Unfortunately, Heartbleed has become a familiar term to many people across the country. It is a serious vulnerability, a weakness in the widely used OpenSSL encryption software that protects the electronic traffic on a large number of websites and in scores of devices. Although new computer “bugs” and malware crop up almost daily, this vulnerability is unusual in how widespread it is, its ease of use, the potentially damaging information it allows malicious actors to obtain, and the length of time before it was discovered. As the administration has said, the Federal government was not aware of the vulnerability until it was made public in press reports.
It is important to note that it takes time to address this issue properly. As with the private sector, government agencies must analyze their systems to identify where they have the Heartbleed vulnerability, determine how to implement the appropriate response, and then ensure that they can implement the response without disrupting critical operations. Finally, the scope and scale of this vulnerability may continue to evolve as researchers and companies discover new places or devices that may be susceptible.
This analysis has informed how the Federal government has responded to this vulnerability since its public disclosure, working at an aggressive yet appropriate pace in our response and acting out of an abundance of caution. Working with other agencies, we have:
- Enabled our network defenses across the Executive branch to detect someone trying to use the exploit and in many cases to block those attempts
- Begun scanning government networks for this vulnerability to ensure that we know where it exists
- Issued technical alerts and mitigation steps through our National Communications and Cybersecurity Integration Center
- Engaged with our industry partners to discuss the threat posed by the vulnerability
As we conduct the scans of government systems and agencies conduct their own reviews, many government websites turn out to have never been vulnerable to Heartbleed because they did not use OpenSSL; in those cases, no further action is needed at this time. However, in those cases where agencies determine that a website or system could have been vulnerable to Heartbleed, they are taking the same steps as the private sector:
- Updating to secure versions of OpenSSL
- Re-issuing certificates for the website
- Requiring or asking users to reset their passwords, if the website permits users to log in, and alerting users to this fact on the website’s homepage
- Reminding users not to use a new password on any site that has not clearly been patched
We will continue to focus on this issue until government agencies have mitigated the vulnerability in their systems. And we will continue to adapt our response if we learn about additional issues created by the vulnerability. The government remains committed to protecting any personally identifiable information it holds and to upholding high standards of cybersecurity.
Posted by Dr. Phyllis Schneck, Deputy Under Secretary of Homeland Security for Cybersecurity and Communications