NSA could have exploited virus

New information has been made available on the Heartbleed virus, which incriminates the National Security Agency.

The virus was made public Monday as a vulnerability in some versions of the OpenSSL program, an encrypting tool that is widely used on the Internet to protect sensitive information like credit card numbers, that’s able to bypass security and access the protective information.

According to a press release, Bloomberg News reported April 11 that, according to “two people familiar with the matter,” the NSA knew about the Heartbleed virus for more than two years, and they kept it a secret and used it to collect information.
The Office of the Director of National Intelligence denied the allegation, hours after Bloomberg released the information.

Fred Cate, director of IU’s Center for Applied Cybersecurity Research said the allegations, if true, will show a White House unwilling to listen to the independent advisors it appointed to help ease the privacy and security leaks made public by Edward Snowden.

“Normally such an absolute denial by a federal agency would be taken seriously,” Cate said in the release, “but the number of apparently unambiguous denials by the intelligence community that, over the past year, have been proven false or seriously misleading has caused serious credibility issues for the NSA and the DNI.”

“DNI” refers to the Director of National Intelligence.

In a 2013  testimony given by DNI Director James Clapper and former NSA Director General Keith Alexander, they claimed the NSA doesn’t collect information on Americans. The release suggests this claim turned out to be either only partially true, or completely false.

“After a succession of such statements — and no action in response by Congress or the president — it is not surprising that many people doubt the NSA’s denial of any knowledge of the Heartbleed bug,” Cate said.

The release said the issue of whether the NSA knew about the greatest threat to data security in the Internet’s history, according to some experts, would not be an issue at all if the NSA didn’t continue to work two seemingly contradictory missions: cyber security and foreign intelligence.

Cate, who is also a professor in the IU Maurer School of Law, filed comments with the President’s Review Group on Intelligence and Communications Technology in October 2013.
“Privacy and security advocates have long worried that in pursuit of the latter, increasingly dominant mission, the agency would learn about software and other vulnerabilities and rather than disclose or attempt to fix them, the agency would exploit them, thus compromising the former mission,” he said in the statement.

Cate said disclosures by Snowden made other issues clear.

“The agency has gone a step further and actively introduced vulnerabilities into commercial security products and services to enhance its ability to collect intelligence, even though this actively weakens both government and private-sector infrastructure,” he said.

Because of these issues, Cate called for the NSA to be divided into two separate agencies.
The President’s Review Group included his recommendation in its December 2013 report, according to the release. The group also recommended that the NSA not hide or use security vulnerabilities except in “rare instances” and for short periods of time.

President Obama declined to follow either recommendation, the release said.

“The president has identified cyber threats as among the most critical dangers facing the nation,” Cate said in the release. “Yet, it is hard to take this claim too seriously when key responsibility for fighting those threats is given to the agency with the most to gain by hiding and exploiting them.”

Kathrine Schulze