White House: NSA didn't exploit 'Heartbleed'

The White House is denying a report that National Security Agency (NSA) was aware of a massive security flaw affecting websites across the Internet and used the bug in order to obtain personal data.

Bloomberg reported on Friday that the spy agency was aware of the "Heartbleed" security glitch for at least two years and used it to obtain passwords and other data. But White House spokeswoman Caitlin Hayden said Friday that this report is "wrong."

ADVERTISEMENT
"The Federal government was not aware of the recently identified vulnerability in [the encryption software] OpenSSL until it was made public in a private sector cybersecurity report," she added. That report came out earlier this week.

"This administration takes seriously its responsibility to help maintain an open, interoperable, secure and reliable Internet. If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL."

The NSA has been criticized for its efforts to actively seek out and exploit vulnerabilities in cyberspace, a practice that critics say weakens security around the world.

But a White House review board suggested the agency halt its efforts to undermine online security, and Hayden said that the White House had "reinvigorated" an interagency process for determining when cyber vulnerabilities should be shared with their creators.

"Unless there is a clear national security or law enforcement need, this process is biased toward responsibly disclosing such vulnerabilities," Hayden said.

She added that when government agencies do detect bugs in public software "it is in the national interest to responsibly disclose the vulnerability rather than to hold it for an investigative or intelligence purpose."

The Heartbleed bug was detected by researchers earlier this week. The glitch in the widely popular OpenSSL security system could allow people to obtain passwords, bank account information and other sensitive data.

Critics of the spy agency were outraged after news broke suggesting that the NSA may have been exploiting the cyber vulnerability.

Patriot Act author and NSA critic Rep. James Sensenbrenner Jr. (R-Wis.) said in statement that the report, if true, "calls into serious question what the intelligence community does behind its dark cloud of secrecy and is yet another example of how our privacy and data security have been cast aside in the name of national security."

There have not been any reported attacks involving the bug, but the Department of Homeland Security warned on Friday that "malicious actors in cyberspace" could take advantage of the flaw to nab people's information.

The agency instructed people to check if the websites they commonly used were affected by the bug and change their passwords once it was patched.

Congress is currently reviewing a number of proposals to reform the NSA, including one from the White House, though none of the plans have gained significant traction.

A sweeping reform bill from Senate Judiciary Committee Chairman Patrick Leahy (D-Vt.) and Sensenbrenner has gained more than 160 co-sponsors but has been stuck in committee for months.

House Judiciary Committee Chairman Bob Goodlatte (R-Va.) on Thursday declined to say whether the panel would take action on the bill, called the USA Freedom Act.

— This story was updated at 5:13 p.m.