Heartbleed: Cybersecurity as Melodrama
April 15, 2014
The discovery of a vulnerability named Heartbleed in Open SSL, a key commercial encryption program, joins a long line of ridiculous stories about cybersecurity.
Here’s the basic question. The coding error was made over two years ago. Since then, there have been dozens of major breaches of company websites, leading to losses of millions of dollars and exposing the personal information of hundreds of millions of consumers. How many of them involved Heartbleed?
Congratulations if you said zero. Millions of compromised records and not one report of any of these major breach involving Heartbleed. This is a better indicator of risk. To take the most recent example, the people who hacked Target used something much more sophisticated than Heartbleed.
Cybercriminals are hackers who are in business to make money, as much money as possible. One measure of how useful Heartbleed is to criminals would be to look on cybercrime websites, where millions of personal records are available for sale. Heartbleed is one vulnerability among many. Criminals have better ways to extract money from companies.
There are several steps between compromise and money. Cybercriminals, a professional lot, use the most efficient techniques. These are people looking to make millions of dollars. They engage in industrial-scale crime, not piecework hacking of individual accounts. Stealing your password, accessing your account, getting your credit card information, and then figuring out how to do this hundreds of thousands of times and monetize the date is too much work.
Heartbleed is a vulnerability in open source SSL software. Open source code (in simple terms) is the blueprint and operating instructions for a program like SSL. Access to source code is a crucial step for breaking encryption or hacking a program. Since the software is freely available, anyone, including hackers and intelligence agencies can obtain it.
Open source makes it easy to hack, but not that much easier. There was once a debate about the vulnerabilities of open source, with companies that sold propriety software claiming that open source was unreliable. This debate is long over. The benefits of using open source software far outweigh any risk, but that does not mean there is no risk. All coders make errors and all programs, free, open, or proprietary have exploitable errors. Open SSL is no exception.
Intelligence agencies are interested in SSL, but not so they can hack your Amazon or eBay account. After 2001, groups like Al Qaeda developed techniques to avoid being monitored. One techniques was to use VPNs (Virtual Private Networks). Some VPNs used Open SSL. Being able to penetrate VPN is something every major intelligence agency is interested in doing and we should assume that many VPNs have been penetrated, not just by wicked old NSA, but by other countries that also have strong cyber and cryptographic capabilities. If hackers can exploit source code, so can intelligence agencies and if people were going to break SSL, they did it after 2002 and before 2010, suggesting that Heartbleed is not new and the end of the world.
Go ahead and change your password if it makes you feel better, but passwords as protection failed years ago. Financial regulators specified in 2005 that banks stop relying on passwords, and most moved to some kind of “two-factor” authentication (such as entering a password and then a numeric code you receive from the bank). Relying solely on passwords for security is risible.
There have been roars of outrage over NSA’s alleged knowledge of Heartbleed and failure to disclose this. The White House and NSA have strongly denied these allegations. Such strong denials are unusual and make it likely that NSA was not keeping Heartbleed a secret. NSA does find or buy vulnerabilities in software – there are so many – and they often tell the company that make the software - but not always and not always right away. It is fashionable and convenient, but inaccurate, to blame NSA for all problems on the internet. There is a thriving black market in vulnerabilities with many companies and countries as customers. NSA assesses the risk to the public and to U.S. security when it makes a decision on whether to notify the producer. Numerous companies report privately that NSA or another federal agency has alerted them to a flaw in their product. We do not know if all flaws are notified, but many are and this is not done with much fanfare because that would give hackers an advantage.
The phrase “stockpiling” vulnerabilities is a pejorative and inaccurate term coined by advocates to lend weight to a policy agenda. The phrase does not accurately describe how vulnerabilities are used. Stockpiling is the term used for nuclear weapons. We stockpile nukes. Associating it with cyber vulnerabilities provides an ominous and inaccurate picture that gives opposition to the “militarization” of cyberspace an emotional weight. Emotional weight is not a substitute for analysis. Cyberspace has been militarized from the start – it was a DOD project, and China, Russia and the U.S. began developing military attack tools in the1990s. Many other states have now joined them. This is like saying, if only the United States would give up warplanes, we could make airspace a zone of peace. A worthy goal, perhaps, but unrealistic and unattainable. If you know how vulnerabilities are used to create exploits, it is more accurate to say “reference library” rather than stockpile, but “reference library is insufficiently menacing to have emotional appeal.
That SSL was hackable was not a big surprise. SSL was created in 1994. While it has been regularly updated and improved, hackers have had a long time to study it. SSL (and its successors) is medium grade encryption designed for e-commerce – millions of low value transactions. SSL has performed admirably in letting people engage in e-commerce with manageable risk. Heartbleed has not really changed this, as the absence of damaging hacks illustrates. SSL did not eliminate risk, but reduced it to a manageable level for individual transactions. The Digi-Notar hack of September 2011 involved the compromise of SSL certificates (probably by Iran). This was a more sophisticated hack than Heartbleed, but it shows that Heartbleed was not the first compromise, nor the most damaging, simply the noisiest.
We can still talk ourselves into making Heartbleed a grave crisis. If there was any amateur hacker on the planet who did not know about SSL vulnerabilities, this is no longer the case. Hackers are an inquisitive lot; many will be tempted to play with the hack to see if it works. If the fuss over Heartbleed leads to improvements in SSL, there will be real benefit, but this will take time and in the interim, we can expect only increased noise and risk.
James Andrew Lewis is a senior fellow and director of the Strategic Technologies Program at the Center for Strategic and International Studies in Washington, D.C.
Commentary is produced by the Center for Strategic and International Studies (CSIS), a private, tax-exempt institution focusing on international public policy issues. Its research is nonpartisan and nonproprietary. CSIS does not take specific policy positions. Accordingly, all views, positions, and conclusions expressed in this publication should be understood to be solely those of the author(s).
© 2014 by the Center for Strategic and International Studies. All rights reserved.