Google Knew About Heartbleed and Didn’t Tell the Government

Federal systems remained vulnerable to hackers even after researchers identified the bug.

The Heartbleed logo provided through heartbleed.com 
National Journal
Brendan Sasso
April 14, 2014, 11:31 a.m.

Google knew about a critical flaw in Internet security, but it didn’t alert anyone in the government.

Neel Mehta, a Google engineer, first discovered “Heartbleed” — a bug that undermines the widely used encryption technology OpenSSL — some time in March. A team at the Finnish security firm Codenomicon discovered the flaw around the same time. Google was able to patch most of its services — such as email, search, and YouTube — before the companies publicized the bug on April 7.

The researchers also notified a handful of other companies about the bug before going public. The security firm CloudFlare, for example, said it fixed the flaw on March 31.

But the White House said Friday that no one in the federal government knew about the problem until April. The administration made the statement to deny an earlier Bloomberg report that the National Security Agency had been exploiting Heartbleed for years.

“Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before April 2014 are wrong. The Federal government was not aware of the recently identified vulnerability in OpenSSL until it was made public in a private sector cybersecurity report,” Caitlin Hayden, a White House spokeswoman, said in a statement.

“If the federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL.”

Hayden emailed to clarify that the “private sector cybersecurity report” refers to the April 7 announcement.

Asked whether Google discussed Heartbleed with the government, a company spokeswoman said only that the “security of our users’ information is a top priority” and that Google users do not need to change their passwords.

Companies often wait to publicize a security flaw so they can have time to patch their own services. But keeping the bug secret from the U.S. government may have left federal systems vulnerable to hackers. The IRS said it’s not aware of any vulnerabilities in its system, but other agencies that use OpenSSL could have been leaking private information to hackers.

The government encourages companies to report cybersecurity issues to the U.S. Computer Emergency Readiness Team, which is housed in the Homeland Security Department. US-CERT has a 24-hour operations center that responds to security threats and vulnerabilities.

Christopher Soghoian, the principal technologist for the American Civil Liberties Union, said the U.S. government only has itself to blame if tech companies don’t trust it to handle sensitive security information.

He said that because government agencies often share information with each other, there’s no way for a company to be sure the NSA won’t get information shared with another agency and use it to hack into private communications.

“I suspect that over the past eight months, many companies have taken a real hard look at their existing policies about tipping off the U.S. government,” he said. “That’s the price you pay when you’re acting like an out-of-control offensive adversary.”
