NSA

NSA ‘Cyber Weapons’ Leak Shows How Agency Prizes Online Surveillance Over Online Security

The NSA opportunistically hoards and deploys powerful bugs that make everyone less secure online.

|

VICTOR DE SCHWANBERG/Science Photo Library/Newscom

With a name like the National Security Agency, America's chief intelligence outfit might at least attempt to promote American security online. At the very least, one would hope its activities don't actively undermine U.S. cybersecurity. But—bad news—a recent leak of the agency's digital spy tools by a myterious group called the Shadow Brokers shows how the agency prioritizes online surveillance over online security.

For years, there have been rumors that the National Security Agency (NSA) was stockpiling a secret cache of powerful computer bugs to exploit for cyber-snooping. Recent revelations by the Shadow Brokers appear to confirm these allegations.

On August 13, the group published a number of "cyber weapons" that it claims were used by an NSA-linked hacking outfit known as the Equation Group. The leak was supposed to be a teaser for the Shadow Brokers' upcoming auction of a larger batch of software security-vulnerabilities, or exploits.

"You see pictures. We give you some Equation Group files free, you see. This is good proof no?" the Shadow Brokers proclaimed.

The Shadow Brokers' asking price for the upcoming dump? One million Bitcoin, or about $575.2 million (and no, the FBI are not getting in on the action).

The dumped information appears to be legitimate, and is dated from around 2013. It's clear that the exploits are functional, as networking manufacturer Cisco confirmed (and promptly set about correcting). But how do we know the exploits were actually used by the NSA?

Journalists at The Intercept compared the Shadow Brokers' data to its trove of Edward Snowden documents, some of which were never released to the public. The leak is consistent with their still-secret Snowden files, lending credibility to the Shadow Brokers' claims. Researchers at Kaspersky Labs likewise verified that the exploits themselves "share a strong connection" to previous tools known to have been used by the Equation Group.

Sloppy Spies and Secret Bugs

There are many concerning elements to this story. First, it's incredibly troubling that the NSA left itself or its tools open to a hack. If the NSA is going to spend billions of dollars to build a god-like system of dystopian digital control, they could at least not leave their dark materials lying around for any enterprising hacker to scoop up and sell to the highest bidder. It is still unclear whether hackers directly infiltrated NSA systems, or whether the hacker was able to take the exploits from a staging server that NSA agents use. Either way, it's unacceptable.

Then there's the question of who was behind the hack. Was it Russia? Maybe. But the Russian government might not want to advertise the hack in such a public manner, opting instead to keep the exploits for themselves to use. Could it have been a new Snowden, exposing the NSA's secrets from the inside? That's also possible, but there's not much specific evidence to confirm this.

One computer scientist believes that the group's broken English is a ruse to shift blame to the Russians, which could be true, but is insufficient to prove anything. It might as well have been Bitcoin creator Satoshi Nakamoto behind the hack. Attribution is notoriously difficult, and we may never be completely certain of who was behind this dump.

Whoever they are, however, the Shadow Brokers' actions have provided some long-overdue transparency for NSA hacking methods. The leak confirms what many have suspected for decades: The NSA opportunistically hoards and deploys powerful bugs that make everyone less secure online.

These bugs were particularly potent because NSA agents are the only people who knew about them—until now, obviously. In the industry, they are known as "zero day vulnerabilities," or simply "0days," and they get their name because software vendors have had "zero days" to patch up the vulnerability before a malicious actor can exploit them.

Intelligence-agencies such as the NSA like zero day vulnerabilities because they provide agents with a virtual monopoly on a particular software entry-point. The NSA can (and does) exploit non-0days, but this can be more of a hassle. With normal bugs, a piece of spyware that works one day may suddenly become useless after a company upgrades to a more secure version of Adobe Flash Player, for instance. With a zero day, on the other hand, government spooks can quietly exploit these vulnerabilities for quite some time without having to worry about pesky software developers patching up holes and closing the window on their spying schemes.

Zero days grant powerful groups a virtual monopoly on exploitation. And exploit they do.

Mission Control, Please

The problem with stockpiling zero days in this way is that it leaves everyone else less secure online. Ideally, someone who discovers a zero day vulnerability will quickly report it to the appropriate software developers so that the problem can be fixed. The Internet is already notoriously buggy and open to attack as it is. There are enough despots and criminals in the world that take advantage of these vulnerabilities. The United States government should be focused on fixing these bugs, not making them worse.

The NSA in particular has a lot of soul-searching to do. Like other government agencies, the NSA's official mission is unfortunately schizophrenic. On the one hand, it is tasked with accumulating and acting upon signals intelligence on America's foreign enemies. On the other hand, the NSA is also one of the multiple federal offices tasked with strengthening U.S. information security.

This so-called "dual mandate" can set the NSA up to fail on either of its two charges. In its efforts to provide the best intelligence on foreign threats, the NSA may believe it is simply doing its job by hording and deploying powerful zero-day vulnerabilities (in addition to the many run-of-the-mill security vulnerabilities that the agency uses). Yet this technique undercuts the NSA's other role to promote robust cybersecurity.

Alternatively, if the NSA were to dedicate all of its resources to improving information security, it arguably could fail to provide the best signals intelligence to U.S. policymakers.

There's a lot to criticize about the NSA. Yet the agency's results will always be hampered by its confusing and unworkable dual mandate. Until that changes, we should expect more of the same. In the meantime, the NSA should dedicate more resources to at least strengthening the information security of one body: itself.

Editor's Note: We invite comments and request that they be civil and on-topic. We do not moderate or assume any responsibility for comments, which are owned by the readers who post them. Comments do not represent the views of Reason.com or Reason Foundation. We reserve the right to delete any comment for any reason at any time. Report abuses.

18 responses to “NSA ‘Cyber Weapons’ Leak Shows How Agency Prizes Online Surveillance Over Online Security

  1. I think you mean they hoard bugs. Or maybe they deploy hordes of bugs, I dunno.

    (Sorry, just one of my little pet peeves.)

    1. My Friend just told me about this easiest method of earning money from home. I’ve just tried it and now I am making $12500 per month without spending too much time. you can also learn about this trick by the link below…..

      Visit More This Site……… http://goo.gl/j42NAQ

  2. With a name like the National Security Agency, America’s chief intelligence outfit might at least attempt to promote American security online.

    DR-DRINK!

  3. This so-called “dual mandate” can set the NSA up to fail on either of its two charges.

    And it ends up failing at both.

  4. It’s like the Drug Enforcement Agency: Just as the DEA is tasked with keeping Americans from having drugs, so the NSA is tasked with keeping Americans from having security.

  5. bitcoin trading for about $580 so check your math on the price tag on the dump.

  6. I might be willing to part with a few bitcoin to learn the contents of the directory named “EPICBANANA”….

  7. If these tools are from 2013, God knows what else the NSA has developed since then. They’re probably chuckling at Cisco for fixing a bug they don’t use anymore…

  8. Start working at home with Google! It’s by-far the best job I’ve had. Last Wednesday I got a brand new BMW since getting a check for $6474 this – 4 weeks past. I began this 8-months ago and immediately was bringing home at least $77 per hour. I work through this link, go to tech tab for work detail.

    +_+_+_+_+_+_+_+_+ http://www.Reportmax90.com

  9. …a recent leak of the agency’s digital spy tools by a myterious group called the Shadow Brokers…

    Damn Shadow Brokers, always compromising security on the Citadel…

  10. Sounds like how inspector clouseau would react to the internet age

  11. Re: “There are enough despots and criminals in the world that take advantage of these vulnerabilities. The United States government should be focused on fixing these bugs, not making them worse.”

    Put another way: “The United States government has become one of the despots and criminals in the world that take advantage of these vulnerabilities.”

  12. My neighbor just got a stunning cream Cadillac CTS Sedan just by parttime work from a home pc… Read More Here and Go to Home Tab…. >>> http://www.jobsea3.com

  13. Work oppertunity: Start your work at home right now. Spend more time with your family and earn. Start bringing 85USD/hr just on a laptop. Very easy way to make your life happy and earning continuously.last week my check was 24551USD pop over here this site

    +_+_+_+_+_+_+_+_+ http://www.Siteweb80.com

  14. as Leslie implied I’m in shock that you able to earn $7211 in four weeks on the computer . go to this web-site ++
    ?????->> http://www.businessbay4.com/

  15. Alexa . you think Kathleen `s posting is impossible… last wednesday I got a great volvo after having made $5563 this-last/5 weeks and-over, 10 grand this past-munth . with-out a doubt this is the most financialy rewarding Ive ever done . I began this 7-months ago and straight away started making a nice over $70, p/h . pop over to this site

    ????????> http://www.factoryofincome.com

  16. I’m making over $9k a month working part time. I kept hearing other people tell me how much money they can make online so I decided to look into it. Well, it was all true and has totally changed my life. This is what I do…. Go to tech tab for work detail..
    ???????>>> http://www.earnmax6.com/

  17. Its such a really Nice Post… Really Awesome…

    I like it..

    MARRIAGE PROBLEMS SOLUTION
    YOGA TEACHER TRAINING

Please to post comments

Comments are closed.