BLOOMINGTON, Ind. -- A disclosure -- and denial -- over whether the NSA discovered, hid and exploited the Heartbleed vulnerability for the past two years highlights both the damage that the agency’s credibility has suffered and the urgent need to separate the agency’s twin responsibilities for information assurance and surveillance into two agencies, according to an Indiana University cybersecurity expert.
Fred H. Cate, director of the university's Center for Applied Cybersecurity Research, said the most recent allegations, if true, also showcase a White House unwilling to listen to the very independent advisors it appointed to help mitigate the privacy and security revelations made public by Edward Snowden.
The Heartbleed bug was disclosed publicly Monday as a vulnerability in the popular OpenSSL program that is widely used across the internet to protect data and systems and to authenticate users during online transactions.
Bloomberg News reported late Friday, April 11, that, according to “two people familiar with the matter,” the National Security Agency knew of the Heartbleed bug for more than two years and not only kept it secret but regularly exploited it to collect information.
The Office of the Director of National Intelligence responded hours later with a flat denial.
“Normally such an absolute denial by a federal agency would be taken seriously,” Cate said, “but the number of apparently unambiguous denials by the intelligence community that over the past year have been proven false or seriously misleading has caused serious credibility issues for the NSA and the DNI.”
For example, recent testimony by both DNI Director James Clapper and former NSA Director General Keith Alexander turned out to be at best partially true, and at worst completely false.
“After a succession of such statements -- and no action in response by Congress or the president -- it is not surprising that many people doubt the NSA’s denial of any knowledge of the Heartbleed bug,” Cate said.
But the issue of whether the agency knew about what some experts are calling the greatest threat to data security in the history of the Internet for more than two years and did nothing to address it wouldn’t matter so much if the NSA did not continue to be responsible for two apparently contradictory missions: securing cyberinfrastructure and gathering foreign intelligence.
In comments filed with the President’s Review Group on Intelligence and Communications Technology in October 2013, Cate, who is also C. Ben Dutton Professor of Law at the Indiana University Maurer School of Law, wrote that “privacy and security advocates have long worried that in pursuit of the latter, increasingly dominant mission, the agency would learn about software and other vulnerabilities and rather than disclose or attempt to fix them, the agency would exploit them, thus compromising the former mission.”
Disclosures by Edward Snowden have made clear that “the agency has gone a step further and actively introduced vulnerabilities into commercial security products and services to enhance its ability to collect intelligence, even though this actively weakens both government and private-sector infrastructure,” Cate wrote. He therefore called for “dividing the NSA into two separate agencies.”
The President’s Review Group included this recommendation in its December 2013 report. The Review Group also recommended that the NSA not hide or exploit security vulnerabilities except in “rare instances” and for short periods of time.
President Obama, however, declined to follow either recommendation.
“The president has identified cyber threats as among the most critical dangers facing the nation,” Cate said, “Yet it is hard to take this claim too seriously when key responsibility for fighting those threats is given to the agency with the most to gain by hiding and exploiting them.”
Cate’s October 2013 comments to the President’s Review Group are available online.