By now, even casual Internet users may have received a message from at least one website encouraging them to change their passwords in the wake of the Heartbleed encryption flaw.
As troubling as the news of a major Internet security hole was, however, more troubling still was the allegation that the U.S. government’s security apparatus knew about the breach and kept the information to itself. The obvious question is: Does “NSA” stand for the National Security Agency - or the National Surveillance Agency?
If initial reports that the NSA knew about Heartbleed for years are true, the agency has given us the answer.
Last week, Bloomberg reported that two people familiar with the matter claimed that the NSA knew about the Heartbleed flaw at least two years prior to its public exposure. The anonymous sources alleged that the agency decided to keep the bug secret in pursuit of national security interests.
National Security Council Spokeswoman Caitlin Hayden responded to the Bloomberg report with a strong denial. In a statement, she said, “Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before April 2014 are wrong.” She also insisted that, had the intelligence community known about the bug, it would have disclosed that knowledge to the developers of OpenSSL, the widely used open-source cryptographic software library affected by Heartbleed. The NSA, too, issued a statement directly denying that it knew about the security flaw.
These denials would have been much easier to take at face value if they had come prior to Edward Snowden’s disclosures and the subsequent fallout, in which evidence mounted that the NSA had significantly overstepped its bounds.
As Julian Sanchez, writing for The Guardian, recently observed, the “NSA’s two fundamental missions - one defensive, one offensive - are fundamentally incompatible, and… they can’t both be handled credibly by the same government agency.”
If the NSA did know about Heartbleed, the agency presumably could have used the flaw to obtain passwords and other basic data, Bloomberg said. Such a decision would have prioritized intelligence gathering - offense - above the defense of millions of innocent and nonhostile Internet users in America and the rest of the world. The fact that we place our digital security in the hands of an agency that spends much of its time cracking such security is worrying, whether or not the NSA mishandled Heartbleed. The agency’s inherently conflicting mandates helped give the Bloomberg report its initial credibility.
You would think that our toughest enemies use a higher level of security than a site like Pinterest. But if it turns out the NSA did not call attention to this gaping hole in a security protocol used by countless people here and elsewhere, the agency clearly put its own data-gathering priorities ahead of the commercial safety of the industrialized world. If that is what happened, Americans need to know about it.
As best we can tell, no criminal groups seem to have discovered the flaw in time to massively exploit it. But that was good luck, not good governance. While we are busy changing our passwords, we should also keep a close eye on our government’s ongoing response. The intelligence community may truly not have known about Heartbleed before the rest of us, but it has given Americans ample reason to take claims of its innocence with a healthy dose of skepticism.