Leak Spotlights NSA's Conflicting Missions

A top National Security Agency official revealed this month that the agency's staff had rushed to the scene of virtually every major hack of a government computer network in the past two years.

Curtis W. Dukes, director of information assurance at the NSA, was trying to emphasize the Fort Meade-based spy outfit's lesser-known but growing role of helping to protect the nation's sensitive data.

But while Dukes was speaking to reporters in Washington, the cyber world was poring over a leaked cache of what appeared to be tools developed by the NSA for its more controversial activity: surveilling, spying and hacking.

The disclosure of the files — the NSA hasn't confirmed that they're authentic, but researchers and former NSA employees say they seem to be — underscored once again the tension between the two sides of NSA's dual mission: breaking into computer networks overseas in search of useful intelligence about foreign governments and terrorists and helping protect America's networks against foreign spies and other hackers.

Dukes, talking to reporters on the sidelines of an NSA conference last week, said his responsibilities included "fortifying public trust" in the agency — trust that suffered a major blow three years ago when former contractor Edward Snowden leaked details of its phone and email surveillance programs.

A group that called itself the Shadow Brokers posted files they claim came from the Equation Group, a name used in cyber circles for the NSA. Computer security analysts who have studied the files are mostly convinced they came from the agency.

In stilted English, the Shadow Brokers said they had more such files, which they would sell to the highest bidder.

A former NSA employee, who requested anonymity to discuss the agency's sensitive operations, said he recognized details in the leaked files.

"I don't think it was faked," the former employee said. "It's a big deal. Could be used to conduct active exploitation today."

The networking giant Cisco confirmed that the leak included a previously undiscovered weakness in its products. The weakness has attracted particular attention because it is a so-called zero-day vulnerability, meaning it was unknown to the company.

The NSA's identification of such vulnerabilities is controversial. While the NSA says it does not use them to break into American computers, there is no guarantee that another country or group of hackers has not found the same flaw.

In recent years, the government has followed a formal process to determine whether a weakness should be kept secret so it can be used to gather intelligence, or whether it should be shared to protect computer users.

The government's policy is to favor sharing. The NSA said recently that it had done so in 91 percent of cases. Andrew Crocker, an attorney at the Electronic Frontier Foundation, said too many questions about the Shadow Brokers files remain unanswered to know for sure what role the NSA might have played in their creation. But given all the fingers now pointing at Fort Meade, he said, he expects their disclosure to put pressure on the government to be more transparent. "I think that's a good thing," he said.

Columbia University scholar Jason Healey got up in front of the audience at a major hacker conference this month to make the case that the government's process for sharing vulnerabilities strikes a good balance between intelligence collection and security. He said it didn't seem as if the NSA was stockpiling large numbers of secret weaknesses, he said.

"I was taking actual personal risk getting up in front of hackers and saying NSA is less evil than you think," Healey said in an interview. But after the Shadow Brokers disclosure, he said, he's reviewing whether that conclusion still stands.

At the least, he said, the incident certainly raises fresh questions.

The most recent of the files posted by the Shadow Brokers dates at least as far back as 2013, a time when Healey concluded that the disclosure process was not functioning as intended, so they could have fallen through the cracks.

Healey said he wants the NSA or the National Security Council to provide a public explanation of what happened in the new case. "They need to come out on this," he said.

A spokesman for the National Security Council declined to respond to a request for comment. The NSA is in the midst of a major reorganization aimed in large part at bringing together its offensive and defensive operations. The idea is that if the two sides work more closely together, they can spot threats more quickly and work to come up with solutions. But privacy activists have raised the concern that the agency's much larger offensive side will overpower the defensive one.

NSA officials are trying to persuade skeptics that that's not what will happen, and that the defensive mission remains at least as important as ever.

Dukes did not comment on the Shadow Brokers leak, and the NSA has not addressed it publicly. But in an era when the online spying business puts the private information of every American at risk, he said, his team is increasingly being called on to help the FBI and Department of Homeland Security respond to major breaches.

In the past two years, he said, members of his team have been involved in cleaning up after hacks on the White House, the State Department, the Pentagon and the federal government's personnel agency. The NSA's teams can be on site within hours of a problem being discovered.

The agency also works with private companies. It published guidance last month on how to solve security problems in a product made by Cisco — not the one implicated in the Shadow Brokers files — and Dukes said the agency has worked with Microsoft to suggest ways to make Windows more secure and proposed fixes for a problem called "Pass the Hash."

"This is something where we knew the adversary was exploiting," he said. Microsoft declined to comment on its relationship with the NSA, but said in a statement that it reviews reports of security problems in its products thoroughly, whoever brings them to the company's attention.

Cisco has a relationship with Dukes' branch of the NSA. Company spokeswoman Yvonne Malmgren said working with the NSA is a necessity for many businesses. Malmgren declined to comment on whether the Shadow Brokers disclosure might affect the company's work with the NSA. But she said the firm is troubled by the disclosure.

"We are deeply concerned with anything that may impact the integrity of our products or our customers' networks, and Cisco will continue to seek additional information," she said. "Cisco remains steadfast in the position that we should be notified of all vulnerabilities if they are found, so we can fix them and notify customers."

The NSA's defensive role started to grow beyond the government's classified systems and other military and spying infrastructure after the North Korean attack on Sony Pictures in 2014, 

It was a mission he would not have anticipated getting involved in years ago, he said, but now "there doesn't appear to be any network that's off limits."

The FBI and the Department of Homeland Security call on the NSA for its technical expertise — Dukes boasted that his teams are "arguably the best in the country."

Once called, NSA personnel can work on a breach for months. They gather information about the attack, work with other parts of the NSA to help figure out who might be behind it, and help the victim be better protected in the future.

For years, the NSA's defensive arm has been known as Information Assurance Directorate, but that organization is being dissolved as part of the shakeup.

The presentation Dukes gave to reporters featured his team's new logo. It's almost exactly the same as the old one: a bird of prey with its wings swept protectively forward.

Baltimore Sun:

 

« The Evolution of Hacking
Protecting Vehicles From Cyber- Attack »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Zadara Storage

Zadara Storage

Zadara provide complete data backup and protection delivered as a fully-managed service.

International Association of Professional Security Consultants (IAPSC)

International Association of Professional Security Consultants (IAPSC)

Members of the IAPSC represent a unique group of respected, ethical and competent security consultants.

Mocana

Mocana

Mocana provides a software platform that allows you to develop, test and distribute more secure IoT devices and services.

Visa

Visa

Visa is a global payments technology company that connects consumers, businesses and banks in more than 200 countries and territories worldwide.

SecuPi

SecuPi

SecuPi delivers data-centric security with data-flow discovery, real-time monitoring, behavior analytics, and protection across web and enterprise applications and big data environments.

Open Cloud Factory

Open Cloud Factory

Open Cloud Factory is a European based security company, that strives to ease the pressure on IT managers, by providing tools to implement your Security Strategy in an effective and easy manner.

Cyber Wales

Cyber Wales

Cyber Wales provides a focus and forum for everyone in the industry, helping businesses come together and collaborate both within Wales and internationally.

3Lines Venture Capital

3Lines Venture Capital

3Lines Venture Capital invests in exceptional founders and startups working on broad disruptive themes of Future of Work, AI enabled enterprises, and Industry 4.0.

OmniCyber Security

OmniCyber Security

Omni is a cyber security firm specialising in Penetration Testing, Managed Security and Compliance.

Spike Reply

Spike Reply

Spike Reply is the company within the Reply Group focusing on cybersecurity and personal data protection.

Tentacle

Tentacle

Tentacle has developed a configurable data management tool that helps organizations to improve their information security programs and overall security posture.

CyberUp

CyberUp

CyberUp is a nonprofit organization created to strengthen the cybersecurity workforce. We help employers reimagine how they grow and scale their cybersecurity workforce.

Unit 42

Unit 42

Unit 42 brings together world-renowned threat researchers, incident responders and security consultants to create an intelligence-driven, response-ready organization.

ThreatER

ThreatER

ThreateER (formerly ThreatBlockr / Bandura Cyber) is a cybersecurity platform that provides active network defense by automating the discovery, enforcement, and analysis of cyber threats at scale.

Cyber and Fraud Centre – Scotland

Cyber and Fraud Centre – Scotland

The Cyber and Fraud Centre – Scotland exists to ensure Scottish organisations are as resilient as they can be against cyber and fraud crime.

GoCloud Systems

GoCloud Systems

GoCloud is an IT consulting firm. We provide IT strategy and cloud adoption services to the New Zealand Government, Non-Profit Organisations and private industry.