The NSA denies it knew of the Heartbleed bug

April 11, 2014

(Trevor Paglen / The Intercept)

The NSA is disavowing its knowledge of the Heartbleed security vulnerability after a Bloomberg report suggested that the spy agency had exploited it for at least two years.

"NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report," NSA spokesperson Vanee Vines told The Post. "Reports that say otherwise are wrong."

The White House and the Office of the Director of National Intelligence echoed that statement Friday, saying neither the NSA nor any other part of the U.S. government knew about Heartbleed before April 2014.

"If the federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL," said National Security Council spokesperson Caitlin Hayden.

The denials are unusually forceful for an agency that has historically deployed evasive language when referring to its intelligence programs.

According to two anonymous sources cited by Bloomberg News, the NSA knew for "at least two years" that it could use the Heartbleed vulnerability to steal passwords and other sensitive information from unwitting Internet users. The bug is a result of a flawed update to a widely used security protocol underpinning as much as two-thirds of the Web.

Privacy advocates said Friday that the report, if true, would not be a surprise.

The White House said Friday that when the government uncovers a Heartbleed-like bug, "it is in the national interest" to notify developers — "unless there is a clear national security or law enforcement need."

Previous reports show that the NSA has actively sought out and purchased security flaws in the past to use against intelligence targets. It is unclear whether allies of the United States knew of the Heartbleed bug.

Brian Fung covers technology for The Washington Post, focusing on telecom, broadband and digital politics. Before joining the Post, he was the technology correspondent for National Journal and an associate editor at the Atlantic.