Heartbleed: National Insecurity Agency

Last year, security contractor Edward Snowden walked out of the United States with reams of secret documentation on the monitoring practices of the U.S. National Security Agency. The incident highlighted the vulnerability of a security apparatus that provides four million people with “top secret” clearance.

The media is abuzz now with the discovery of a major cybersecurity vulnerability known as “Heartbleed.” The breach may have been exposing passwords and credit card data to thieves for several years.

To add insult to all the mega-monitoring injury, the NSA now finds itself alleged to have known about this flaw for more than two years, without alerting anyone.

In the past, the NSA and its defenders have claimed that – beyond its controversial surveillance role – it provides a major service to the modern U.S. economy.

The argument goes that the NSA has the best of the country’s best cybersecurity experts on staff – and thus helps shore up U.S. corporations and the nation’s citizenry at large from cyber threats, by identifying and closing flaws. That would indeed be a valuable service in pursuit of protecting the public good.

Now, it turns out that the NSA knew about what may prove to have been the biggest flaw in the history of internet security, yet said nothing.

Exploiting a threat

Why? Because the agency believed (probably correctly, from a technical standpoint) that keeping the flaw open would make it easier to snoop on “persons of interest” to the U.S. intelligence and counterterrorism community. With the vulnerability left open, the NSA would be free to enter accounts and track financial information via passwords and card numbers.

But in doing so, the agency exposed hundreds of millions of U.S. citizens and hundreds of major U.S. corporations – the same people and entities the NSA purports to protect – to the risk of major thefts of data and personal information over the past two years.

By comparison, the list of targets, even by the NSA’s broad standards, probably only included several thousand people – a far smaller number than those innocent civilians exposed to cyberattack and theft.

When attacks such as the Boston Marathon bombings have occurred, despite the years of mass surveillance and data vacuuming meant to stop them, we Americans are told that the government can’t possibly stop everything. That’s certainly true, but they also haven’t told us much about what they have stopped. We are unable to measure their success or utility.

Show your work

For years, the U.S. public has been told that the NSA can’t tell us about its successes because that information is classified. We’ve been assured over and over again that their increasingly massive surveillance was necessary for our safety and was doing its job – even if we can’t see the proof.

Instead, we now find out that they knowingly endangered hundreds of millions of Americans and countless major firms.

In what context is that calculation justified? Since 9/11, U.S. society has grudgingly accepted – tacitly, at least – their dubious claim that they needed to infringe indefinitely and without limit the rights of some to save the lives of many.

But now we citizens are supposed to accept a prioritization so warped that it twists the entire mission of the security apparatus on its head to where surveillance is the end, not the means.

Losing the thread

What was the point of the infinite surveillance in the first place? Wasn’t it to provide “national security” to the collective U.S. population, as they have continually insisted? Or is the goal, in fact, just to “catch bad guys” one at a time?

If the NSA has indeed thwarted numerous terror plots on the homeland, they may have saved a few hundred lives, based on the average scale of a successful terrorist attack (and even that would be a high estimate). In isolation, that may be a good outcome, but in the meantime, they exposed millions of people. Thus, in the wider context, they failed their core mission.

They are now so far down the rabbit hole of “security” at all costs that they have failed to notice when they became the vulnerability.

The breadth of the “top secret” clearances is an avoidable weakness, but it was an internal weakness, exposing only the security agencies themselves. In contrast, with “Heartbleed,” the NSA decided to expose the U.S. population in their quest to “catch the bad guys” targeting that population.

The U.S. security apparatus’s intentional and self-serving refusal to disclose or close the gaping hole of “Heartbleed” should be a reckoning point. Their non-utility to the U.S. public is now clearer than ever.

The NSA isn’t searching for a needle in a haystack. They’re missing the forest for the trees.