NSA Knew About and Exploited Heartbleed---Unless it Didn't

By Benjamin Wittes
Friday, April 11, 2014, 11:07 PM

The other day, walking out of Aikido class, I was chatting with a friend about Heartbleed. I joked that the latest revelation reminded me of a scene from the classic Martin Scorsese movie, After Hours. In it, the hero, chased by an angry mob, runs up a fire escape, where--by coincidence--he watches a woman shoot her husband in an apartment across the alley. "I'll probably get blamed for that," he says fatalistically. That, I told my friend, is what they must be saying at Fort Meade today. That was Tuesday.

Bloomberg today reported:

The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.

NSA this evening denies it:

"NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report. Reports that say otherwise are wrong," said agency spokeswoman Vanee Vines in a statement after Bloomberg released its story.

As does the DNI:

NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private sector cybersecurity report. Reports that say otherwise are wrong.

Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before April 2014 are wrong. The Federal government was not aware of the recently identified vulnerability in OpenSSL until it was made public in a private sector cybersecurity report. The Federal government relies on OpenSSL to protect the privacy of users of government websites and other online services. This Administration takes seriously its responsibility to help maintain an open, interoperable, secure and reliable Internet. If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL.

When Federal agencies discover a new vulnerability in commercial and open source software---a so-called “Zero day” vulnerability because the developers of the vulnerable software have had zero days to fix it---it is in the national interest to responsibly disclose the vulnerability rather than to hold it for an investigative or intelligence purpose.

In response to the recommendations of the President’s Review Group on Intelligence and Communications Technologies, the White House has reviewed its policies in this area and reinvigorated an interagency process for deciding when to share vulnerabilities. This process is called the Vulnerabilities Equities Process. Unless there is a clear national security or law enforcement need, this process is biased toward responsibly disclosing such vulnerabilities.