Google Knew About Heartbleed and Didn’t Tell the Government

Federal systems remained vulnerable to hackers even after researchers identified the bug.

[Image: the Heartbleed logo]
National Journal
Brendan Sasso
April 14, 2014, 11:31 a.m.

Google knew about a critical flaw in Internet security, but it didn’t alert anyone in the government.

Neel Mehta, a Google engineer, first discovered “Heartbleed” — a bug that undermines the widely used encryption technology OpenSSL — some time in March. A team at the Finnish security firm Codenomicon discovered the flaw around the same time. Google was able to patch most of its services — such as email, search, and YouTube — before the companies publicized the bug on April 7.

The researchers also notified a handful of other companies about the bug before going public. The security firm CloudFlare, for example, said it fixed the flaw on March 31.

But the White House said Friday that no one in the federal government knew about the problem until April. The administration made the statement to deny an earlier Bloomberg report that the National Security Agency had been exploiting Heartbleed for years.

“Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before April 2014 are wrong. The Federal government was not aware of the recently identified vulnerability in OpenSSL until it was made public in a private sector cybersecurity report,” Caitlin Hayden, a White House spokeswoman, said in a statement.

“If the federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL.”

Hayden emailed to clarify that the “private sector cybersecurity report” refers to the April 7 announcement.

Asked whether Google discussed Heartbleed with the government, a company spokeswoman said only that the “security of our users’ information is a top priority” and that Google users do not need to change their passwords.

Companies often wait to publicize a security flaw so they can have time to patch their own services. But keeping the bug secret from the U.S. government may have left federal systems vulnerable to hackers. The IRS said it’s not aware of any vulnerabilities in its system, but other agencies that use OpenSSL could have been leaking private information to hackers.

The government encourages companies to report cybersecurity issues to the U.S. Computer Emergency Readiness Team, which is housed in the Homeland Security Department. US-CERT has a 24-hour operations center that responds to security threats and vulnerabilities.

Christopher Soghoian, the principal technologist for the American Civil Liberties Union, said the U.S. government only has itself to blame if tech companies don’t trust it to handle sensitive security information.

He said that because government agencies often share information with each other, there’s no way for a company to be sure the NSA won’t get information shared with another agency and use it to hack into private communications.

“I suspect that over the past eight months, many companies have taken a real hard look at their existing policies about tipping off the U.S. government,” he said. “That’s the price you pay when you’re acting like an out-of-control offensive adversary.”
