The Heartbleed bug, the recently disclosed and already notorious flaw in the way that some websites send information, put millions of Americans at risk of theft of money, identity and perhaps worse. Yet, by some accounts, it was willfully exploited by the National Security Agency, which, if those accounts are true, decided to leave Americans uninformed and exposed for whatever benefits it could gain from illicit monitoring of Internet traffic.
The NSA denies this, but in the past it has exploited such security flaws to gain access to target computers. The NSA operates in the shadows in order to keep Americans safe, and we have learned in about as hard a way as possible that there are those who live to murder Americans by the thousands.
But this is a special case, and it demands review. American business depends to a huge extent upon the Internet and the trust that users have in its security. American citizens communicate with one another and with their banks, doctors and lawyers via the Internet, seeking or sharing confidential information, including passwords with which someone with bad intent could ruin them. This flaw had the potential to inflict chaos on millions of people and, for all anyone knows at this point, did.
The flaw was inadvertently introduced in 2012 during a minor adjustment to OpenSSL, an open-source encryption library – free code whose integrity relies upon a small number of underfunded researchers.
By contrast, the NSA has more than 1,000 experts devoted to the task of detecting such flaws using sophisticated, secret techniques.
According to Bloomberg News, once the NSA found the Heartbleed flaw, it quickly became part of its toolkit for stealing – yes, stealing – passwords and other information. Even if anyone is willing to grant that the NSA isn’t stealing information from American citizens and businesses – though no official has offered that assurance – it remains a troubling fact that if the NSA knows about security flaws like Heartbleed, other, more nefarious, agencies and individuals probably do, too.
In the end, this is more evidence that the country needs a better understanding of the legitimate needs of intelligence agencies for anti-terror operations and other uses. The Internet has opened more doors into Americans’ privacy than anyone suspected only a few years ago, and it is obvious that there is no going back. This genie is out of the bottle.
Unless and until the government is willing to engage in the kind of discussion that allows Americans to accept what their intelligence agencies are doing in their name, they should understand that there are serpents in this electronic jungle and that, when it comes to their security, they are largely on their own.