Leak Spotlights NSA's Conflicting Missions

A top National Security Agency official revealed this month that the agency's staff had rushed to the scene of virtually every major hack of a government computer network in the past two years.

Curtis W. Dukes, director of information assurance at the NSA, was trying to emphasize the Fort Meade-based spy outfit's lesser-known but growing role of helping to protect the nation's sensitive data.

But while Dukes was speaking to reporters in Washington, the cyber world was poring over a leaked cache of what appeared to be tools developed by the NSA for its more controversial activity: surveilling, spying and hacking.

The disclosure of the files — the NSA hasn't confirmed that they're authentic, but researchers and former NSA employees say they seem to be — underscored once again the tension between the two sides of NSA's dual mission: breaking into computer networks overseas in search of useful intelligence about foreign governments and terrorists and helping protect America's networks against foreign spies and other hackers.

Dukes, talking to reporters on the sidelines of an NSA conference last week, said his responsibilities included "fortifying public trust" in the agency — trust that suffered a major blow three years ago when former contractor Edward Snowden leaked details of its phone and email surveillance programs.

A group that called itself the Shadow Brokers posted files they claim came from the Equation Group, a name used in cyber circles for the NSA. Computer security analysts who have studied the files are mostly convinced they came from the agency.

In stilted English, the Shadow Brokers said they had more such files, which they would sell to the highest bidder.

A former NSA employee, who requested anonymity to discuss the agency's sensitive operations, said he recognized details in the leaked files.

"I don't think it was faked," the former employee said. "It's a big deal. Could be used to conduct active exploitation today."

The networking giant Cisco confirmed that the leak included a previously undiscovered weakness in its products. The weakness has attracted particular attention because it is a so-called zero-day vulnerability, meaning it was unknown to the company.

The NSA's identification of such vulnerabilities is controversial. While the NSA says it does not use them to break into American computers, there is no guarantee that another country or group of hackers has not found the same flaw.

In recent years, the government has followed a formal process to determine whether a weakness should be kept secret so it can be used to gather intelligence, or whether it should be shared to protect computer users.

The government's policy is to favor sharing. The NSA said recently that it had done so in 91 percent of cases. Andrew Crocker, an attorney at the Electronic Frontier Foundation, said too many questions about the Shadow Brokers files remain unanswered to know for sure what role the NSA might have played in their creation. But given all the fingers now pointing at Fort Meade, he said, he expects their disclosure to put pressure on the government to be more transparent. "I think that's a good thing," he said.

Columbia University scholar Jason Healey got up in front of the audience at a major hacker conference this month to make the case that the government's process for sharing vulnerabilities strikes a good balance between intelligence collection and security. He said it didn't seem as if the NSA was stockpiling large numbers of secret weaknesses, he said.

"I was taking actual personal risk getting up in front of hackers and saying NSA is less evil than you think," Healey said in an interview. But after the Shadow Brokers disclosure, he said, he's reviewing whether that conclusion still stands.

At the least, he said, the incident certainly raises fresh questions.

The most recent of the files posted by the Shadow Brokers dates at least as far back as 2013, a time when Healey concluded that the disclosure process was not functioning as intended, so they could have fallen through the cracks.

Healey said he wants the NSA or the National Security Council to provide a public explanation of what happened in the new case. "They need to come out on this," he said.

A spokesman for the National Security Council declined to respond to a request for comment. The NSA is in the midst of a major reorganization aimed in large part at bringing together its offensive and defensive operations. The idea is that if the two sides work more closely together, they can spot threats more quickly and work to come up with solutions. But privacy activists have raised the concern that the agency's much larger offensive side will overpower the defensive one.

NSA officials are trying to persuade skeptics that that's not what will happen, and that the defensive mission remains at least as important as ever.

Dukes did not comment on the Shadow Brokers leak, and the NSA has not addressed it publicly. But in an era when the online spying business puts the private information of every American at risk, he said, his team is increasingly being called on to help the FBI and Department of Homeland Security respond to major breaches.

In the past two years, he said, members of his team have been involved in cleaning up after hacks on the White House, the State Department, the Pentagon and the federal government's personnel agency. The NSA's teams can be on site within hours of a problem being discovered.

The agency also works with private companies. It published guidance last month on how to solve security problems in a product made by Cisco — not the one implicated in the Shadow Brokers files — and Dukes said the agency has worked with Microsoft to suggest ways to make Windows more secure and proposed fixes for a problem called "Pass the Hash."

"This is something where we knew the adversary was exploiting," he said. Microsoft declined to comment on its relationship with the NSA, but said in a statement that it reviews reports of security problems in its products thoroughly, whoever brings them to the company's attention.

Cisco has a relationship with Dukes' branch of the NSA. Company spokeswoman Yvonne Malmgren said working with the NSA is a necessity for many businesses. Malmgren declined to comment on whether the Shadow Brokers disclosure might affect the company's work with the NSA. But she said the firm is troubled by the disclosure.

"We are deeply concerned with anything that may impact the integrity of our products or our customers' networks, and Cisco will continue to seek additional information," she said. "Cisco remains steadfast in the position that we should be notified of all vulnerabilities if they are found, so we can fix them and notify customers."

The NSA's defensive role started to grow beyond the government's classified systems and other military and spying infrastructure after the North Korean attack on Sony Pictures in 2014, 

It was a mission he would not have anticipated getting involved in years ago, he said, but now "there doesn't appear to be any network that's off limits."

The FBI and the Department of Homeland Security call on the NSA for its technical expertise — Dukes boasted that his teams are "arguably the best in the country."

Once called, NSA personnel can work on a breach for months. They gather information about the attack, work with other parts of the NSA to help figure out who might be behind it, and help the victim be better protected in the future.

For years, the NSA's defensive arm has been known as Information Assurance Directorate, but that organization is being dissolved as part of the shakeup.

The presentation Dukes gave to reporters featured his team's new logo. It's almost exactly the same as the old one: a bird of prey with its wings swept protectively forward.

Baltimore Sun:

 

« The Evolution of Hacking
Protecting Vehicles From Cyber- Attack »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Pluralsight

Pluralsight

Pluralsight helps enterprises build technology skills at scale with expert-authored courses on today’s most important technologies including information and cyber security.

OSSEC

OSSEC

OSSEC is a scalable, multi-platform, open source Host-based Intrusion Detection System (HIDS).

Repository of Industrial Security Incidents (RISI)

Repository of Industrial Security Incidents (RISI)

RISI is a database of cyber security incidents that have (or could have) affected process control, industrial automation or SCADA systems.

QuintessenceLabs

QuintessenceLabs

QuintessenceLabs offers a suite of Data Security technology, products and solutions to secure digital information in-transit, at-rest or in-use.

CyberPoint

CyberPoint

CyberPoint delivers innovative, leading-edge cyber security products, solutions, and services to customers worldwide.

Sangfor Technologies

Sangfor Technologies

Sangfor is a global leader of IT infrastructure, security solutions, and cloud computing.

Asseco Group

Asseco Group

Asseco Poland stands at the forefront of the multinational Asseco Group. We are a leading provider of state-of-the-art IT solutions in Central and Eastern Europe.

Cyber Security Raad (CSR) - Netherlands

Cyber Security Raad (CSR) - Netherlands

The Cyber Security Council (CSR) is a national, independent advisory body of the Dutch government undertaking efforts at strategic level to bolster cyber security in the Netherlands.

Cado Security

Cado Security

Cado Security is pushing digital forensics, and cyber incident response to the next level with an incident response software platform and specialist consulting services.

DeepFactor

DeepFactor

DeepFactor is the industry’s first Continuous Observability platform enabling Engineering and AppSec teams to find and triage RUNTIME security, privacy, and compliance risks in your applications.

BIG Cyber

BIG Cyber

BIG Cyber is a specialized Managed Security Service Provider (MSSP) dedicated to bringing military grade cyber security technology to the gaming industry.

Neosec

Neosec

We’re reinventing API security. Understanding behavior requires data, analytics, and intelligence. Neosec brings XDR techniques to application security.

Polygraph

Polygraph

Polygraph monitors the activities of click fraud gangs, including how they operate, who they target, the techniques they use, and how to detect their fraud.

ALSCO

ALSCO

ALSCO is dedicated to bringing first class IT services, technical support, and solutions to goverment, companies and organizations worldwide.

Buzz Cybersecurity

Buzz Cybersecurity

Buzz Cybersecurity systems and services are designed to proactively guard against common and uncommon cyber threats.

MyTurn Career LLC

MyTurn Career LLC

Looking for a rewarding career in cybersecurity? Explore a wide range of cybersecurity jobs and opportunities in this rapidly evolving field.