WASHINGTON — In a rare insight into the government’s thinking on the use of cyberweapons, the White House on Monday published a series of questions it asks in deciding when to make public the discovery of major flaws in computer security or whether to keep them secret so that American intelligence agencies can use them to enable surveillance or an attack.
The discussion came not in a presidential policy directive or a speech, like the kind President Obama gave when describing the criteria for conducting drone attacks, but in a blog post on the White House website. The item was posted by Michael Daniel, the White House cybersecurity coordinator, and appeared to be distilled from a far more detailed classified document giving guidance to the National Security Agency, the F.B.I. and others who often exploit flaws in Internet security.
Mr. Daniel repeated the N.S.A.’s declaration several weeks ago that “we had no prior knowledge of the existence of Heartbleed,” a security vulnerability that created widespread fears that passwords or other delicate information transmitted by millions of computer users may have been revealed. But he acknowledged that the Heartbleed incident had cast a light on a balancing test the White House has until now declined to discuss in any detail: When should the government reveal flaws that it discovers, and when should it use them for its still-unacknowledged “stockpile” of flaws that would help it penetrate foreign computer networks?