Cyber Command Knows Its Tools Can Also Be Used By Their Targets

US military commanders say that when US Cyber Command and the National Security Agency use a capability against targets abroad, they understand it might eventually be used by an adversary.

The threat of having the NSA’s tools leaked has been an issue inside the agency for years now, former NSA contractor Edward Snowden brought it into the public domain when he revealed a trove of NSA programs in 2013, but the risk of having adversaries detect, obtain or reverse engineers NSA-used tools has become especially salient.

Researchers from cybersecurity firm Symantec revealed that a Chinese-linked hacking group had repurposed tools linked with the NSA as early as March of 2016 and used them to attack various targets around the world.

It is unclear how the group, known as Buckeye, obtained the tools, but Symantec assesses it is possible it observed an NSA-linked attack, then gathered enough info to repurpose the code. It is also possible Buckeye stole the tools from an unsecured server or leaked the code to the group, although Symantec said that was less likely.

“There’s always a risk calculus in any sort of operation that we take on in Cyber Command,” said David Luber, the executive director of US Cyber Command, during a recent media roundtable. “The commander Gen. Paul Nakasone looks at those scenarios every single day.”

According to The George Washington University’s National Security Archive, Cyber Command runs an internal deliberation process before deciding to launch a mission.

The deliberation includes an assessment of intelligence gain loss, a blowback assessment, an assessment of collateral effects, a legal review and a risk assessment report.

Through its Vulnerabilities Equities Process (VEP),  government officials determine to either withhold or disclose information to tech companies about newly discovered software flaws. The VEP allows the government to keep certain “limited categories” from being shared, the details of which remain classified.

According to an appendix the White House released two years ago, one of the factors officials consider in VEP deliberations is how widely used the affected product is. But the trade-off is to also consider whether flaws can be exploited to support intelligence collection and cyber operations.

Jordan Rae Kelly, the former director for Cyber Incident Response on the National Security Council who oversaw the VEP, said the deliberation is a balancing act.

“It’s about really looking and understanding vulnerabilities in a deep way,” Kelly, who is now senior managing director at FTI Consulting, told CyberScoop. “Understanding how agencies might use individual exploits or if the exploits will be used in a series of tools is part of the evaluation equation.”

Speaking to CyberScoop, Neil Jenkins, a former cyber adviser at the Department of Homeland Security, said that the Symantec research highlights possible flaws in the VEP.

“We have to be taking into better consideration how prominent an exploit is in the ecosystem. … This was a vulnerability in a Microsoft product in Windows,” Jenkins, now the chief analytic officer of the Cyber Threat Alliance, told CyberScoop. “That alone should have been enough to say … we should disclose this exploit.”

Kelly said she “wouldn’t say that any one factor is weighed more heavily” in the process.

The NSA, which is the executive secretariat of the VEP, has said in the past it’s disclosed 91 percent of the vulnerabilities it finds. In the case of the vulnerabilities that Buckeye was found to be using, the NSA shared its software vulnerabilities with Microsoft so it could patch the flaws, according to The New York Times.

The NSA would not comment on the VEP. Cyber Command and the White House’s National Security Council did not respond to request for comment.

The VEP’s review process, which traces its development back to the Obama administration, was only publicly disclosed for the first time in 2014. In those deliberations, the reviewers are supposed to consider whether exploiting the vulnerability will cause harm or if adversaries are likely to use the vulnerability for their own purposes.

Luber said that Cyber Command, just like other parts of the Department of Defense, participates in the review process.

“When it comes to working in an environment where our tools will be used in our operations, we participate just like other parts of the U.S. government in the VEP,” Luber said.

Cyberscoop

You Might Also Read:

‘Chinese Spies’ Had NSA Cyber Weapons Before The Shadow Brokers Leak:

America Remains Vulnerable To Cyber Attack:

 

 
« Two Years After WannaCry Severe Risks Remain
Is The US Planning A Cyber Attack On Iran? »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Omerta

Omerta

Omerta is a global security technology and services company. We advise, consult, design, build, mitigate, protect, manage, provide and train to protect from increasing cyber threats.

CyberPolicy

CyberPolicy

CyberPolicy is a cyber protection solution for small businesses. It combines three important components against cyber threats - Cyber Plan, Cybersecurity and Cyber Insurance.

Karamba Security

Karamba Security

Karamba provide an IoT Security solution for ECUs in automobiles which ensures that all cars are protected (not just autonomous cars).

MSAB

MSAB

MSAB is a pioneer in forensic technology for mobile device examination.

Malta Information Technology Agency (MITA)

Malta Information Technology Agency (MITA)

MITA is the central driver of Government Information and Communications Technology (ICT) policy, programmes and initiatives in Malta.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

ICTSecurity Portal

ICTSecurity Portal

The ICTSecurity Portal is an interministerial initiative in cooperation with the Austrian economy and acts as a central internet portal for topics related to security in the digital world.

Ravelin Technology

Ravelin Technology

Ravelin prevents chargebacks, fraud, and account takeover. Machine learning and human insight combine for highly accurate fraud detection and prevention.

CybExer Technologies

CybExer Technologies

CybExer provide an on-premise, easily deployable solution for complex technical cyber security exercises based on experience in military grade ranges.

Cyber Risk Institute (CRI)

Cyber Risk Institute (CRI)

CRI is a not-for-profit coalition of financial institutions and trade associations working to protect the global economy by enhancing cybersecurity and resiliency through standardization.

Saepio Solutions

Saepio Solutions

Saepio promote an all-encompassing approach to cybersecurity, ensuring the appropriate balance of budget and resource across Policy, Product and People.

Grant Thornton

Grant Thornton

Grant Thornton is one of the world’s leading networks of independent assurance, tax and advisory firms.

ISECURION Technology & Consulting

ISECURION Technology & Consulting

ISECURION is an information security consulting company. We provide a unique blend of services to our customers catering to the current information security landscape.

Single Point of Contact

Single Point of Contact

Single Point of Contact is a Managed IT Services provider that helps businesses to achieve a seamless and secure IT environment.

Innov8tif

Innov8tif

Innov8tif is an AI company specialised in providing ID assurance solutions — helping digital businesses to prevent frauds by verifying and authenticating customers identity.

Smarsh

Smarsh

Smarsh products are designed for user-friendly, efficient compliance. From archiving, supervision, and discovery to cybersecurity – Smarsh has you covered.