Heartbleed – the fallout (Part 1)

Image: Heartbleed by Shutterstock

On the otherwise quiet Friday afternoon of April 11, Bloomberg News reporter Michael Riley released an explosive story, asserting that the National Security Agency discovered a flaw in a widely used Internet security protocol two years ago but sat on the information in order to exploit it for intelligence gathering purposes. The article concluded “Putting the Heartbleed bug in its arsenal, the NSA was able to obtain passwords and other basic data that are the building blocks of the sophisticated hacking operations at the core of its mission, but at a cost.  Millions of ordinary users were left vulnerable to attack from other nations’ intelligence arms and criminal hackers.” Riley based his account on the word of “two people familiar with the matter.”

Given the gravity of the charge, the initial, halting reaction of the Obama White House and the NSA was puzzling. Clearly caught off guard, the administration first responded with the standard “no comment” on matters related to the NSA. Within hours, however, both the NSA and the White House issued precedent-setting statements (the first time the security apparatus has ever commented on a specific charge), flatly denying that the NSA had known of the flaw since 2012. National Security Council spokeswoman Caitlin Hayden stated: “Reports that the NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before April 2014 are wrong.” And the Director of National Intelligence, James Clapper, stated: “NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private sector cybersecurity report.” (This statement reflects the fact that the flaw was independently uncovered by Google and by a security firm, Codenomicon, who had begun warning other companies in the days before the Bloomberg story.)

What have we learned after two weeks of extensive commentary and analysis from technical and political experts, as well as a predictably passionate and (sometimes) thoughtful response in the blogosphere? First, regarding the dangers to the security of the Internet: the danger is real, but thus far there has been no large scale damage – so far as is known – to either private, commercial activity or government traffic. The Heartbleed bug is not a flaw in the SSL/TLS protocol itself but an implementation bug in OpenSSL, a cryptographic library used by as many as two-thirds of all active websites: the code handling the TLS “heartbeat” extension failed to check a length field supplied by the remote peer, letting an attacker read up to 64 kilobytes of a server’s memory with each request (many consumer sites were not vulnerable because they run TLS software other than the affected OpenSSL versions). It originated in an accidental mistake introduced by a volunteer German programmer two years ago that was not caught by reviewers. Despite conjecture in the blogosphere (and a history of just such activity) there is no evidence that the NSA had anything to do with the introduction of Heartbleed.
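The mechanism behind that mistake, as an added illustration rather than code from this post or from OpenSSL: a heartbeat request carries a two-byte length field, and the affected OpenSSL versions copied that many bytes out of memory without checking the figure against the size of the record actually received. The simplified C below models the vulnerable handler beside a bounds-checked form that follows the shape of the fix shipped in OpenSSL 1.0.1g. The message layout follows RFC 6520; the function names, the sample buffer and the “secret” bytes placed next to it are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of a TLS heartbeat message body (RFC 6520):
 *   type (1) | payload_length (2, big-endian) | payload | padding (>= 16)
 * Added illustration only; this is not OpenSSL's tls1_process_heartbeat. */

#define HB_REQUEST     1
#define HB_HEADER_LEN  3
#define HB_MIN_PADDING 16

/* Vulnerable handler, modelled on OpenSSL 1.0.1 through 1.0.1f: it believes the
 * peer-supplied payload_length and copies that many bytes starting just after
 * the header, even when the record the TLS layer delivered (rec_len) is shorter.
 * The extra bytes are whatever happens to sit next to the record in memory.
 * Returns the number of bytes copied into out. */
static size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                   unsigned char *out, size_t out_cap)
{
    if (rec_len < HB_HEADER_LEN)
        return 0;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];  /* attacker-controlled */
    if (payload > out_cap)
        payload = out_cap;  /* keeps this demo in bounds; the real code's only ceiling was the 16-bit field (64 KiB) */
    memcpy(out, rec + HB_HEADER_LEN, payload);        /* over-read: rec_len is never consulted */
    return payload;
}

/* Bounds-checked handler: a request whose declared payload plus header and
 * minimum padding does not fit inside the received record is silently discarded.
 * The same comparison is what a network sensor can apply to flag a malicious
 * heartbeat, since the server itself logs nothing about these messages. */
static size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                              unsigned char *out, size_t out_cap)
{
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING)
        return 0;                                     /* too short to be a valid heartbeat */
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HEADER_LEN + payload + HB_MIN_PADDING > rec_len)
        return 0;                                     /* declared length exceeds the record: discard */
    if (payload > out_cap)
        return 0;
    memcpy(out, rec + HB_HEADER_LEN, payload);
    return payload;
}

/* Constructed sample memory (not captured data): a heartbeat request that
 * claims a 32-byte payload but actually carries 4 bytes plus 16 bytes of
 * padding, followed by bytes that belong to something else entirely. */
static const unsigned char kHeap[] = {
    HB_REQUEST, 0x00, 0x20,                                  /* type, payload_length = 32 (a lie) */
    'p', 'i', 'n', 'g',                                      /* the 4 bytes really sent */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,          /* 16 bytes of padding */
    'S', 'E', 'C', 'R', 'E', 'T', '-', 'K', 'E', 'Y', '-', 'B', 'Y', 'T', 'E', 'S', /* adjacent data */
};
#define REC_LEN (HB_HEADER_LEN + 4 + HB_MIN_PADDING)         /* 23 bytes actually received */

/* An honest request: declared length matches what was sent. */
static const unsigned char kHonest[] = {
    HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
};

/* How many bytes the vulnerable handler copies from beyond the received record. */
static size_t bytes_leaked_by_vulnerable_handler(void)
{
    unsigned char out[64];
    size_t n = heartbeat_vulnerable(kHeap, REC_LEN, out, sizeof out);
    size_t in_record = REC_LEN - HB_HEADER_LEN;
    return n > in_record ? n - in_record : 0;
}

int main(void)
{
    unsigned char out[64];
    size_t n = heartbeat_vulnerable(kHeap, REC_LEN, out, sizeof out);
    size_t leaked = bytes_leaked_by_vulnerable_handler();
    printf("vulnerable: copied %zu bytes, %zu of them from past the record: \"%.*s\"\n",
           n, leaked, (int)leaked, out + (REC_LEN - HB_HEADER_LEN));
    n = heartbeat_fixed(kHeap, REC_LEN, out, sizeof out);
    printf("fixed: copied %zu bytes (lying request discarded)\n", n);
    n = heartbeat_fixed(kHonest, sizeof kHonest, out, sizeof out);
    printf("fixed, honest request: echoed %zu bytes: \"%.*s\"\n", n, (int)n, out);
    return 0;
}
```

In a real server the bytes past the record are not a planted string but whatever the heap held: fragments of other clients’ requests, session cookies, and, as later tests showed, the server’s private key. Nothing in this exchange is written to an ordinary access log, which is why past exploitation is so hard to establish.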

Public acknowledgement of the bug has produced a huge scramble to produce protective patches. As noted, Google had independently discovered the flaw, and in the ensuing days and weeks large Internet and technology firms such as Cisco, IBM, Intel, Juniper Networks, Facebook, Yahoo and Amazon, as well as banks and financial institutions, have moved to introduce fixes that will block potential hackers. The U.S. Department of Homeland Security warned that hackers are attempting to exploit the bug in targeted networks, and the Canada Revenue Agency reported that Heartbleed has been used to steal the social insurance numbers of some 900 taxpayers. Though large companies have moved quickly, the concern is that many small users will not act to protect themselves – and indeed, because a malicious heartbeat leaves no trace in ordinary server logs, past exploitation is virtually impossible to detect after the fact. In addition, recent tests by security firms have demonstrated that the Heartbleed bug can be used to capture a server’s private encryption key, which lets an attacker impersonate the site and, where the connection does not use forward secrecy, decrypt traffic flowing between the server and users’ computers – though again evidence of actual exploitation has not surfaced.

This two-part series will address – but alas not definitively answer – two major questions: did the NSA actually not know of Heartbleed, and what are the policy implications that flow from the evolving tale of Heartbleed? Part two will address the second question.

Though it has not been widely reported, and despite strong denials by the Obama administration, Bloomberg is sticking by its original story and conclusions (more on this below). Not unexpectedly, opinion from outside observers, in print and on the web, is deeply divided. For many, the NSA’s history of obfuscation and alleged deception is dispositive – Director of National Intelligence James Clapper’s “lying to Congress” in his Senate testimony that the agency did not spy on American citizens is repeatedly cited by sceptics. Along this line, though with less paranoia, other commentators, including the Washington Post technology blog, point to the pressure on the NSA to deny outright:

[If the Bloomberg report is true,] it is difficult to imagine any justification that will even begin to soothe the shock and outrage among people and businesses, both American and non-American who take computer security seriously. If it turns out that the vulnerability has been exploited either by criminals or (more likely) by non-U.S. intelligence agencies, the outrage will be even greater.

Adding to the suspicion is the fact that documents revealed by Edward Snowden showed that as early as 2010 an NSA program, BULLRUN, was targeting the SSL protocol. Many security experts find it hard to believe that, given the depth of such searches, the agency could have missed the error introduced in 2012.

Still, there are security experts – some generally critical of the NSA – who point to the emphatic, no-wiggle-room White House and NSA denials, and hold that the administration would not risk lying, out of fear of public backlash if it were caught. Others, including a respected CSIS cybersecurity expert, James Lewis, firmly believe that the NSA would not have held back knowledge of Heartbleed. Lewis told the New York Times that such an NSA response would have been “weird,” knowing the risk to the Internet (Lewis is also almost alone in holding that the entire episode has been overdramatized by the press and some in the security community: “a long line of ridiculous stories about cybersecurity.”).

All of this leads us back to the original Bloomberg story and Bloomberg’s subsequent defense of its essential accuracy. In response to the administration’s emphatic denials, Bloomberg went back to its sources and also dug deeper into the possibilities of alternative explanations of what transpired between Heartbleed and the NSA. In a little-noticed follow-up article, Michael Riley reaffirmed his original conclusions but also noted that the agency had “more than one way to circumvent the security of SSL and OpenSSL.” Sources pointed out that a potential work-around could involve not exploiting the SSL software directly but breaking into a different system in the targeted computer on which the software depends. And outside cybersecurity expert Jason Syverson conjectured: “Maybe it’s not Heartbleed, maybe it’s what they call alpha green, and alpha green is something that sends a packet to OpenSSL and creates an information leak.” The NSA could have considered this a hacking technique rather than an SSL software vulnerability, which it had the responsibility to reveal. In this scenario, the White House and NSA denials could be technically correct, and still allow the NSA to reap the intelligence benefits of a workaround that did not utilize Heartbleed in the first instance.

Needless to say, the NSA had no comment on the follow-up Bloomberg story, so we are left with messy conjecture. But unless Heartbleed results in large scale commercial hacking and damage to the Internet in the future (or Edward Snowden has another surprise up his sleeve), the White House and the agency may have dodged a bullet. This does not mean, however, that the difficult policy challenges created by the NSA’s capability and policy of breaking into Internet security protocols are settled or going away. These challenges will be taken up in Part 2 of this posting.
