Leak Spotlights NSA's Conflicting Missions

A top National Security Agency official revealed this month that the agency's staff had rushed to the scene of virtually every major hack of a government computer network in the past two years.

Curtis W. Dukes, director of information assurance at the NSA, was trying to emphasize the Fort Meade-based spy outfit's lesser-known but growing role of helping to protect the nation's sensitive data.

But while Dukes was speaking to reporters in Washington, the cyber world was poring over a leaked cache of what appeared to be tools developed by the NSA for its more controversial activity: surveilling, spying and hacking.

The disclosure of the files — the NSA hasn't confirmed that they're authentic, but researchers and former NSA employees say they seem to be — underscored once again the tension between the two sides of NSA's dual mission: breaking into computer networks overseas in search of useful intelligence about foreign governments and terrorists and helping protect America's networks against foreign spies and other hackers.

Dukes, talking to reporters on the sidelines of an NSA conference last week, said his responsibilities included "fortifying public trust" in the agency — trust that suffered a major blow three years ago when former contractor Edward Snowden leaked details of its phone and email surveillance programs.

A group that called itself the Shadow Brokers posted files they claim came from the Equation Group, a name used in cyber circles for the NSA. Computer security analysts who have studied the files are mostly convinced they came from the agency.

In stilted English, the Shadow Brokers said they had more such files, which they would sell to the highest bidder.

A former NSA employee, who requested anonymity to discuss the agency's sensitive operations, said he recognized details in the leaked files.

"I don't think it was faked," the former employee said. "It's a big deal. Could be used to conduct active exploitation today."

The networking giant Cisco confirmed that the leak included a previously undiscovered weakness in its products. The weakness has attracted particular attention because it is a so-called zero-day vulnerability, meaning it was unknown to the company.

The NSA's identification of such vulnerabilities is controversial. While the NSA says it does not use them to break into American computers, there is no guarantee that another country or group of hackers has not found the same flaw.

In recent years, the government has followed a formal process to determine whether a weakness should be kept secret so it can be used to gather intelligence, or whether it should be shared to protect computer users.

The government's policy is to favor sharing. The NSA said recently that it had done so in 91 percent of cases. Andrew Crocker, an attorney at the Electronic Frontier Foundation, said too many questions about the Shadow Brokers files remain unanswered to know for sure what role the NSA might have played in their creation. But given all the fingers now pointing at Fort Meade, he said, he expects their disclosure to put pressure on the government to be more transparent. "I think that's a good thing," he said.

Columbia University scholar Jason Healey got up in front of the audience at a major hacker conference this month to make the case that the government's process for sharing vulnerabilities strikes a good balance between intelligence collection and security. He said it didn't seem as if the NSA was stockpiling large numbers of secret weaknesses, he said.

"I was taking actual personal risk getting up in front of hackers and saying NSA is less evil than you think," Healey said in an interview. But after the Shadow Brokers disclosure, he said, he's reviewing whether that conclusion still stands.

At the least, he said, the incident certainly raises fresh questions.

The most recent of the files posted by the Shadow Brokers dates at least as far back as 2013, a time when Healey concluded that the disclosure process was not functioning as intended, so they could have fallen through the cracks.

Healey said he wants the NSA or the National Security Council to provide a public explanation of what happened in the new case. "They need to come out on this," he said.

A spokesman for the National Security Council declined to respond to a request for comment. The NSA is in the midst of a major reorganization aimed in large part at bringing together its offensive and defensive operations. The idea is that if the two sides work more closely together, they can spot threats more quickly and work to come up with solutions. But privacy activists have raised the concern that the agency's much larger offensive side will overpower the defensive one.

NSA officials are trying to persuade skeptics that that's not what will happen, and that the defensive mission remains at least as important as ever.

Dukes did not comment on the Shadow Brokers leak, and the NSA has not addressed it publicly. But in an era when the online spying business puts the private information of every American at risk, he said, his team is increasingly being called on to help the FBI and Department of Homeland Security respond to major breaches.

In the past two years, he said, members of his team have been involved in cleaning up after hacks on the White House, the State Department, the Pentagon and the federal government's personnel agency. The NSA's teams can be on site within hours of a problem being discovered.

The agency also works with private companies. It published guidance last month on how to solve security problems in a product made by Cisco — not the one implicated in the Shadow Brokers files — and Dukes said the agency has worked with Microsoft to suggest ways to make Windows more secure and proposed fixes for a problem called "Pass the Hash."

"This is something where we knew the adversary was exploiting," he said. Microsoft declined to comment on its relationship with the NSA, but said in a statement that it reviews reports of security problems in its products thoroughly, whoever brings them to the company's attention.

Cisco has a relationship with Dukes' branch of the NSA. Company spokeswoman Yvonne Malmgren said working with the NSA is a necessity for many businesses. Malmgren declined to comment on whether the Shadow Brokers disclosure might affect the company's work with the NSA. But she said the firm is troubled by the disclosure.

"We are deeply concerned with anything that may impact the integrity of our products or our customers' networks, and Cisco will continue to seek additional information," she said. "Cisco remains steadfast in the position that we should be notified of all vulnerabilities if they are found, so we can fix them and notify customers."

The NSA's defensive role started to grow beyond the government's classified systems and other military and spying infrastructure after the North Korean attack on Sony Pictures in 2014, 

It was a mission he would not have anticipated getting involved in years ago, he said, but now "there doesn't appear to be any network that's off limits."

The FBI and the Department of Homeland Security call on the NSA for its technical expertise — Dukes boasted that his teams are "arguably the best in the country."

Once called, NSA personnel can work on a breach for months. They gather information about the attack, work with other parts of the NSA to help figure out who might be behind it, and help the victim be better protected in the future.

For years, the NSA's defensive arm has been known as Information Assurance Directorate, but that organization is being dissolved as part of the shakeup.

The presentation Dukes gave to reporters featured his team's new logo. It's almost exactly the same as the old one: a bird of prey with its wings swept protectively forward.

Baltimore Sun:

 

« The Evolution of Hacking
Protecting Vehicles From Cyber- Attack »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

ON-DEMAND WEBINAR: 2024 and beyond: Top six cloud security trends

ON-DEMAND WEBINAR: 2024 and beyond: Top six cloud security trends

Learn about the top cloud security trends in 2024 and beyond, along with solutions and controls you can implement as part of your security strategy.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

CEPS

CEPS

CEPS is a leading think tank and forum for debate on EU affairs, ranking among the top think tanks in Europe. Topic areas include Innovation, Digital economy and Cyber-security.

CloudLayar

CloudLayar

CloudLayar is a cloud-based website firewall for protecting your website against online threats.

ODVA

ODVA

ODVA is a global trade and standards development organization whose members comprise the world’s leading industrial automation companies.

Haltdos

Haltdos

Haltdos is an AI driven website protection service that secures websites against today's cyber threats.

CyberGreen Institute

CyberGreen Institute

The CyberGreen Institute is a global non-profit and collaborative organization conducting activities focused on helping to improve the health of the global Cyber Ecosystem.

Compnet

Compnet

Compnet is a service company that assists customers in integrating complete ICT systems including network infrastructure and security solutions.

Finnish Accreditation Service (FINAS)

Finnish Accreditation Service (FINAS)

FINAS is the national accreditation body for Finland. The directory of members provides details of organisations offering certification services for ISO 27001.

CyberSec Hub

CyberSec Hub

The goal of CyberSec Hub is to create a centre of excellence for cybersecurity in Krakow, a new European “Cyber-Silicon Valley”.

KBR

KBR

To help governments and other agencies to combat cyber threats, KBR is safeguarding their most valuable systems with sophisticated tools, hardware and training.

Octo

Octo

Octo, an IBM company, is a technology firm dedicated to solving the Federal Government’s most complex challenges, enabling agencies to jump the technology curve.

Security Risk Management (SRM)

Security Risk Management (SRM)

SRM provide a comprehensive security risk management service encompassing people, processes, technology, governance, compliance and risk management.

Cufflink

Cufflink

Cufflink makes your business more secure, compliant and trusted. We limit the likelihood and impact of a data breach by controlling exactly what can and can't be done with personal data.

Oort

Oort

Oort is an identity threat detection and response platform for enterprise security. The Oort platform is API-driven, cloud-native and agentless for rapid time to value and high scalability.

NextGen Cyber Talent

NextGen Cyber Talent

NextGen Cyber Talent is a non-profit providing a platform to increase diversity and inclusion in the cybersecurity industry.

Memcyco

Memcyco

Memcyco is a provider of cutting-edge digital trust technologies to empower brands in combating online brand impersonation fraud, and preventing fraud damages to businesses and their clients.

Runecast Solutions

Runecast Solutions

Runecast Solutions is a global leader in AI-powered risk mitigation, security, continuous compliance and more efficient IT operations management.