How the NSA shot itself in the foot by denying prior knowledge of Heartbleed vulnerability

In admitting it didn't know about a massive security flaw in one of the Web's most used encryption libraries, the NSA inadvertently revealed a massive institutional failure.
Written by Zack Whittaker, Contributor

The National Security Agency has eyes and ears everywhere. At least, so we thought.

In 2012, during a classified but widely-known operation at Fort Meade, MD, government crypotographers and developers downloaded the OpenSSL source code, as it does with dozens of other software published on the Web. The operation's objective was to find weaknesses in the library and exploit those vulnerabilities as part of wider efforts by the intelligence agency to conduct mass-scale surveillance.

After the code was downloaded and compiled, the developers were soon able to pinpoint a programming flaw in the code, which would have allowed the agency to collect usernames and passwords far quicker, more efficiently, and at a lower cost than its bulk data collection programs, notably its fiber cable tapping operation named Upstream. 

Executives and senior officials heralded it as one of the biggest vulnerability discoveries in the intelligence agency's recent history. A single programming flaw that it could exploit and use to tap directly into the communications of hundreds of millions of users, and gain system administrative privileges to vacuum up every shred of data it could find. Not just once, but at will, and it was untraceable. 

It was the NSA's golden goose.

Except, none of that happened, according to a statement by the U.S.' director of national intelligence, James Clapper, who said on Friday following the Bloomberg report citing two people familiar with the situation. "NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private sector cybersecurity report."

"Reports that say otherwise are wrong," he added, noting that the U.S. government "relies" on OpenSSL to protect its users on government websites. "If the… government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL."

Either one of two things happened: Bloomberg got screwed over by its sources, or the U.S. government is outright lying and clambering to save face with the already disgruntled public.

Clapper's response instead disclosed a seismic vulnerability in the intelligence agency's own mission, to "protect U.S. national security systems and to produce foreign signals intelligence information."

Clapper has, either intentionally (though more likely inadvertently) revealed the agency's own core internal weaknesses and deficiencies probably more so than any other revelation leaked by whistleblower Edward Snowden, who remains responsible for the biggest global intelligence leak in post-World War II history.

The NSA's job, first and foremost, has been blown up by the Snowden leaks in a specific and precise way than the agency's simplistic "protect America" rhetoric -- from tapping fiber cables, demanding data from Silicon Valley servers, intercepting wireless transmissions, and exploiting vulnerabilities and flaws in common encryption standards in order to vacuum up all the data things.

Forget what you think about the NSA right now. Speaking in devil's advocate terms, as taxpayers we pay for the NSA to protect the U.S. and its citizens and interests at home and abroad from foreign threats. With an international "mutual assured destruction" policy between our friends, enemies, and frenemies on the world stage, intelligence gathering is just a fact of life. And the NSA is not going anywhere any time soon,

By admitting that the NSA had not exploited the Heartbleed bug, described as "catastrophic" and the "worst vulnerability found" on the Internet since commercial traffic began to flow along its pipes, it shows how fundamentally flawed the agency is.

Previous leaks have shown that the NSA has spent hundreds of millions of dollars in actively exploiting weaknesses in encryption standards in conjunction with its British electronic eavesdropping counterpart, GCHQ. These activities "undermine the fabric of the Internet," according to security experts.

"If the… government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL." — James Clapper

It's not outside the bounds of reason to suggest that the NSA, arguably, should have found the bug within days, weeks, or even months after it was reportedly accidentally introduced into the OpenSSL cryptographic library, more than two years ago. 

Knowing how crucial and intrinsically important the library is to the world's web servers and online operations, the NSA should have downloaded the source code along with other libraries available on the Web, compiled it, poked it within an inch of its limits to find bugs, flaws, and weaknesses, and discovered the Heartbleed bug long before it was disclosed earlier this month.

Whether or not the NSA should have exploited the vulnerability for its own intelligence-gathering operations remains an entirely separate question, which will not be answered here.

Despite the egregious infringement of privacy and security on the ordinary American and foreigner alike, one is, nevertheless somewhat skeptically, actually inclined to believe the strongly-worded, stern-toned, and brazenly written statement by Clapper, who up until now has shied away from making public refutations about the NSA's capabilities and activities -- not least, because he stuffed it up once before on the floor of Congress. Historically, previous statements have either declined to comment citing ongoing intelligence operations, or released documents in an attempt to counter the media negativity and public outrage with its own version of events.

Clapper has not been the most candid or honest official in the Obama administration official since the breakout of leaks by the media in June 2013. In testimony to Congress following the disclosure of the PRISM program, Clapper misled officials about the bulk collection of American's metadata, and was pulled apart by the press as a result.

U.S. President Barack Obama defended Clapper in an interview with CNN's Jake Tapper earlier this year. He said: "Clapper's] concern was that he had a classified program that he couldn't talk about and he was in an open hearing in which he was asked, he was prompted to disclose a program, and so he felt that he was caught between a rock and a hard place."

Clapper's candid statement debut on Friday was further hardened by his closing sentiments.

"When Federal agencies discover a new vulnerability in commercial and open source software – a so-called 'Zero day' vulnerability because the developers of the vulnerable software have had zero days to fix it – it is in the national interest to responsibly disclose the vulnerability rather than to hold it for an investigative or intelligence purpose," Clapper said.

"Unless there is a clear national security or law enforcement need, this process is biased toward responsibly disclosing such vulnerabilities."

Reading in between the lines of Clapper's comments, it's clear because that the scope and range of this bug was so wide and pervasive, had the NSA have discovered it, there's a strong hint that it may have not disclosed it – keeping it for itself to dive further into our private lives than the Snowden leaks have shown thus far.

But it didn't, because it was too busy looking in the wrong direction.

Editorial standards