NSA Exploited Heartbleed for Own Use
White House denial highlights 'fundamentally flawed' dual mission of government spy agency
Not only did the NSA know about the Heartbleed internet bug—found to have exposed the sensitive information of countless web users—but they exploited it for their own intelligence gathering purposes for years, sources charge.
Bloomberg News reported late Friday that the agency found Heartbleed shortly after its introduction in early 2012, according to a person "familiar with the matter," and rather than reporting or repairing the flaw, the NSA adopted it as "a basic part of they agency's toolkit for stealing account passwords and other common tasks."
Heartbleed, believed to be one of the biggest flaws in the Internet's history, is a vulnerability in OpenSSL protocol, which is used to encrypt communications between users and websites. The bug makes those supposedly secure sites an "open book," Bloomberg explains. The existence of Heartbleed was first made public on April 7.
By adding Heartbleed to their arsenal—as a means of obtaining passwords and other secure information—critics say the agency not only furthered their own controversial practice of stockpiling user information but they left vulnerable millions of users against outside attack.
After the allegations surfaced, the White House denied that they knew about Heartbleed prior to April 2012.
Regardless, Bloomberg's sources note that, in addition to Heartbleed, the NSA currently "has a trove of thousands of such vulnerabilities that can be used to breach some of the world’s most sensitive computers."
The incident highlights what many are saying are the "fundamentally incompatible" dual missions of the agency: securing cyber-infrastructure and gathering foreign intelligence.
"Ordinary Internet users are ill-served by the arrangement because serious flaws are not fixed, exposing their data to domestic and international spy organizations and criminals," John Pescatore, director of emerging security trends at a cyber-security training firm, the SANS Institute, told Bloomberg.
Fred Cate, director of Indiana University's Center for Applied Cybersecurity Research, wrote in October 2013:
Privacy and security advocates have long worried that in pursuit of the latter, increasingly dominant mission, the agency would learn about software and other vulnerabilities and rather than disclose or attempt to fix them, the agency would exploit them, thus compromising the former mission.
“The president has identified cyber threats as among the most critical dangers facing the nation,” added Cate. “Yet it is hard to take this claim too seriously when key responsibility for fighting those threats is given to the agency with the most to gain by hiding and exploiting them.”
Warning of this such abuse, in December 2013, President Obama's NSA review panel said the White House should not "undermine efforts to create encryption standards" and not "subvert, undermine, weaken or make vulnerable" commercial security software.
And as Julian Sanchez, founding editor of the Just Security blog, adds: "It's time to create an organization that's fully devoted to safeguarding the security of Internet users – even if that might make life harder for government hackers."