Google Knew About Heartbleed and Didn’t Tell the Government

Federal systems remained vulnerable to hackers even after researchers identified the bug.

National Journal
Brendan Sasso
April 14, 2014, 11:31 a.m.

Google knew about a critical flaw in Internet security, but it didn’t alert anyone in the government.

Neel Mehta, a Google engineer, first discovered “Heartbleed” — a bug that undermines the widely used encryption technology OpenSSL — some time in March. A team at the Finnish security firm Codenomicon discovered the flaw around the same time. Google was able to patch most of its services — such as email, search, and YouTube — before the companies publicized the bug on April 7.

The researchers also notified a handful of other companies about the bug before going public. The security firm CloudFlare, for example, said it fixed the flaw on March 31.

But the White House said Friday that no one in the federal government knew about the problem until April. The administration made the statement to deny an earlier Bloomberg report that the National Security Agency had been exploiting Heartbleed for years.

“Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before April 2014 are wrong. The Federal government was not aware of the recently identified vulnerability in OpenSSL until it was made public in a private sector cybersecurity report,” Caitlin Hayden, a White House spokeswoman, said in a statement.

“If the federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL.”

Hayden emailed to clarify that the “private sector cybersecurity report” refers to the April 7 announcement.

Asked whether Google discussed Heartbleed with the government, a company spokeswoman said only that the “security of our users’ information is a top priority” and that Google users do not need to change their passwords.

Companies often wait to publicize a security flaw so they can have time to patch their own services. But keeping the bug secret from the U.S. government may have left federal systems vulnerable to hackers. The IRS said it’s not aware of any vulnerabilities in its system, but other agencies that use OpenSSL could have been leaking private information to hackers.

The government encourages companies to report cybersecurity issues to the U.S. Computer Emergency Readiness Team, which is housed in the Homeland Security Department. US-CERT has a 24-hour operations center that responds to security threats and vulnerabilities.

Christopher Soghoian, the principal technologist for the American Civil Liberties Union, said the U.S. government only has itself to blame if tech companies don’t trust it to handle sensitive security information.

He said that because government agencies often share information with each other, there’s no way for a company to be sure the NSA won’t get information shared with another agency and use it to hack into private communications.

“I suspect that over the past eight months, many companies have taken a real hard look at their existing policies about tipping off the U.S. government,” he said. “That’s the price you pay when you’re acting like an out-of-control offensive adversary.”
