When news first broke of the devastating Heartbleed bug in the OpenSSL encryption standard, speculation immediately arose that governments had known about the flaw and taken advantage of it for their own surveillance efforts. A new report from Bloomberg claims that the US National Security Agency has been exploiting Heartbleed for at least two years.
An NSA spokesperson declined to comment to Bloomberg on the allegations.
Update: The NSA has issued a statement on Twitter.
Statement: NSA was not aware of the recently identified Heartbleed vulnerability until it was made public.
— NSA/CSS (@NSA_PAO) April 11, 2014
While the report lacks any hard evidence that the NSA did indeed know about the issue, OpenSSL would have been one of the agency’s primary targets because of its broad reach and the sensitive information it protects. Intelligence agencies have been said to hunt for and even purchase software bugs that can be used in their efforts.
For what it’s worth, the developer responsible for the bug has denied putting it there on purpose and disavowed any connection with the NSA.
As Bloomberg points out, any decision on the NSA’s part to leave such a critical component of the Internet unprotected would have undermined its efforts to defend and protect the citizens it serves.
Update 2: The National Security Council has also issued a denial:
Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before April 2014 are wrong. The Federal government was not aware of the recently identified vulnerability in OpenSSL until it was made public in a private sector cybersecurity report. The Federal government relies on OpenSSL to protect the privacy of users of government websites and other online services. This Administration takes seriously its responsibility to help maintain an open, interoperable, secure and reliable Internet. If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL.
When Federal agencies discover a new vulnerability in commercial and open source software – a so-called “Zero day” vulnerability because the developers of the vulnerable software have had zero days to fix it – it is in the national interest to responsibly disclose the vulnerability rather than to hold it for an investigative or intelligence purpose.
In response to the recommendations of the President’s Review Group on Intelligence and Communications Technologies, the White House has reviewed its policies in this area and reinvigorated an interagency process for deciding when to share vulnerabilities. This process is called the Vulnerabilities Equities Process. Unless there is a clear national security or law enforcement need, this process is biased toward responsibly disclosing such vulnerabilities.
➤ NSA Said to Have Used Heartbleed Bug, Exposing Consumers [Bloomberg]