NSA Reportedly Exploited Heartbleed For Spying — But Strongly Denies the Allegation

Because the agency hasn’t already reportedly done enough.

National Journal
Matt Berman and Dustin Volz
Add to Briefcase
See more stories about...
Matt Berman and Dustin Volz
April 11, 2014, 11:20 a.m.

When it bleeds, it pours.

The Na­tion­al Se­cur­ity Agency re­portedly knew of and ex­ploited the massive In­ter­net bug re­vealed to the pub­lic this week and known now as “Heart­bleed” in or­der to gath­er in­tel­li­gence in­form­a­tion on tar­gets.

This new rev­el­a­tion packs an ex­tra twist that oth­er re­cent NSA leaks have lacked: Re­gard­less of its pur­pose for in­tel­li­gence gath­er­ing, the NSA may have known for years about a his­tor­ic se­cur­ity flaw that may have af­fected up to two-thirds of the In­ter­net. In­stead of try­ing to re­pair that flaw—which has po­ten­tially im­pacted count­less people—the NSA re­portedly ma­nip­u­lated it in secret.

“Put­ting the Heart­bleed bug in its ar­sen­al, the NSA was able to ob­tain pass­words and oth­er ba­sic data that are the build­ing blocks of the soph­ist­ic­ated hack­ing op­er­a­tions at the core of its mis­sion, but at a cost,” Bloomberg first re­por­ted Fri­day, cit­ing two people “fa­mil­i­ar” with the mat­ter. “Mil­lions of or­din­ary users were left vul­ner­able to at­tack from oth­er na­tions’ in­tel­li­gence arms and crim­in­al hack­ers.”

In a state­ment late Fri­day af­ter­noon, the NSA denied the Bloomberg re­port. “NSA was not aware of the re­cently iden­ti­fied vul­ner­ab­il­ity in OpenSSL, the so-called Heart­bleed vul­ner­ab­il­ity, un­til it was made pub­lic in a private-sec­tor cy­ber­se­cur­ity re­port,” said agency spokes­wo­man Vanee Vines. “Re­ports that say oth­er­wise are wrong.”

In a fol­low-up state­ment, NSC Spokes­per­son Caitlin Hay­den said that the Obama ad­min­is­tra­tion “takes ser­i­ously its re­spons­ib­il­ity to help main­tain an open, in­ter­op­er­able, se­cure and re­li­able In­ter­net. If the Fed­er­al gov­ern­ment, in­clud­ing the in­tel­li­gence com­munity, had dis­covered this vul­ner­ab­il­ity pri­or to last week, it would have been dis­closed to the com­munity re­spons­ible for OpenSSL.”

Un­like pre­vi­ous state­ments about al­leged NSA activ­it­ies, the state­ments made by the NSA and White House today are defin­it­ive, with little room for dif­fer­ing in­ter­pret­a­tions.

The Heart­bleed bug was re­vealed pub­licly for the first time earli­er this week, and has been de­scribed by nu­mer­ous cy­ber­se­cur­ity ex­perts as one of the worst se­cur­ity glitches the web has ever en­countered. Heart­bleed is caused by a minor two-year-old flaw in soft­ware cod­ing of a pro­gram known as OpenSSL that is meant to provide ex­tra pro­tec­tion to web­sites.

Con­sid­er­able at­ten­tion has been paid to Heart­bleed’s po­ten­tial use by crim­in­al hack­ers to col­lect war chests filled with on­line pass­words, per­son­al in­form­a­tion and bank­ing data, but it re­mains un­clear wheth­er any such bad act­ors knew of or ex­ploited it pri­or to its dis­clos­ure. A fix was rolled out five days ago, but con­cerns per­sist that much of the In­ter­net’s se­cur­ity has been com­prom­ised.

Some In­ter­net free­dom and pri­vacy groups began spec­u­lat­ing that in­tel­li­gence agen­cies may have ex­ploited Heart­bleed for sur­veil­lance pur­poses shortly after news of the bug broke earli­er this week. The Elec­tron­ic Fron­ti­er Found­a­tion sug­ges­ted earli­er ex­ploit­a­tions of the bug de­tec­ted in Novem­ber of last year “makes a little more sense for in­tel­li­gence agen­cies than for com­mer­cial or life­style mal­ware.”

Earli­er Fri­day, the De­part­ment of Home­land Se­cur­ity is­sued guid­ance on Heart­bleed, say­ing that “every­one has a role to play to en­sur­ing [sic] our na­tion’s cy­ber­se­cur­ity.”

This post was up­dated Fri­day af­ter­noon after the NSA state­ment was re­leased.

What We're Following See More »
INCLUDES WAIVER FOR MATTIS
Congress Releases Stopgap Funding Bill
2 minutes ago
THE DETAILS

"Congressional negotiators released a stopgap spending bill Tuesday night to avert a partial government shutdown at midnight Friday and to fund federal agencies and programs through April 28." The 70-page continuing resolution includes $170 million to aid Flint, Michigan's water supply, and a waiver that would allow Ret. Gen. James Mattis to assume the role of secretary of Defense.

Source:
INTERSTATE COMPACT GAINING TRACTION
Democrats Explore Electoral College Changes
8 minutes ago
WHY WE CARE

"A number of Capitol Hill Democrats have revived proposals to reform or abolish the Electoral College," chief among Michigan's John Conyers, who "held a panel on Capitol Hill Tuesday to discuss options for eliminating the Electoral College and replacing it with a system where a national popular vote elects the president. ... The plan with the most support to reform the election college at the panel was the National Popular Vote Interstate Compact, a proposal first developed in 2001 that would give the national popular vote winner the majority of electoral college votes through an agreement between the states."

Source:
EFFORT LIKELY TO DIE IN COMMITTEE
Jordan Can’t Force a Floor Vote on Impeaching Koskinen
13 hours ago
THE LATEST
House Freedom Caucus Chairman Jim Jordan attempted to force a floor vote on impeaching IRS Commissioner John Koskinen, but "the House voted overwhelmingly to refer it to the Judiciary Committee. ... The committee will not be required to take up the resolution." Earlier, House Minority Leader Nancy Pelosi "made a motion to table the resolution, which the House voted against by a 180-235 margin, mostly along party lines."
Source:
AFTER THE VOTE FOR SPEAKER
Ryan: No Committee Assignments Until New Year
18 hours ago
THE DETAILS

House Speaker Paul Ryan has decreed that House members "won’t receive their committee assignments until January — after they cast a public vote on the House floor for speaker. "The move has sparked behind-the-scenes grumbling from a handful of Ryan critics, who say the delay allows him and the Speaker-aligned Steering Committee to dole out committee assignments based on political loyalty rather than merit or expertise." The roll call to elect the speaker is set for Jan. 3, the first vote of the new Congress.

Source:
EXPECTED TO FUND THE GOVERNMENT THROUGH SPRING
Funding Bill To Be Released Tuesday
1 days ago
THE LATEST

House Majority Leader Kevin McCarthy told reporters on Monday that the government funding bill will be released on Tuesday. The bill is the last piece of legislation Congress needs to pass before leaving for the year and is expected to fund the government through the spring. The exact time date the bill would fund the government through is unclear, though it is expected to be in April or May.

Source:
×
×

Welcome to National Journal!

You are currently accessing National Journal from IP access. Please login to access this feature. If you have any questions, please contact your Dedicated Advisor.

Login