The balance between the NSA’s need to protect its hacking capabilities and the need to protect U.S. computers has to be addressed in light of the recent breach, several security observors have noted. The NSA did not notify the software vendors of the recent Shadow Brokers hacking.
The Shadow Brokers announced on Twitter on Aug. 13 they would auction off cyber-espionage tools taken from the Equation Group, which is widely considered part of the U.S. National Security Agency (NSA).
Hacking Under Investigation
James Clapper, director of national intelligence, said on Aug. 24 the event was still under investigation and that he did not know the full extent of what happened.
The leak contained encrypted files weighing more than 250MB of data, and these files included the encryption key for a folder of files labeled “Firewall.” The Shadow Brokers said the key to unlock the main body of data will only be released if it received 1 million bitcoin, about $580 million. The group is believed to be linked to Russia.
Security experts claim the NSA, known for its offensive capabilities, should be considering its defensive role more seriously.
Experts Call For Disclosure
Logan Brown, president of threat intelligence and vulnerability acquisition firm Exodus Intelligence, said it is in everyone’s interest for the government entity behind the Equation Group to advise security vendors of such a breach so that other nations do not use Equation’s IP against their citizens.
The outing of the NSA-linked framework is the most recent leak of cyber tools that indicate governments are active in cyber operations against individuals, non-government groups and other nations.
Lookout, a mobile security firm, and the University of Toronto’s Citizen Lab, noted on Aug. 25, that an attacker – believed to be government connected – used espionage tools the NSO Group allegedly created, against Ahmed Mansour, a known Middle Eastern activist targeted by previous attempts.
The question about the proper use of such technology by government agencies increases with each such revelation.
What The Files Contained
The leaked “Firewall” files included names of tools such as “SecondDate” and a passcode that marks the data as a match for the information leaked by Edward Snowden, the former NSA contractor. The tools in the teaser data target vulnerabilities in major firewalls.
Cisco, which is currently patching one issue, noted another vulnerability targeted by the Equation Group tools was patched in 2011.
Fortinet examined the files and found the attacks only impacted its software versions prior to 2012.
Juniper has found no exploitable vulnerabilities in the data.
NSA Policy Under Question
Nicholas Weaver, senior staff researcher at the International Computer Science Institute in Berkeley, Calif., says the NSA leak sheds light on the arrangement between agency’s mission to protect U.S. computer systems and its wish to exploit capabilities.
Previous calculations relied on the likelihood that another party would exploit the vulnerability, Weaver noted in a Lawfare blog. This calculation changes when NSA’s own tools can be stolen without detection. He questioned if there is a policy governing what NSA does when it knows its tools are compromised.
If NSA failed to notify Fortinet and Cisco of the breach of its tools, it represents a “serious dereliction” of the NSA information assurance mission since the government used both products which NSA is charged with protecting.
The U.S. government has said it would disclose vulnerabilities when there is a clear need to protect the nation’s computer systems and the Internet. Following disclosure of a widespread flaw in OpenSSL known as Heartbleed, the White House said it did not know about the issue, and if it did, it would have notified the public.
Spokesman: Decisions Not Easy
Michael Daniel, special assistant to the president and cyber-security coordinator who wrote the White House statement, said that the decision is not always easy. He said there are legitimate arguments on both sides of the decision to disclose.
The trade-offs between withholding information about vulnerabilities and prompt disclosure can have serious consequences. Disclosing such information can involve losing an opportunity to gather intelligence and undermine a terrorist attack, halt the theft of intellectual property, or find more dangerous vulnerabilities being used by adversaries to exploit networks.
Companies have largely remained silent on the issue. Juniper, Fortinet and Cisco chose not to comment.
The NSA did not return requests for comment.
Brown of Exodus Intelligence said the choice to disclose might not rest with the agency. If the Equation Group is a private firm employed by the NSA, the intellectual property and the decisions about it belong to the firm.
Featured image from Shutterstock.