The NSA is denying any prior knowledge of the Heartbleed security vulnerability after a Bloomberg report suggested that the spy agency had exploited it for at least two years.
The White House and the Office of the Director of National Intelligence echoed that statement Friday, saying neither the NSA nor any other part of the U.S. government knew about Heartbleed before April 2014.
"If the federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL," said National Security Council spokesperson Caitlin Hayden.
The denials are unusually forceful for an agency that has historically deployed evasive language when referring to its intelligence programs.
According to two anonymous sources cited by Bloomberg News, the NSA knew for "at least two years" that it could use the Heartbleed vulnerability to steal passwords and other sensitive information from unwitting Internet users. The bug is the result of a flawed update to OpenSSL, a widely used encryption library that underpins as much as two-thirds of the Web.
Privacy advocates said Friday that the report, if true, would not be a surprise.
Allegation that NSA knew about Heartbleed is just an allegation. But fits their statements about breaking SSL & collection of SSL sessions.
— Ramez Naam (@ramez) April 11, 2014
Also, I find it almost impossible to believe nobody other than NSA had spotted & exploited Heartbleed before now.
— Julian Sanchez (@normative) April 11, 2014
The White House said Friday that when the government uncovers a Heartbleed-like bug, "it is in the national interest" to notify developers — "unless there is a clear national security or law enforcement need."
Previous reports show that the NSA has actively sought out and purchased security flaws in the past to use against intelligence targets. It is unclear whether allies of the United States knew of the Heartbleed bug.