Bloomberg is reporting that the National Security Agency has known about the Heartbleed Bug for two years. And rather than alerting the OpenSSL team so they could fix the problem, the NSA simply added the Heartbleed attack to its arsenal of tactics used to compromise targeted computers. Update: In a tweet, the NSA has denied that it knew about Heartbleed before it became public this month.
This won't surprise anyone who has been paying attention to how the National Security Agency operates. The agency has an entire department, known as Tailored Access Operations, devoted to offensive hacking. TAO combs popular software for security vulnerabilities it can use to introduce sophisticated malware into computers it wants to spy on. Once compromised, these computers can be re-programmed to spy on their users and divulge their private files, all without users knowing about it.
But Bloomberg's reporting, if true, will further damage the already strained relationship between the nation's top electronic spying agency and the civilian security community. In the past, the private sector has sometimes relied on the NSA's technical expertise to help it better secure its products. Yet it now appears that securing the American Internet against online threats is far from the agency's top priority. When the agency discovers a flaw in popular software, it is more interested in preserving its ability to attack others than in alerting Americans to the problem.
If the NSA were the only intelligence agency in the world, that might not be a bad strategy. The problem is that America's adversaries have intelligence agencies too. If the NSA was able to discover the Heartbleed bug two years ago, there's a good chance that Chinese, Russian, or other intelligence services have too, exposing Americans and American companies to foreign eavesdropping.
This post has been updated to reflect the NSA's denial of Bloomberg's reporting.