Shadow Brokers Leak Shows NSA Inadvertently Arms Hackers
Code dumps and lack of oversight are allowing bad actors to piggyback off U.S. cyberoperations
In the popular video game Mass Effect, the Shadow Broker is the mysterious head of a global organization that trades in information, always selling to the highest bidder, but never letting one customer gain access to all the data.
In real life, the Shadow Brokers is a stealthy cybergroup that is playing a similar game with our national security. The Shadow Brokers leaked National Security Agency documents on April 8 that describe in detail many of the hacking tools that were used by the NSA to conduct advanced cyberespionage, outing not just the NSA but the victims of their attacks and the techniques used to attack them.
In one example, the NSA had recently hacked into the international banking network and covertly breached several banks. The leaked documents additionally provide clear evidence that the NSA also launched a series of successful cyberintrusions against the president of Iran and the Russian Federal Nuclear Center and a myriad of other lesser-known organizations. The documents describe the specific computer code used in such a way that anyone could do the same thing.
The last time the U.S. did something of a similar scale was the Stuxnet attack on the Iranian nuclear enrichment program, but in that case the actual code was not made public.
This leak dwarfs the WikiLeaks Vault7 dump. It describes a multistage attack that bypasses the very latest and best security technology and exploits vulnerabilities and flaws in leading software products that we all use every day.
In contrast with WikiLeaks, the Shadow Brokers files are complete and unredacted computer code, fully operable by anyone with minimal programming experience to unleash on any target of their choosing. Whatever you may think of Julian Assange, WikiLeaks at least purposefully redacted the usable parts of the code so that it could not be easily duplicated.
These hacks were produced by the NSA’s elite Equation Group, the same guys whom the cybersecurity community recognizes as the most sophisticated and lethal cyberattack group in the world. In other words, forget Russia, China, Iran, and North Korea. The best cyberattackers on the planet are our own guys. The only problem is that they don’t seem to be able to keep their secrets secret.
The NSA’s hacking tools take advantage of hoarded security bugs in computer products that we all use and spend billions each year to keep secured. Rather than using these vulnerabilities for its own purposes with no apparent congressional oversight, the NSA could let the manufacturers know that these holes exist so they could do something about them before hackers exploit them. There is currently no set of rules that governs when, or even if, the NSA should notify a manufacturer about a security flaw.
The murky and duplicitous VEP (Vulnerabilities Equities Process), created under President Obama, is publicized as a way to “minimize the number of security flaws the government was hoarding,” but since there are no rules about when, where, and how many the NSA needs to disclose, violation of this “disclosure process” has no consequences and obviously no oversight.
The overarching questions posed by all of this are whether we really want covert espionage groups to have and wield that kind of power under the flag of national security; and if we do, then to whom should they answer, how should they protect the secrets they possess, and under what specific and legally enforceable circumstances should they be compelled to disclose known vulnerabilities to the vendors of the products they exploit?
In addition, I would want to know why, if the best intelligence group on the planet cannot keep its secrets secret, we would then expect the FBI to be able to protect secret keys to backdoors in iPhone operating systems. My view is that Apple made a correct decision in withholding that information.
The WikiLeaks dump and the Shadow Brokers leaks are pretty strong indicators that important stuff is broken. It is clear that the continued mishaps by our esteemed intelligence agencies are putting our country in danger and heightening the risk of a major cyberattack by one of our enemies. Our defenses are weak, our intelligence has been repeatedly compromised, and we have no governing oversight for any of these activities.
It is well beyond time for Trump to create a strong and meaningful executive order addressing the whole cybersecurity management issue before we, along with the rest of the world, learn first-hand the consequences of a catastrophic cyberevent and even more about the inner workings of our own espionage sausage factory.
Steve King is COO of Netswitch Technology Management.