Friday brought allegations that the NSA not only knew of Heartbleed, but had used the exploit for some time, perhaps two years. The NSA, in a statement, denied this. The White House followed suit. Since then we’ve learned a few things that are worth keeping in mind.
Let’s begin with what the U.S. government’s policy is regarding revealing flaws in Internet security. The New York Times wrote the key report on this, based on sourcing from “senior administration officials.” The gist here is that the U.S. government now claims to have a bent towards disclosing what flaws it does find, provided, as quoted by The Times, there is “a clear national security or law enforcement need.”
While it is easy to appreciate a leaning towards disclosure, the above leaves the American people in a position of either trusting the government or not. Put simply, as the government gets to decide for itself what is a “clear national security need or law enforcement need,” we, the average folk, have no window into what is not disclosed, and why.
There’s reason for that, naturally: If the NSA decided to tell the world each and every exploit that it found and intended to use, they would all slam shut, and its job would become far harder if not impossible. At the same time, we haven’t answered the following question: If the NSA had known about Heartbleed — and some remain convinced that, denials aside, it did — would it have told the Internet community?
If we can’t be sure that Heartbleed wouldn’t have passed the anti-efficacy test — the idea that a flaw is so dangerous to the public safety that it must be disclosed, potential offensive capabilities be damned — we are left essentially nowhere. That tension negates the fact that the NSA claims to have not known; if we can’t be sure of its own methods for determining what is to be disclosed and what not, at least in the abstract, any single case is simply an occluded data point with no axes to measure from.