Bloomberg is reporting that the Heartbleed bug, which shocked the web security community this week, has been known and actively exploited by the National Security Agency for at least two years. According to two anonymous sources familiar with the matter, the bug was kept secret in the interest of national security, while the agency used it to obtain passwords and other data. Since the bug was first committed in 2012, the report suggests the NSA discovered the bug and maintained access for nearly the entire lifespan of Heartbleed.
The vulnerability could have been used to attack many services that were only patched shortly before the bug was publicly disclosed, including Gmail and Amazon Web Services, since their protection against Heartbleed dates back only to last week. That would give the NSA access to as many as two-thirds of the encrypted servers on the web. The report also indicates that Heartbleed is far from an anomaly: one source estimates that the NSA has thousands of similar vulnerabilities on file, and the agency has persistently defended their importance in intelligence gathering.
The NSA has officially denied the allegations, stating that it was not aware of the bug until it was made public on Monday. The White House also denied the allegations through an unusually strong and immediate National Security Council statement. "If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL," the statement said.
Still, it's easy to see how the NSA could have found the bug early, given its overwhelming resource advantage: according to the Black Budget, the agency spends $1.6 billion a year on data processing and exploitation, more than a thousand times the annual budget of the OpenSSL project. The resulting conflict of interest casts major doubts on the NSA's role in US Cyber Defense. As a former Air Force cyber officer told Bloomberg, "they are going to be completely shredded by the computer security community for this."
Update April 11 4:43PM EST: The article has been updated to reflect the NSA and White House denials.
Statement: NSA was not aware of the recently identified Heartbleed vulnerability until it was made public. — NSA/CSS (@NSA_PAO) April 11, 2014