The part of the evolving Heartbleed story that initially left me guardedly skeptical was the assertion, made by Bloomberg News, that the National Security Agency knew about this enormous Internet security flaw back in early 2012, but kept it secret because they wanted the option of exploiting it for their own purposes. Given that millions of sensitive passwords, and servers full of Americans’ confidential data, might be at risk, this could become a huge scandal if true. The NSA has denied the story ever since Bloomberg ran it at the end of last week.
I’m skeptical because Bloomberg dropped its allegations in a very matter-of-fact way, without revealing its source. They didn’t say the NSA might have kept Heartbleed on a leash, using it to harvest passwords from (presumably? maybe? hopefully?) foreign websites while leaving the rest of us vulnerable. The Bloomberg article asserted without reservation that the NSA had done this. The agency says they did not. Given what we’ve learned about the Surveillance State, we must sadly conclude it’s plausible that Heartbleed would be deliberately kept secret from Americans by their own government – let’s just say it’s not exactly out of character. But I haven’t seen any convincing evidence or sourced testimony that the agency’s denials are false in this case. This is a gun we definitely need to see smoking.
Also, the magnitude of the potential scandal will be influenced by how much actual damage to online privacy occurs. Heartbleed is a tremendous potential risk, a flaw in the encryption software for secure Internet connections that could allow clever hackers to steal user names and passwords from hundreds of thousands of systems – possibly even the administrator passwords that would give them unrestricted access to everything stored on a server. But as of yet, there has been no confirmed case of a Heartbleed hack occurring. It’s possible the bad guys didn’t find the flaw in time to exploit it, and their window of opportunity is closing, as the affected Internet code is updated to resolve the problem. It would be unusual for such a huge flaw to sit out there undetected by hackers for the better part of two years – they tend to find such vulnerabilities very quickly – but we might have gotten lucky in this case.
In any event, Bloomberg News is keeping up the pressure, publishing a new piece that claims the NSA maintains a “trove of software flaws” gathered by a unit called Tailored Access Operations… which not only keeps its hacking weapons secret from the public, but doesn’t even have to disclose them to the rest of the U.S. intelligence community, including other units of the NSA.
The new story once again asserts that two sources “familiar with the matter said that the agency was aware of [Heartbleed] and had used it as part of the intelligence gathering toolkit,” along with a dutiful reprise of the NSA’s denial that it knew about Heartbleed before the general public learned of its existence a few weeks ago. It is said that the NSA has been working to crack the Secure Socket Layer (SSL) encryption that protects sensitive Internet communications, and has developed hacks other than Heartbleed that allow it to crack secure systems.
The new Bloomberg report concludes by speculating that revised guidelines for online espionage might compel the NSA to begin giving up its stockpile of hidden vulnerabilities by quietly handing its stockpile over to major software vendors, who would presumably begin addressing the flaws sniffed out by government operatives over the years. It’s also possible the agency could keep what it has, and begin observing broader standards of transparency when it discovers new bugs.