A Bloomberg report earlier today said that the NSA intentionally kept the Heartbleed bug a secret in order to use it as a tool for intelligence.
The NSA reportedly found out two years ago that it could use the bug to its own advantage, i.e., to gather vital intelligence from key targets. Even worse, the NSA, sources added, decided to keep it a secret.
The controversial agency was able to collect data such as passwords and other personal information - all at the expense of ordinary users, who were, in return, left exposed to hackers with knowledge of Heartbleed.
Security experts are now wondering what happened to the NSA's "defense comes first" motto.
“It flies in the face of the agency’s comments that defense comes first. They are going to be completely shredded by the computer security community for this,” said Jason Healey, director of the cyber statecraft initiative at the Atlantic Council.
In spite of the allegation, the NSA denied any knowledge of the bug. In a statement published today, the NSA said that it was not aware of the identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private sector cybersecurity report.
The NSA added that if they had discovered the flaw prior to last week, the agency would have reported Heartbleed to the community responsible for OpenSSL. Here's the full statement of the NSA:
April 11, 2014
NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private sector cybersecurity report. Reports that say otherwise are wrong.
Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before April 2014 are wrong. The Federal government was not aware of the recently identified vulnerability in OpenSSL until it was made public in a private sector cybersecurity report. The Federal government relies on OpenSSL to protect the privacy of users of government websites and other online services. This Administration takes seriously its responsibility to help maintain an open, interoperable, secure and reliable Internet. If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL.
When Federal agencies discover a new vulnerability in commercial and open source software – a so-called “Zero day” vulnerability because the developers of the vulnerable software have had zero days to fix it – it is in the national interest to responsibly disclose the vulnerability rather than to hold it for an investigative or intelligence purpose.
In response to the recommendations of the President’s Review Group on Intelligence and Communications Technologies, the White House has reviewed its policies in this area and reinvigorated an interagency process for deciding when to share vulnerabilities. This process is called the Vulnerabilities Equities Process. Unless there is a clear national security or law enforcement need, this process is biased toward responsibly disclosing such vulnerabilities.