role, we would have gotten started a lot faster._"
Read more in the full article about how the response to the Heartbleed flaw played out behind the walls of the federal government and how the Department of Homeland Security aims to deal with situations like these that may come again in the future.