No, the US White House didn’t know about Heartbleed and didn’t exploit the OpenSSL bug to snoop, it said on Friday.
According to a statement from the Office of the Director of National Intelligence, the government has a “bias” toward responsible bug disclosure:
This Administration takes seriously its responsibility to help maintain an open, interoperable, secure and reliable Internet. If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL.
But that approach is squishy. The notion of responsible disclosure is more of a bias than a requirement, senior administration officials said on Saturday.
In fact, officials said that President Obama has left a huge loophole open in the form of an exception for “a clear national security or law enforcement need.”
As Bloomberg reported on Monday, the White House’s directive to limit US intelligence’s exploitation of software bugs, if strictly implemented without loophole, would require elite spying units to empty out their pockets of thousands of exploits, according to intelligence professionals.
Those exploits include bugs found not just in software but also in industrial controllers, heating and cooling systems, printers, anti-virus software, video conferencing systems and encryption protocols.
But this responsible-disclosure exception loophole is just too fuzzy, says Jason Syversen, who formerly worked on cyberwar projects for the Pentagon and now runs a New Hampshire company called Siege Technologies that develops cyberwar tools.
Bloomberg quotes him:
[Limiting the use of such exploits] would hamstring the ability of the intelligence organizations to do their mission. That's like saying spies are only allowed to lie some of the time but still have to do their job.
The NSA’s previous knowledge of Heartbleed came into question when Bloomberg reported that the agency knew about the flaw for at least two years and regularly used it to gather critical intelligence.
According to Richard Clarke, a member of a presidential panel set up to review NSA practices, the White House issued guidance on the issue of responsible disclosure to the entire intelligence community three weeks ago.
His guidance followed, more or less, the panel’s earlier recommendation that bugs be exploited and computer users kept vulnerable and in the dark only rarely and only for the most important intelligence goals.
The presidential guidance was made public for the first time on Friday, in response to the Bloomberg News report that the NSA had been milking the Heartbleed bug.
The White House has up until now been mute on what decisions have been made in the wake of the presidential panel’s recommendations, with the exception of last month, when it was announced that bulk data collection would stop, that data would be left in the hands of telecoms, and that the government would be able to get at it with court orders when needed.
But as the New York Times describes it, underneath this silence, there’s a roaring debate within the intelligence agencies regarding such things as whether the NSA should hammer away at weakening commercial encryption systems or trying to build in back doors that facilitate the agency’s communications cracking capabilities.
Giving up the power to use zero-day vulnerabilities as a wedge to open up enemies’ or targets’ communications systems would mean giving up the power to create a weapon such as Stuxnet, the cyber attack on Iran’s nuclear enrichment sites that the NSA reportedly built on top of four zero-day exploits.
Even those in the government who are sympathetic to broad reforms of the NSA can’t quite imagine giving up that zero-day power. The NYT quoted one such, a senior White House official:
I can't imagine the president - any president - entirely giving up a technology that might enable him some day to take a covert action that could avoid a shooting war.