A case of Heartbleed

The NSA left the public vulnerable to a security flaw while exploiting it.

Luis Ruuska

By now you’ve likely heard about or taken action to protect yourself from the Heartbleed bug. The bug, a flaw in the popular OpenSSL software, left as many as two-thirds of the world’s websites vulnerable. It hit popular websites like Instagram and Pinterest, which advise users to change their passwords.

Although the public and tech industry only became aware of the Heartbleed bug earlier this month, there are allegations that the National Security Agency has known about the bug for at least two years and has been exploiting it the entire time.

So far, NSA officials have maintained their innocence and said they, too, only became aware of the Heartbleed bug earlier this month.

Naturally, the bug would have made it extremely easy for the NSA to mine the sort of valuable data it collects, supposedly in the interest of national security.

But while its intentions in using the bug may have been legitimate, the fact that the NSA exploited the bug while leaving the American public open to a potentially catastrophic act of cyber warfare is extremely unsettling, not to mention contradictory to the entire purpose of the NSA.

In response to these allegations, President Barack Obama and his Review Group on Intelligence Communications Technologies have both reaffirmed their commitment to instituting what they call the “Vulnerabilities Equities Process.”

Under this process, government agencies like the NSA would have to disclose information about security risks like the Heartbleed bug to the public unless there is a national security or law enforcement need.

Though the American public really doesn’t have any other choice, it still has to put a great deal of trust in government agencies and their ability to draw a clear ethical line in their work.

If the allegations against the NSA are true, it’s clear that its professional values and ethics do not involve breaking the line, but instead bending it as far as possible. However, I don’t see much of a difference between the two.