As Seth covered earlier today, Bloomberg has accused the NSA of benefiting
from the Heartbleed OpenSSL bug. The NSA denies this in fairly strong terms. I'd like to draw attention to a different facet of the topic -- first, by discussing the semantics of the NSA's denial and then the wider impact of how that denial is perceived and what it means for the tech community as a whole.
The NSA's Denial is Surprisingly Straightforward
For the past year, the NSA's responses to the Snowden leaks have followed the same strategy: Either the organization claims that its activities are legal or it denies engaging in a similar
(but distinct) activity from the one it's actually accused of actually perpetrating. A good example of this is the allegation that the NSA tapped undersea data cables from Google
to intercept company data as it moved between server farms.
When asked if these allegations were true, General Alexander responded: "But I can tell you factually we do not have access to Google servers, Yahoo servers. We go through a court order." By refuting a claim that no one actually made, Alexander bet that the majority of readers wouldn't understand the difference between tapping the link
between servers and tapping the servers themselves.
With that in mind, what's striking about the Heartbleed denial is that it's unusally straightforward. The NSA's formal response states:
Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before April 2014 are wrong. The Federal government was not aware of the recently identified vulnerability in OpenSSL until it was made public in a private sector cybersecurity report. The Federal government relies on OpenSSL to protect the privacy of users of government websites and other online services. This Administration takes seriously its responsibility to help maintain an open, interoperable, secure and reliable Internet. If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL.
This clear, specific statement is exactly what the NSA hasn't
been willing to say in its previous remarks. That doesn't mean the organization is being honest, but the scope and severity of this flaw means that it's possible even the NSA would feel obliged to reveal it.
Unfortunately, the fact that we're discussing whether the NSA would actually help patch a bug or deliberately exploit it is, itself, evidence of how perceptions of the organization have changed. A recent (albeit unofficial poll) by Princeton Survey Research Associates found that the NSA was trusted less than Facebook
when it came to securing personal information and considered the organization most likely to violate individual privacy.
If corporations and the public no longer trust the NSA to be truthful about what it knows and when it knew it, the organization's role in the wider security ecosystem will be fundamentally compromised. Google and Yahoo responded to the data cable snooping by implementing end-to-end encryption within their data centers. Now, with every major security flaw, the first question is "Did the NSA arrange this or just benefit from it?"
Why No One Trusts The NSA:
It's always been a given that the NSA had to balance the dual mandate of helping to secure the United States while finding ways to spy on targets using exploits and vulnerabilities in software. One of the most damning aspects of the Snowden leaks is the way the organization boasts of finding a legion of unpatched vulnerabilities and using those bugs to further its goals.
But the organization's responses to these leaks has been to alternately hide from the wider implications or to give false rebuttals to questions no one is asking. The general public may be fooled, the technical press and engineers in Silicon Valley are not. It's no accident that this is the third OpenSSL
vulnerability to be discovered in a matter of months; it suggests a broad research project aimed at locking down the holes the NSA has used to peer through windows.
In that sense, it doesn't matter if the NSA knew about Heartbleed or not. The agency has established a pattern of refusing to acknowledge a lie (General Alexander has referred to his remarks in front of Congress as the "least untruthful" answer), refusing to acknowledge known truths, and dismissed the concerns of ordinary citizens and Congressman alike. It's not as simple as saying the NSA may or may not have lied -- the NSA
is no longer trusted to understand the scope of the problem or care about the concerns of US citizens. The organization is playing by a different rulebook.