The National Security Agency (NSA) claimed it knew nothing of the Heartbleed bug before news broke out, neither it has exploited the security flaw - a statement that continues to be questioned and doubted by critics.
The Heartbleed bug poses serious threats not only to Internet servers but to individual users as well, because it can exploit personal and confidential information without leaving a trace.
"NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private sector cybersecurity report. Reports that say otherwise are wrong," the Office of the Director of National Intelligence (ODNI) said in a statement.
The statement came after Bloomberg reported that NSA knew about the bug all along and frequently used it in collecting critical intelligence data, based on their two unidentified sources familiar with the issue. These sources also claimed the agency knew about the bug shortly after the introduction, eventually becoming a fundamental part of the toolkit of NSA when stealing information, such as account passwords, as well as other ordinary tasks.
"...the NSA was able to obtain passwords and other basic data that are the building blocks of the sophisticated hacking operations at the core of its mission, but at a cost," the Bloomberg report said.
The search for vulnerabilities or flaws, according to experts, is essential to the mission of NSA-however, the practice has been considered controversial. NSA's alleged decision to not disclose the bug for security interests of the nation cracks open new debates on the real function of these highly skilled computer experts in the government. NSA employs over a thousand experts to look for such vulnerabilities through the use of sophisticated but classified analysis techniques.
"This Administration takes seriously its responsibility to help maintain an open, interoperable, secure and reliable Internet," ODNI added.
The ODNI although said that when there is a discovery of vulnerabilities such as the Heartbleed, national interest dictates to responsibly disclose it, instead of withholding such information for intelligence or investigative purposes. It further said the White House revived the Vulnerabilities Equities Process, an interagency process that decides when to share such vulnerabilities.
Based on further research, NSA critics said the government's efforts to intensify its surveillance and other skills through backdoors, weak encryption and other intelligence-gathering tools are threats to Internet security. They added that the NSA has contradictory roles: the defensive role to protect U.S. computer networks from any attack and the offensive role of searching and utilizing vulnerabilities. Various reports said the agency went through a grueling nine months of criticism with the disclosure of surveillance leaks from former NSA contractor Edward Snowden.
Previously, President Barack Obama handpicked a review panel to investigate the alleged reports that the government introduced purposely backdoors into encryption software. In December 2012, the review panel found no evidence to support the reports but suggested the government to make things clear that the agency will not weaken universal encryption standards, among other things.
Meanwhile, Dr. Robin Seggelmann, a German programmer who used to work at University of Muenster in Germany for a research project, claimed he introduced accidentally the Heartbleed bug two years ago, which a reviewer, Dr. Stephen Henson, overlooked and got introduced into the official encryption protocol.
However, conspiracy theorists have speculations the bug has been maliciously inserted, to which Dr. Seggelmann denied.
"...it was a simple programming error in a new feature, which unfortunately occurred in a security relevant area," he explained.
