NSA on Heartbleed: 'We're not legally allowed to lie to you'

Summary: In an exclusive interview with ZDNet's David Gewirtz, a senior NSA official explains why the agency regards security and civil liberties as more than a simple balancing act: "You have to have them both."

ZDNet recently had the opportunity to sit down and discuss how the NSA approaches the difficult challenge of both protecting our security and supporting the American ideals of openness and transparency. The recent Heartbleed bug brought these issues to light in a particularly relevant way.

This article contains a transcribed version of that interview. Other than a few housekeeping clean-ups, the interview is verbatim.

Before we start, I also want to point out that I was permitted to ask whatever questions I wanted, and Neal Ziring, Technical Director in NSA's Information Assurance Directorate, was willing to answer them.

Here are some tidbits from the full interview:

  • "Vulnerabilities are very precious currency in cyberspace."
  • "...have we looked at OpenSSL? Of course we have. We, like a lot of other folks in the community, did not spot this particular vulnerability."
  • "Did we find it? No. We did not. A lot of other people didn't find it, either."
  • "We have people that are spread thin, looking at a lot of different pieces, and we just didn't catch this one."
  • "With a super-widespread vulnerability like Heartbleed, it's going to be in the national interest of the U.S. government to act to eliminate that vulnerability."
  • "What we try to do is understand those systems to a very deep level so that we can understand where they're strong, where they're weak."
  • "I'll be frank with you. If it comes down to protecting against a terrorist or protecting against his privacy, I'm afraid that his privacy is not going to be the number one thing on people's minds."
  • "The only way to improve the trust is for us to be out there and transparent."

And now, the full interview, in its entirety...

ZDNet: Let's start out with some background. Tell us about yourself.

Neal: I've been at NSA since 1988, and I worked mostly in evaluation of security products, crypto products, things like that. I worked a little bit on mobile code security, executable content security as you sometimes call it at the DOD and IC levels. I worked a lot on router security, so if you go on NSA.gov, you can see some of the products I worked on, the guidance available on security, and I worked with NIST on the Security Content Automation Protocol.

"The folks that are here on the inside get to see the intelligence that they're delivering every day. They get to see a soldier go home who they gave intelligence to his platoon so it wasn't ambushed."

Then I spent four years working over in our Technology Directorate as a security architect for some large government systems including some that went out to the field like Iraq and Afghanistan. Then I came back to my home, IAD Directorate, to be the Technical Director. You can think of it like a senior technical advisor position to our director.

Then, through all of that, like the last decade or so, I've been working a lot in our academic outreach efforts. We have a large program for designating Centers of Academic Excellence in information assurance and cyber security education, and I work on that, especially with the high level one called "CAER," which is for research universities.

ZDNet: What's your specific role here at NSA?

Neal: I said I'm from the Information Assurance Directorate. As you know, NSA has these two missions, a signal intelligence mission and an information assurance mission. I've spent most of my career in that information assurance mission, so my answers are going to tend to be from that viewpoint, although I understand the other mission.

ZDNet: What exactly is information assurance?

Neal: Information assurance, most people today would call it cybersecurity, although it's actually a little bit broader than that, but it's the art and science of being able to use our information with confidence in military systems, other national security systems, and being able to ensure that it is confidential when it needs to be confidential, that it has integrity when it needs that, that we have freedom to maneuver in cyber space.

Our motto for the Information Assurance Directorate is "Confidence in Cyberspace." We try to provide that for a very wide spectrum of customers. Under National Security Directive 42, our primary customer set are the national security systems, which are all your military and intelligence systems, certain other government systems that have to do with maintaining the national security of the U.S., but we actually do a lot beyond that in working with other parts of government and assisting government agencies at their request, for example, DHS with critical infrastructure, so we have a pretty broad mandate, and we've been operating in that mode since NSA was founded in the early 1950s.

ZDNet: Moving on from that to NSA's global mission, where do you see the NSA's global mission with regard to the digital systems data?

Neal: NSA's global mission from the intelligence side is to continue to produce actionable intelligence to the United States for the decision makers, the war fighters.

That mission hasn't gone away. It really hasn't changed. We still face a lot of threats in the world, and it's very important that the President, the military commanders, etc. have reliable intelligence about all those issues, so that hasn't changed.

Similarly, our information assurance global mission hasn't changed. We have to continue to provide products and services that protect national security systems wherever they may be. We have people deployed to the Middle East, working with folks on their networks out there right now. IAD [Information Assurance Directorate] does.

Those missions haven't gone away. They're complex. They keep getting more complex as our adversaries gain new tradecraft, but we're continuing to prosecute those and to partner with the folks we need to partner with all the time.

"...and certainly, NSA does have folks that look for vulnerabilities. We have to."

ZDNet: NSA is in a damned-if-you-do and damned-if-you-don't place with Heartbleed. If you did know about Heartbleed and didn't help get it fixed to protect us all, you're irresponsible spies. But if you didn't know about it and it's been there all along, in a very well-known piece of software, you're incompetent. So, which is it? Irresponsible or incompetent?

Neal: Yeah. This is a very tricky question, and certainly, NSA does have folks that look for vulnerabilities. We have to.

Vulnerabilities are very precious currency in cyberspace, and have we looked at OpenSSL? Of course we have.

We, like a lot of other folks in the community, did not spot this particular vulnerability. It's also very interesting to note that automated code scanners … I've talked to SMEs [Subject Matter Experts] both inside and outside NSA about this, didn't catch it either.

If you look at the structure of the OpenSSL code involved, it's a number of reasons why that could have been the case. Nobody knows exactly. The various companies are scrambling to rectify that at the moment, at least a few of them that I've talked to.

Did we find it? No. We did not. A lot of other people didn't find it, either. There's a lot of software out there. We have people that are spread thin, looking at a lot of different pieces, and we just didn't catch this one.

It's important to note that we focus on the technologies, the systems that we think have the most impact for national security. We have to prioritize on that basis.

The interview continues on the next page...

By the way, I'm doing more updates on Twitter and Facebook than ever before. Be sure to follow me on Twitter at @DavidGewirtz and on Facebook at Facebook.com/DavidGewirtz.


David Gewirtz, Distinguished Lecturer at CBS Interactive, is an author, U.S. policy advisor, and computer scientist. He is featured in the History Channel special The President's Book of Secrets and is a member of the National Press Club.

  • He's probably sincere...

    ...but spooks get so caught up with national security concerns that they tend to forget about or minimize the privacy concerns of ordinary citizens who have no rational reason to trust them or anyone else who customarily works in secret. The potential for abuse is obvious; the hard job for the spooks is convincing laypeople that they're trustworthy. The Snowden revelations set back that trust 30-40 years and it won't be easy to win it back; and that's the fault of the US Intelligence Community and the elected and appointed officials responsible for supervising it; not Snowden.

    When you're working in secret, the rule has to be to not do anything one would be ashamed of the public finding out about. Leaks happen, but even damaging leaks shouldn't cause people to be suspicious of the institution. The fact that the Snowden revelations did just that is indicative of the real problem.
    John L. Ries
    • And again I'm anonymous

      I wonder if this is a Javascript issue.
      John L. Ries
      • As my name promptly comes back

        John L. Ries
  • 'We're not legally allowed to lie to you'

    Ha-ha-ha! LOL. :-P
    • EXACTLY!!!

      You were expecting him to say: 'We're not legally allowed to lie to you ... BUT SOMETIMES WE DO"?
      George Mitchell
  • How do you know...

    How do you know they aren't lying to you NOW?

    "We are not legally allowed to lie to you." (Unless that is a lie)
  • When has legality

    ever been a prerequisite for action by the NSA? Or those who comprise it?
  • 'We're not legally allowed to lie to you'

    He borrowed that line from Obama and Jay Carney and Obama's administration.

    They only lie to protect us from the truth.
  • Of course they're allowed to lie to us...

    They do it all the time. In fact, the Supreme Court has ruled that law enforcement officials (police, etc.) are allowed to lie to citizens. Unless they are testifying under oath, they can and do lie all the time. It is part of their standard operating procedure. In the case of police, it's considered justified in the capture of criminals, though more often it's used to induce innocent people to incriminate themselves in acts they never committed, and in the "intelligence" world, it's considered necessary for national security.

    "I don't lie" is the foremost indicator that someone is lying to you.

    I have no idea whether the NSA knew about the Heartbleed bug or not. They are probably incompetent enough that if they didn't create it, they didn't know about it. But certainly, if they did know about it, they'd have exploited it to gain information about both citizens and foreigners rather than revealing it for the privacy protection of computer users.
  • "We're not legally allowed to lie to you"

    The following statement is true.

    The preceding statement was false.