With a name like the National Security Agency, America's chief intelligence outfit might at least attempt to promote American security online. At the very least, one would hope its activities don't actively undermine U.S. cybersecurity. But—bad news—a recent leak of the agency's digital spy tools by a myterious group called the Shadow Brokers shows how the agency prioritizes online surveillance over online security.
For years, there have been rumors that the National Security Agency (NSA) was stockpiling a secret cache of powerful computer bugs to exploit for cyber-snooping. Recent revelations by the Shadow Brokers appear to confirm these allegations.
On August 13, the group published a number of "cyber weapons" that it claims were used by an NSA-linked hacking outfit known as the Equation Group. The leak was supposed to be a teaser for the Shadow Brokers' upcoming auction of a larger batch of software security-vulnerabilities, or exploits.
"You see pictures. We give you some Equation Group files free, you see. This is good proof no?" the Shadow Brokers proclaimed.
The Shadow Brokers' asking price for the upcoming dump? One million Bitcoin, or about $575.2 million (and no, the FBI are not getting in on the action).
The dumped information appears to be legitimate, and is dated from around 2013. It's clear that the exploits are functional, as networking manufacturer Cisco confirmed (and promptly set about correcting). But how do we know the exploits were actually used by the NSA?
Journalists at The Intercept compared the Shadow Brokers' data to its trove of Edward Snowden documents, some of which were never released to the public. The leak is consistent with their still-secret Snowden files, lending credibility to the Shadow Brokers' claims. Researchers at Kaspersky Labs likewise verified that the exploits themselves "share a strong connection" to previous tools known to have been used by the Equation Group.
Sloppy Spies and Secret Bugs
There are many concerning elements to this story. First, it's incredibly troubling that the NSA left itself or its tools open to a hack. If the NSA is going to spend billions of dollars to build a god-like system of dystopian digital control, they could at least not leave their dark materials lying around for any enterprising hacker to scoop up and sell to the highest bidder. It is still unclear whether hackers directly infiltrated NSA systems, or whether the hacker was able to take the exploits from a staging server that NSA agents use. Either way, it's unacceptable.
Then there's the question of who was behind the hack. Was it Russia? Maybe. But the Russian government might not want to advertise the hack in such a public manner, opting instead to keep the exploits for themselves to use. Could it have been a new Snowden, exposing the NSA's secrets from the inside? That's also possible, but there's not much specific evidence to confirm this.
One computer scientist believes that the group's broken English is a ruse to shift blame to the Russians, which could be true, but is insufficient to prove anything. It might as well have been Bitcoin creator Satoshi Nakamoto behind the hack. Attribution is notoriously difficult, and we may never be completely certain of who was behind this dump.
Whoever they are, however, the Shadow Brokers' actions have provided some long-overdue transparency for NSA hacking methods. The leak confirms what many have suspected for decades: The NSA opportunistically hoards and deploys powerful bugs that make everyone less secure online.
These bugs were particularly potent because NSA agents are the only people who knew about them—until now, obviously. In the industry, they are known as "zero day vulnerabilities," or simply "0days," and they get their name because software vendors have had "zero days" to patch up the vulnerability before a malicious actor can exploit them.
Intelligence-agencies such as the NSA like zero day vulnerabilities because they provide agents with a virtual monopoly on a particular software entry-point. The NSA can (and does) exploit non-0days, but this can be more of a hassle. With normal bugs, a piece of spyware that works one day may suddenly become useless after a company upgrades to a more secure version of Adobe Flash Player, for instance. With a zero day, on the other hand, government spooks can quietly exploit these vulnerabilities for quite some time without having to worry about pesky software developers patching up holes and closing the window on their spying schemes.
Zero days grant powerful groups a virtual monopoly on exploitation. And exploit they do.
Mission Control, Please
The problem with stockpiling zero days in this way is that it leaves everyone else less secure online. Ideally, someone who discovers a zero day vulnerability will quickly report it to the appropriate software developers so that the problem can be fixed. The Internet is already notoriously buggy and open to attack as it is. There are enough despots and criminals in the world that take advantage of these vulnerabilities. The United States government should be focused on fixing these bugs, not making them worse.
The NSA in particular has a lot of soul-searching to do. Like other government agencies, the NSA's official mission is unfortunately schizophrenic. On the one hand, it is tasked with accumulating and acting upon signals intelligence on America's foreign enemies. On the other hand, the NSA is also one of the multiple federal offices tasked with strengthening U.S. information security.
This so-called "dual mandate" can set the NSA up to fail on either of its two charges. In its efforts to provide the best intelligence on foreign threats, the NSA may believe it is simply doing its job by hording and deploying powerful zero-day vulnerabilities (in addition to the many run-of-the-mill security vulnerabilities that the agency uses). Yet this technique undercuts the NSA's other role to promote robust cybersecurity.
Alternatively, if the NSA were to dedicate all of its resources to improving information security, it arguably could fail to provide the best signals intelligence to U.S. policymakers.
There's a lot to criticize about the NSA. Yet the agency's results will always be hampered by its confusing and unworkable dual mandate. Until that changes, we should expect more of the same. In the meantime, the NSA should dedicate more resources to at least strengthening the information security of one body: itself.