NSA Denies Prior Knowledge of Heartbleed Bug
The National Security Agency has denied that it knew about, and exploited, the much-feared Heartbleed bug for two years without informing anyone. The unequivocal denial comes after a Bloomberg News report alleged that the spy agency used the security vulnerability to collect data.
Unfortunately for the NSA, it reflects badly on the agency whether it did actually know or was just as unaware as everyone else.
Bloomberg's Report
Bloomberg News published a report on Friday accusing the NSA of knowing about the Heartbleed bug and using that knowledge to gain the upper hand over tech companies in order to access private data with ease.
"Heartbleed" is the name given by security researchers to a flaw in OpenSSL, a widely used open-source library that implements the SSL/TLS protocols securing much of the web. It was disclosed earlier this week by a Finnish security firm and has had internet technology companies scrambling to protect the potentially millions of usernames, passwords, payment details and other personal records that, it turns out, have been exposed to attackers for two years. The flaw lets an attacker read chunks of a server's memory, which can include the server's private keys -- the "crown jewels" of the secure internet -- as well as the session data of millions of users.
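What the flaw actually is, shown as an added example rather than the article's or OpenSSL's own code: a simplified model of a TLS heartbeat handler in which the peer-supplied payload length is trusted (the defect, CVE-2014-0160) beside the bounds check that the fix introduced. The memory layout, the 20-byte request and the "secret" string are constructed for the demonstration and do not come from any real capture.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example: a simplified model of TLS heartbeat handling, not OpenSSL's code.
 * Wire layout of a heartbeat message: type (1 byte), payload_length (2 bytes,
 * big-endian), payload, then at least 16 bytes of padding. */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_HDR = 3, HB_PADDING = 16 };
#define HB_MAX_RESPONSE (HB_HDR + 65535 + HB_PADDING)

/* Process one heartbeat request at 'rec'; 'rec_len' is the number of bytes that
 * actually arrived in the record. Writes the reply to 'out' (at least
 * HB_MAX_RESPONSE bytes) and returns its length, or -1 when the request is rejected.
 * check_bounds == 0 models the defect: the length claimed by the peer is trusted,
 * so memcpy reads 'payload' bytes starting in the record and continuing into
 * whatever memory follows it. check_bounds == 1 adds the checks the fix added. */
static long process_heartbeat(const unsigned char *rec, size_t rec_len,
                              unsigned char *out, int check_bounds)
{
    if (check_bounds && rec_len < HB_HDR + HB_PADDING)
        return -1;                         /* too short to carry a header and padding */

    unsigned char hbtype = rec[0];
    size_t payload = ((size_t)rec[1] << 8) | rec[2];   /* peer-controlled */

    if (hbtype != HB_REQUEST)
        return -1;

    if (check_bounds && HB_HDR + payload + HB_PADDING > rec_len)
        return -1;                         /* the fix: claimed length must fit the record */

    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + HB_HDR, rec + HB_HDR, payload);   /* over-read when unchecked */
    memset(out + HB_HDR + payload, 0, HB_PADDING); /* real code fills random padding */
    return (long)(HB_HDR + payload + HB_PADDING);
}

/* Constructed demo memory (not a real capture): a 20-byte request (1 payload byte
 * plus 16 padding) followed by a secret that happens to sit near it on the heap. */
#define MEM_SIZE 1024
#define SECRET_OFFSET 64
static const char SECRET[] = "-----BEGIN RSA PRIVATE KEY-----";

static void build_memory(unsigned char *mem, uint16_t claimed_payload_len)
{
    memset(mem, 'A', MEM_SIZE);
    mem[0] = HB_REQUEST;
    mem[1] = (unsigned char)(claimed_payload_len >> 8);
    mem[2] = (unsigned char)(claimed_payload_len & 0xff);
    mem[3] = 'X';                                        /* the one real payload byte */
    memcpy(mem + SECRET_OFFSET, SECRET, sizeof SECRET);  /* neighbouring secret */
}

/* Vulnerable path: claims 512 bytes, record is really 20. Returns 1 if SECRET leaks. */
int demo_leaks_secret(void)
{
    unsigned char mem[MEM_SIZE], out[HB_MAX_RESPONSE];
    build_memory(mem, 512);
    long n = process_heartbeat(mem, 20, out, 0);
    /* out[HB_HDR + k] mirrors mem[HB_HDR + k], so the secret lands at the same offset */
    return n == HB_HDR + 512 + HB_PADDING &&
           memcmp(out + SECRET_OFFSET, SECRET, sizeof SECRET) == 0;
}

/* Hardened path on the same malicious request: returns 1 if it is rejected. */
int demo_hardened_rejects(void)
{
    unsigned char mem[MEM_SIZE], out[HB_MAX_RESPONSE];
    build_memory(mem, 512);
    return process_heartbeat(mem, 20, out, 1) == -1;
}

/* Hardened path on an honest request (claims 1 byte, record is 20): response length. */
long demo_valid_request_len(void)
{
    unsigned char mem[MEM_SIZE], out[HB_MAX_RESPONSE];
    build_memory(mem, 1);
    return process_heartbeat(mem, 20, out, 1);   /* 3 + 1 + 16 = 20 */
}
```

With the check disabled, the reply carries whatever happened to follow the record in memory; with it in place the same request is refused while an honest one is still answered. That is the entire bug: a missing comparison between a length the client claimed and the length that actually arrived, repeated by an attacker as often as needed to sweep through server memory.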
So when the Bloomberg report, citing "two people familiar with the matter," asserted that the NSA knew about Heartbleed for two years "and regularly used it to gather critical intelligence," that was a serious charge.
The report further said that the U.S. digital spying agency had "more than 1,000 experts devoted to ferreting out such flaws using sophisticated analysis techniques, many of them classified." According to Bloomberg, the NSA discovered Heartbleed "shortly after its introduction," and made it a "basic part of the agency's toolkit for stealing account passwords and other common tasks."
NSA Denies Knowledge of Heartbleed
The agency responded to Bloomberg's report with a flat, unequivocal denial that it had prior knowledge of the OpenSSL vulnerability. "NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cyber security report," said NSA spokesperson Vanee Vines, after Bloomberg published its report. "Reports that say otherwise are wrong."
The NSA went further, according to NPR, emphasizing that OpenSSL is used on federal government websites and online systems -- making the point that having prior knowledge and not reporting it, even within the government, for two years would have been against the interests of national security:
"If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL ... this process is called the Vulnerabilities Equities Process. Unless there is a clear national security or law enforcement need, this process is biased towards responsibly disclosing such vulnerabilities."
Damned If It Did, Damned If It Didn't
Putting questions of Bloomberg's accuracy aside (for now), it is not unreasonable to suspect that the NSA might have known about the vulnerability. Previous reports, based on top-secret documents leaked by Edward Snowden, revealed that the NSA deliberately worked to weaken security standards and build "backdoors" into other systems.
In any case, the NSA is bound to look bad whether or not it knew about Heartbleed. If it did know, and exploited the flaw to collect data, it would mean the agency left the entire internet, including federal systems, exposed for two years in favor of its own collection priorities. That would likely do permanent damage to whatever cooperation the agency still enjoys from the technology industry.
But if the NSA didn't know until the rest of us found out this week, that calls into question the agency's technical ability to uncover and fix fundamental national cybersecurity vulnerabilities -- or at least its priorities in doing so.