The NSA has been ordered to report major software bugs to developers so they can be fixed, but it still has leeway to exploit them first in some cases.
Last week the announcement of the Heartbleed bug created a panic, as companies sought to update their software and users to change their passwords. Heartbleed was considered especially serious because it affected so much of the internet and because it could potentially give hackers access to passwords.
A report by Bloomberg News indicated that the NSA had known about Heartbleed for two years and chose to exploit the vulnerability it offered rather than warn users about its existence. Hours after the Bloomberg story was published, both the NSA and the White House denied any prior knowledge of the bug.
The NSA may or may not have known about Heartbleed, but everyone agrees that the agency is heavily involved in discovering and even purchasing so-called “zero day” exploits. The NSA’s headquarters is said to keep a list of such flaws, which it can exploit when necessary. The NY Times reports four such flaws were used in the US cyber attack on Iranian centrifuges.
The question remains: What is the NSA required to do if it discovers a major security flaw in software? The answer to that question isn’t entirely clear cut and was mostly not understood before the Heartbleed bug made it a front page story.
Last August the President created a Review Group on Intelligence and Communications Technologies. According to the Director of National Intelligence website, the group was to offer recommendations on how “the United States can employ its technical collection capabilities in a manner that optimally protects our national security and advances our foreign policy while respecting our commitment to privacy and civil liberties.”
Obviously, there are two opposing intentions contained in that statement. Protecting privacy and civil liberties does not always square with protecting national security and the NSA’s “collection capabilities.” The Review Group made its recommendations in December, including that the President reassess how the NSA uses the “zero day” exploits.
This recommendation was apparently resisted by the NSA. The WSJ reports: “the push to disclose and address zero day vulnerabilities was a major point of contention for the intelligence agencies, which fought the recommendation.” The NY Times is more explicit, saying the NSA compared giving up the exploits to “unilateral disarmament.”
At this point, we have two different perspectives on what happened next. The WSJ reports that, after considering it, the administration made “no substantive change to the process.” The Times offers a slightly more favorable interpretation, quoting National Security Council spokeswoman Caitlin Hayden saying the recommendations had “reinvigorated” the process of determining when to exploit useful “zero day” security flaws.
Whether or not the NSA knew about Heartbleed in particular, it still looks for and purchases security exploits like Heartbleed. And the recommendations the President received from the Review Group in December do not seem to have changed the process significantly. As even the Times concedes, the president left “a loophole that is likely to allow the N.S.A. to continue to exploit security flaws both to crack encryption on the Internet and to design cyberweapons.”