Did the NSA Take Advantage of the Heartbleed Bug?

The Heartbleed bug is an exploit that has been known about for approximately two years. However, the amount of people that truly recognized its potential effects is limited. It’s possible that hackers have taken advantage of this exploit over the years, but most complications have only came up since it became public uproar.

There’s a lot to discuss when it comes to the Heartbleed bug. A lot of focus is put on which companies and websites are affected or how you can protect yourself. However, there is a unique story that picked up traction last week. A story that asks a very compelling question: Did the NSA take advantage of the Heartbleed bug?


Photo: Robin Lund / Shutterstock

Of course, this is a question that only a select number of people truly know the answer to. Beyond having that firsthand knowledge, all that can be used is speculation. But there has been some pretty thorough speculating on the subject and the while the NSA has kept quiet, the White House has not remained silent on the question. So it does give you a bit of information to piece together to sort of make your own judgment or to create your own assumptions on whether the NSA has taken advantage of the bug or not.

What “Take Advantage” Means

It is important to be clear that the term “take advantage” in this scenario is referencing to the idea that the NSA used this security leak as a spying tool. The idea is that the NSA had known about it already and used it as a strength, another piece in their arsenal, instead of just letting it be known to the appropriate security experts or to the public.

What the White House Says About This

The White House released a statement through a spokeswoman, Caitlin Hayden, of their National Security Council. This statement effectively declared that there is no reason to believe that the Heartbleed bug was common knowledge in the NSA or any other government departments prior to April of 2014.

Why It Makes Sense That The NSA Knew About It

The public is speculation that the NSA knew about the bug. A lot of this speculation could have surfaced as a result of general unacceptance of the NSA in general. There has been a lot of hate for this government department ever since the Edward Snowden incident.

However, it is important to note that the NSA focuses a lot of their budget and man hours on finding security exploits on the Internet. Open source software is often targeted as all the code is there, ready to be read. So after millions of dollars, countless hours from some of the smartest techies in the world, and use of the most sophisticated software available, one would only think that such a bug would have been discovered by now – after all, OpenSSL isn’t exactly used by just a small group of people.


Photo: Gil C / Shutterstock

Rumors have surfaced that the NSA had found out about the bug back when it was first discovered and since they have used it as a method for finding account passwords and other information. Of course, it could still be possible that this rumor is false and that the over 1,000 security experts did not have a clue about the bug.

Why It Would Make Sense That The NSA Didn’t Know About It

Here’s where it gets interesting. It’s public knowledge that the NSA is allowed to continue on with an Obama ‘seal of approval’ but this doesn’t come lightly. In January, Obama set a rule. This rule made it a requirement for the NSA to report any major bug discoveries to the vendors and other involved parties so it can be patched.

Still, there’s a problem with using this as logic to back up the NSA. Obama added a condition to this rule. This condition made it acceptable for bugs that were deemed as effective for the purpose of law enforcement or national security would not have to be reported. Not only that, but they could be exploited by the NSA department as well.

Another possible argument is that the NSA would have disclosed it to the US government and they would have at least helped their friends up North. If this would have happened, the Canada Revenue Agency website probably would not have been exploited.

Additionally, it is interesting to note that a Google security expert, Neel Mehta discovered the bug on March 21st, then CloudFlare, a firm owned by Google, found out the issue on March 31st, but it was not publicized until April 9th. This time was used to protect Google user’s data and when asked if Google shared the bug information with the NSA, they simply said that their user’s security and privacy was the number one concern.

It’s all really up in the air. You can assume that this story will continue to develop in the following weeks and months, but chances are it will be fuelled with nothing but speculation.