Looks like maybe the NSA did know about Heartbleed ...

Yesterday, writing about the Heartbleed bug, which affects any system running a vulnerable build of OpenSSL (versions 1.0.1 through 1.0.1f; that includes Web sites, routers, iPhones ... it's a long list), I wrote:

What I find so interesting about this vulnerability is that government agencies such as the NSA must have known about the flaw and said nothing to the world at large. You doubt this? Just think, if you're in signals intelligence and you find out about a way to extract information from supposedly secure systems in a way that is undetectable, aren't you going to use it and keep quiet about it?! And if the NSA didn't know about Heartbleed then they should all be fired for incompetence.

Well, it turns out, according to unnamed sources who spoke to Bloomberg, that the NSA did indeed know about the bug. Moreover, the agency is said to have known about it for two years!


Since the whole NSA brouhaha erupted following Snowden's revelations, I've been surprised to find that people seem generally naive about the organization's mission and methods. In case you've missed my previous comments on this topic, allow me to reiterate: the US National Security Agency was founded in 1952 to do signals intelligence, which Wikipedia defines as:

... intelligence-gathering by interception of signals, whether between people ("communications intelligence", or COMINT) or from electronic signals not directly used in communication ("electronic intelligence", or ELINT), or a combination of the two. As sensitive information is often encrypted, signals intelligence often involves the use of cryptanalysis. Also, traffic analysis, the study of who is signaling whom and in what quantity, can often produce valuable information, even when the messages themselves cannot be decrypted.

Snowden's revelations were surprising only insofar as they revealed the range of the NSA's activities and its apparent willingness to cross legal boundaries without rigorous privacy safeguards. That the agency was able to collect so much data and mine it is something that, given its mission, should be admired, although the expense is hard to justify given how little impact its intelligence appears to have made in "the war on terror."

Be that as it may, as an agency tasked with protecting the interests of the United States, the NSA ought to rank something like the Heartbleed bug alongside real-world threats such as terrorist plots. Heartbleed will cost the economy billions of dollars and damage confidence in the safety of online business.

Responding to the charge that the NSA knew about Heartbleed, White House national security spokeswoman Caitlin Hayden said:

Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before April 2014 are wrong. This administration takes seriously its responsibility to help maintain an open, interoperable, secure and reliable Internet.

If the federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL.

Should the allegations be shown to be true then the NSA and the administration have some serious explaining to do.

Do you think the NSA knew? 'Splain below, then follow me on Twitter, App.net, and Facebook.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.