A new article by Michael Riley at Bloomberg makes an explosive allegation. According to “two people familiar with the matter,” the NSA has known about the crippling ‘Heartbleed’ bug that compromises one of the core Internet security standards for at least two years. It has exploited this bug to secretly gather intelligence.
If this story bears out (it would be good to have absolute confirmation that the reporter’s sources were the kind of people who would have active operational knowledge regarding the NSA’s activities), it has profound political consequences. This earlier post discusses the complicated relationship between the NSA’s two core missions – of securing U.S communications against adversaries (including helping the private sector through its relationship with the relevant standard setting body), and of breaking the codes of non-U.S. actors to further the U.S. national interest.
This relationship has become more complicated since the 1980s because cryptography is now ubiquitous on the Internet (even if people don’t realize they’re using it), and both U.S. and non-U.S. firms often use the same cryptographic standards and software. The two core missions may come into conflict when the NSA finds out about (or pays for knowledge of) bugs or backdoors with security implications. On the one hand, the NSA can let the U.S. private sector know so that it can patch the bug, protecting U.S. industry and individuals, but also fixing a vulnerability that could be used to compromise foreign systems. Alternatively, it can keep the bug quiet, allowing U.S. business and individuals to go unprotected, but preserving the vulnerability for surreptitious use against foreign parties of interest.
The Bloomberg story says that the NSA decided to leave the U.S. private sector, and U.S. individuals, completely unprotected against the most crippling security vulnerability of our generation, in order to compromise the security of non-U.S. targets. If this is true, perhaps we’ll hear more about the rationale behind this decision (although very likely not). On its face, it is difficult to imagine any justification that will even begin to soothe the shock and outrage among people and businesses, both American and non-American, who take computer security seriously.
If it turns out that this vulnerability has been exploited, either by criminals or (more likely) by non-U.S. intelligence agencies, the outrage will be even greater. The willingness of the private sector to cooperate with the U.S. government in sharing information about vulnerabilities will be compromised, perhaps irrevocably. The informal dominance of the U.S. in international Internet governance debates will be undermined. Organizations such as the Internet Engineering Task Force, which create many of the basic underlying protocols of the Internet, will move from grumbling and unhappiness to outright revolt.
Last September, the prominent cryptographer and writer Bruce Schneier wrote that the Snowden revelations showed that the U.S. could no longer be regarded as an ethical steward of the Internet, and called for the international engineering community to take Internet governance into their own hands. After today’s news, his arguments are likely to find many, many sympathetic ears.
Update: The White House has emphatically and unambiguously denied any previous knowledge of the Heartbleed vulnerability.