Google and other companies knew about the “Heartbleed” bug, a serious flaw in Internet security, but failed to tell anyone in the federal government.
A story from the National Journal reports that Google engineer Neel Mehta discovered Heartbleed sometime in March. The company then took time to patch its own services, such as email and YouTube, before going public with the information on April 7, without notifying any government agency. Other companies performed similar patches without informing government officials.
Heartbleed is a flaw in OpenSSL, the encryption software that secures over 60 percent of all servers on the public Internet, according to a Los Angeles Times story.
A story from Bloomberg News reported that the National Security Agency (NSA) had known about Heartbleed for two years and failed to tell companies about it, choosing instead to exploit it for its own purposes.
That story forced the White House to issue a statement admitting that the federal government had no idea about the severe security flaw until April, long after Google had discovered it.
"Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before April 2014 are wrong. The Federal government was not aware of the recently identified vulnerability in OpenSSL until it was made public in a private sector cyber security report," said White House spokeswoman Caitlin Hayden in the statement.
While the federal government encourages companies to report critical Internet security flaws to the U.S. Computer Emergency Readiness Team, it is not unusual for those companies to wait until their own systems have been patched before doing so.
In the case of Heartbleed, though, most companies patched their servers and only then went public with the information. The decision not to notify the government could have left federal systems open to hackers.
Christopher Soghoian, a technologist for the American Civil Liberties Union, said he was not surprised that the government was among the last to know about Heartbleed. According to Soghoian, federal officials only have themselves to blame for Google and other companies not trusting them to handle sensitive information. He suggested that the government has maintained an adversarial relationship with technology companies where cyber security is concerned.
"I suspect that over the past eight months, many companies have taken a real hard look at their existing policies about tipping off the U.S. government," he said. "That's the price you pay when you're acting like an out-of-control offensive adversary."