A Virtual House of Cards

If lack of abundant policing and decentralization are the principal virtues of the Internet,  they’re not without their downsides. That much was made clear by the disclosure of a major vulnerability in OpenSSL—a key Internet security method—that researchers have since dubbed the “Heartbleed” bug.

Up to two-thirds of websites—including major sites like Facebook and Google— relied on the flawed OpenSSL protocol after the bug was introduced by a single German programmer in an update two years ago. The code was reviewed by an OpenSSL developer, but neither the programmer nor that developer noticed the flaw before it was adopted by millions of sites to encrypt sensitive information such as passwords, credit card numbers, and health records sent between users and company servers.

While there has not been any evidence that hackers exploited the bug to gain access to unauthorized information, the thought that the world’s most technologically sophisticated companies were unaware of a major security flaw for two years is not reassuring.

As it stands todays, cybersecurity rests on a house of cards, with much of the Internet’s users relying on open-source software that usually works well. But when it doesn’t, it’s up to the good will of cybersecurity researchers or self-motivated people to inform the rest of the world of the latest security vulnerabilities. Today, Internet usage is a necessity for most, but it’s one that leaves us always dependent on the kindness of strangers.

Broadly speaking, there are two groups that exploit security flaws like Heartbleed: criminals and intelligence agencies. And while it doesn’t appear that malcontented hackers made use of the loophole, an article published in Bloomberg alleged that the National Security Agency had known of the flaw and exploited it for years. The Obama administration and NSA have both issued denials.

Even if the NSA knew of Heartbleed, the collection of vulnerabilities is not altogether sinister. After all, the essential job of the NSA is to get into places other people do not want them to be.

There is a broader conversation to be had about the wisdom of stockpiling of so-called “zero-day vulnerabilities”—flaws that developers have zero days to repair. The President’s Review Group on Intelligence and Communications Technologies urged that the government “should generally move to ensure that zero days are blocked” and only use them rarely for “high priority intelligence collection.”

As the benefits from an Internet-dependent world accelerate, so too do the rewards of exploiting security flaws for intelligence agencies and criminals alike.

Striking the correct balance between the needs for collectively decided security protocols and decentralization will be a difficult task. But it’s one that will need to happen soon.