Why Obama's response to the Heartbleed bug is so troubling
On Friday, the Obama administration unequivocally denied a report that the NSA had exploited the Heartbleed vulnerability to gather intelligence, part of a swift effort to shut down a damaging storyline that featured the government knowingly failing to shield millions of Americans from an online security flaw.
But in so doing, the administration also made two important admissions. First, it can, if pressed, use plain English free of obvious deceit, in contrast to the obfuscation that has characterized the government's response to a stream of revelations about the NSA's vast internet dragnet. And second, the administration uses a previously undisclosed review process that sometimes does — but in this case supposedly did not — approve the exploitation of Heartbleed-like bugs.
Last week, researchers revealed a "catastrophic" vulnerability in the code two thirds of websites use to verify authenticity and protect passwords and the like, called OpenSSL. The vulnerability made it possible to obtain whatever data was in the memory of the computer during the authentication process, which meant that protective measures like user passwords or security questions might be accessible to hackers.
On Friday afternoon, Bloomberg reported that the NSA had known about and used the vulnerability starting shortly after it was introduced over two years ago. It sourced that report to "two people familiar with the matter."
With Bloomberg's report, it seemed that many of the suspicions raised about the NSA since last June were proven true — that the NSA was allowing dangerous holes to remain in the internet's security to make it easier for the agency to spy. Documents released by Edward Snowden made it clear the NSA had had a breakthrough in exploiting SSL in 2010, though it remains unclear how it had done so. The Bloomberg report seemed to provide an answer (albeit one that didn't line up with the Snowden time line of events).
The administration — specifically the NSA, the National Security Council, and the Director of National Intelligence — issued a coordinated denial on the intelligence community website — called "IC on the Record" — fairly quickly after the Bloomberg report. "Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before April 2014 are wrong," it said. "The federal government was not aware of the recently identified vulnerability in OpenSSL until it was made public in a private sector cybersecurity report."
The denial itself was fairly remarkable, coming as it did on a website often mocked for bearing the URL "I Con the Record," and which is associated with Director of National Intelligence James Clapper, who got caught lying to Congress about the NSA last year. The administration's habit of issuing false denial after false denial over the last year should lead us to dismiss yet another denial outright. Like the boy who cried wolf, the Obama White House has little credibility on the issue of Big Data when it matters.
Yet the Heartbleed denial was different. It offered a comprehensive denial — making it clear that neither the NSA nor any other part of the government had used this vulnerability. And it provided specificity about precisely when and how it learned of the vulnerability. In comparison with other, far less credible denials, this one stuck out because it lacked obvious holes (except, perhaps, that the NSA's British partner, GCHQ, had used the vulnerability, or that the NSA had exploited the security hole in the brief window after it found it).
Moreover, the nature of the vulnerability makes NSA's denial somewhat credible. Because the vulnerability only provides a random selection of data, it would not be an efficient spying technique.
The NSA probably has far more efficient ways to get around SSL. Moreover, some of the government's own websites were affected, a point the denial emphasized: "The federal government relies on OpenSSL to protect the privacy of users of government websites and other online services." (Though that, too, is not an ironclad alibi, since the NSA reportedly weakened other standards that its own computers use.)
But the denial did one more thing: it confirmed that the president has reaffirmed NSA's practice of keeping secret other vulnerabilities it finds so it can exploit them. The statement revealed, "In response to the recommendations of the President's Review Group on Intelligence and Communications Technologies, the White House has reviewed its policies in this area and reinvigorated an interagency process for deciding when to share vulnerabilities."
The President's Review Group, which was made up of outsiders who nevertheless had close ties to either the president or the national security community, had recommended in December that before the government use such vulnerabilities, it should conduct an interagency risk assessment to approve such use. "Before approving use of the Zero Day rather than patching a vulnerability, there should be a senior-level, interagency approval process that employs a risk management approach." ("Zero Day" is a reference to vulnerabilities that need to be fixed ASAP—i.e., in zero days.) The administration's denial on Friday dubbed this process "the Vulnerabilities Equities Process."
The announcement that the administration had "reinvigorated" its interagency process on Zero Days appears to be new news. It is not something President Obama announced in his big speech laying out reforms in January. Without more details, there's no reason to believe it is anything but a convenient talking point used to lend credence to a particularly strenuous denial.
But the announcement's discussion of the interagency review also made clear that the process will, sometimes, approve such a use — which means that the next Heartbleed could be exploited by the NSA. Furthermore, the standard the administration claims to have adopted — "a clear national security or law enforcement need" (italics mine) — is lower than the "urgent and significant national security priority" recommended by the Review Group.
In other words, in very clear language, the government has confessed that it does and will continue to keep secret Heartbleed-style vulnerabilities not just for national security purposes, but also for mere law enforcement. And that should worry those who want to keep their online information secure.