The NSA Has a New Disclosure Policy: Getting Hacked
Software vulnerabilities are the NSA’s best weapons, Silicon Valley’s worst nightmare, and a new target for hackers.
On Monday, when tech executives arrived in their offices, just days after a mysterious group of hackers released what they claimed were a set of NSA hacking tools, a familiar and frustrating pattern was taking shape. America’s premier signals intelligence agency had once again discovered unknown flaws in products used to secure computer networks around the globe, but instead of telling the manufacturers, the NSA pocketed those flaws, like skeleton keys that would let them open doors to others’ networks whenever and wherever they wanted.
If the tools released by the group known as the “Shadow Brokers” are legitimately from the NSA — and security researchers and agency veterans say that they appear to be — the agency now faces a fresh round of questions about how the breach occurred and when the agency found out.
That’s because the data released by the Shadow Brokers contained what are known as “zero days,” software flaws that are unknown to the manufacturer of a piece of software or hardware, and thus flaws for which no patch is even in the works.
Stockpiling such vulnerabilities is part of an international arms race in cyberspace. Last weekend’s dump exposed what is likely a small part of the American arsenal of such high tech battering rams, and it has reignited a debate among security researchers about whether the government should be stockpiling them, or if it should be revealing those vulnerabilities to manufacturers to make American networks more robust.
Given that the hardware made by the likes of Cisco Systems and Fortinet are often the backbone of the networks used by the U.S. military and State Department, helping those companies lock the back door should be a “no-brainer,” said Jason Healey, a former cyber operator for the U.S. Air Force and now a researcher at Columbia University.
“It would disappoint me if they knew and didn’t tell” the very vendors that are outfitting critical parts of the U.S. government, he said.
But some NSA veterans tick off plenty of reasons not to share the information. Tipping off the Chinese and Russians about potential weaknesses makes no sense, said Dave Aitel, a former NSA research scientist and the CEO of Immunity, a security firm. And broadcasting just what tools the NSA is using risks compromising operations both past and present, he said.
On Wednesday, Cisco and Fortinet said they had not been notified about the software flaws that had been exposed. Timestamps in the released NSA code indicate that the hacking tools were likely swiped in October of 2013, though such marks can be easily faked.
On paper, the U.S. government has a process to determine whether to tell manufacturers they’ve got a problem. The interagency process was established in 2010, fell into disuse, and was then “reinvigorated” in 2014, in the words of White House cybersecurity chief Michael Daniel.
But security experts across the political spectrum scoff at the process and the notion that it seriously considers giving away potentially valuable zero-day vulnerabilities.
“Anything that has intelligence value is not going to be released,” Aitel says.
Chris Soghoian, the chief technologist at the ACLU, agrees. “It’s clear the game is rigged” against disclosure, he said.
But thanks to the Shadow Brokers, the vulnerabilities have been disclosed after all — not to the manufacturers, but to the entire world. What amounts to a series of military-grade hacking tools are now freely available on the internet, on sites such as this one. These tools can be used by hackers to break into firewalls, control a network, and spy on users. Another tool may be capable of stealing a user’s encryption keys.
So far, one of the tools released stands out: ExtraBacon. That piece of code targets Cisco’s Adaptive Security Appliance firewall, widely used by both the U.S. government and private sector companies. ExtraBacon allows an attacker to take control of the firewall and monitor all traffic on it — a classic NSA strategy. On Wednesday, Cisco issued a security alert for the high-severity vulnerability; the company has so far not patched it, and has only issued a “work-around” for the problem.
It’s unclear whether the NSA would have been required to release these tools, even if the interagency process had been working in 2013, when they were apparently found. The NSA has said that it discloses more than 90 percent of the vulnerabilities it discovers, but that’s a figure that is itself shrouded in mystery.
It’s easy to determine how important a given exploit is to cybersecurity, but not its potential value to intelligence services, said Susan Hennessey, a former NSA lawyer and a current fellow at the Brookings Institution.
“You don’t know what kind of targets this kind of exploit was being used against,” she said. “If this was an exploit that was the single entry point for a single target that was very hard — that’s not known.”
Reformers are calling for an overhaul of the government disclosure process. Former National Security Council officials Ari Schwartz and Rob Knake argued in a report this year that it needs a greater degree of transparency, should be codified with an executive order, and should lean toward disclosure.
But, notes the ACLU’s Soghoian, the role of intelligence agencies is to be prepared for any eventuality. That likely militates against any great breakthrough in government disclosures, especially of the valuable zero-day vulnerabilities that can be used for highly critical cyber operations.
“The moment when Putin has bought an iPhone is not when you go out and say to one of your contractors, ‘Hey, you can get me an iPhone exploit,’” Soghoian said.