Heartbleed kicked off a new chapter in the rollicking discussion of privacy, digital security, and the role of government in protecting its citizenry from threats both real and imagined.
News of Heartbleed broke early last week, starting a soul-searching bit of Internet-scrambling by services large and small to examine their own networks and products to see if they were exposed to the flaw. Much work remains for those impacted to get their services air-tight and patched, with certificates revoked and replaced. It’s no small task, and one that isn’t nearly done.
Friday brought allegations that the NSA not only knew of Heartbleed, but had used the exploit for some time, perhaps two years. The NSA, in a statement, denied this. The White House followed suit. Since then we’ve learned a few things that are worth keeping in mind.
Let’s begin with what the U.S. government’s policy is regarding revealing flaws in Internet security. The New York Times wrote the key report on this, based on sourcing from “senior administration officials.” The gist here is that the U.S. government now claims to have a bent towards disclosing what flaws it does find, provided, as quoted by The Times, there is “a clear national security or law enforcement need.”