The Heartbleed bug was a secret to everyone until this week—unless, of course, you’re the U.S. National Security Agency.
According to a report from Bloomberg, which cites two people familiar with the matter, the controversy-stirring NSA knew about the bug for “at least two years” and “regularly used it to gather critical intelligence.” The bug is considered to be among the largest, most widespread, and most salient glitches in the history of the internet.
The NSA’s decision to keep the bug secret in pursuit of national security interests threatens to renew the rancorous debate over the role of the government’s top computer experts. Putting the Heartbleed bug in its arsenal, the NSA was able to obtain passwords and other basic data that are the building blocks of the sophisticated hacking operations at the core of its mission, but at a cost. Millions of ordinary users were left vulnerable to attack from other nations’ intelligence arms and criminal hackers.
“It flies in the face of the agency’s comments that defense comes first,” Jason Healey, director of the cyber statecraft initiative at the Atlantic Council and a former Air Force cyber officer, told Bloomberg. “They are going to be completely shredded by the computer security community for this.”
An NSA spokeswoman declined to comment on the agency’s knowledge or use of the bug.