The Washington Post

The NSA denies it knew of the Heartbleed bug

(Trevor Paglen /The Intercept)

The NSA is disavowing its knowledge of the Heartbleed security vulnerability after a Bloomberg report suggested that the spy agency had exploited it for at least two years.

“NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report," NSA spokesperson Vanee Vines told The Post. "Reports that say otherwise are wrong.”

The White House and the Office of the Director of National Intelligence echoed that statement Friday, saying neither the NSA nor any other part of the U.S. government knew about Heartbleed before April 2014.

"If the federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL," said National Security Council spokesperson Caitlin Hayden.

The denials are unusually forceful for an agency that has historically deployed evasive language when referring to its intelligence programs.

According to two anonymous sources cited by Bloomberg News, the NSA knew for "at least two years" that it could use the Heartbleed vulnerability to steal passwords and other sensitive information from unwitting Internet users. The bug is a result of a flawed update to a widely used security protocol underpinning as much as two-thirds of the Web.

Privacy advocates said Friday that the report, if true, would not be a surprise.

The White House said Friday that when the government uncovers a Heartbleed-like bug, "it is in the national interest" to notify developers — "unless there is a clear national security or law enforcement need."

Previous reports show that the NSA has actively sought out and purchased security flaws in the past to use against intelligence targets. It is unclear whether allies of the United States knew of the Heartbleed bug.

Brian Fung covers technology for The Washington Post, focusing on telecommunications and the Internet. Before joining the Post, he was the technology correspondent for National Journal and an associate editor at the Atlantic.
Show Comments
Most Read
DJIA -1.29%
NASDAQ -3.25%
Last Update: 4:33 PM 02/06/2016(DJIA&NASDAQ)



Success! Check your inbox for details.

See all newsletters

Close video player
Now Playing

To keep reading, please enter your email address.

You’ll also receive from The Washington Post:
  • A free 6-week digital subscription
  • Our daily newsletter in your inbox

Please enter a valid email address

I have read and agree to the Terms of Service and Privacy Policy.

Please indicate agreement.

Thank you.

Check your inbox. We’ve sent an email explaining how to set up an account and activate your free digital subscription.