Leak Spotlights NSA's Conflicting Missions

A top National Security Agency official revealed this month that the agency's staff had rushed to the scene of virtually every major hack of a government computer network in the past two years.

Curtis W. Dukes, director of information assurance at the NSA, was trying to emphasize the Fort Meade-based spy outfit's lesser-known but growing role of helping to protect the nation's sensitive data.

But while Dukes was speaking to reporters in Washington, the cyber world was poring over a leaked cache of what appeared to be tools developed by the NSA for its more controversial activity: surveilling, spying and hacking.

The disclosure of the files — the NSA hasn't confirmed that they're authentic, but researchers and former NSA employees say they seem to be — underscored once again the tension between the two sides of NSA's dual mission: breaking into computer networks overseas in search of useful intelligence about foreign governments and terrorists and helping protect America's networks against foreign spies and other hackers.

Dukes, talking to reporters on the sidelines of an NSA conference last week, said his responsibilities included "fortifying public trust" in the agency — trust that suffered a major blow three years ago when former contractor Edward Snowden leaked details of its phone and email surveillance programs.

A group that called itself the Shadow Brokers posted files they claim came from the Equation Group, a name used in cyber circles for the NSA. Computer security analysts who have studied the files are mostly convinced they came from the agency.

In stilted English, the Shadow Brokers said they had more such files, which they would sell to the highest bidder.

A former NSA employee, who requested anonymity to discuss the agency's sensitive operations, said he recognized details in the leaked files.

"I don't think it was faked," the former employee said. "It's a big deal. Could be used to conduct active exploitation today."

The networking giant Cisco confirmed that the leak included a previously undiscovered weakness in its products. The weakness has attracted particular attention because it is a so-called zero-day vulnerability, meaning it was unknown to the company.

The NSA's identification of such vulnerabilities is controversial. While the NSA says it does not use them to break into American computers, there is no guarantee that another country or group of hackers has not found the same flaw.

In recent years, the government has followed a formal process to determine whether a weakness should be kept secret so it can be used to gather intelligence, or whether it should be shared to protect computer users.

The government's policy is to favor sharing. The NSA said recently that it had done so in 91 percent of cases. Andrew Crocker, an attorney at the Electronic Frontier Foundation, said too many questions about the Shadow Brokers files remain unanswered to know for sure what role the NSA might have played in their creation. But given all the fingers now pointing at Fort Meade, he said, he expects their disclosure to put pressure on the government to be more transparent. "I think that's a good thing," he said.

Columbia University scholar Jason Healey got up in front of the audience at a major hacker conference this month to make the case that the government's process for sharing vulnerabilities strikes a good balance between intelligence collection and security. He said it didn't seem as if the NSA was stockpiling large numbers of secret weaknesses, he said.

"I was taking actual personal risk getting up in front of hackers and saying NSA is less evil than you think," Healey said in an interview. But after the Shadow Brokers disclosure, he said, he's reviewing whether that conclusion still stands.

At the least, he said, the incident certainly raises fresh questions.

The most recent of the files posted by the Shadow Brokers dates at least as far back as 2013, a time when Healey concluded that the disclosure process was not functioning as intended, so they could have fallen through the cracks.

Healey said he wants the NSA or the National Security Council to provide a public explanation of what happened in the new case. "They need to come out on this," he said.

A spokesman for the National Security Council declined to respond to a request for comment. The NSA is in the midst of a major reorganization aimed in large part at bringing together its offensive and defensive operations. The idea is that if the two sides work more closely together, they can spot threats more quickly and work to come up with solutions. But privacy activists have raised the concern that the agency's much larger offensive side will overpower the defensive one.

NSA officials are trying to persuade skeptics that that's not what will happen, and that the defensive mission remains at least as important as ever.

Dukes did not comment on the Shadow Brokers leak, and the NSA has not addressed it publicly. But in an era when the online spying business puts the private information of every American at risk, he said, his team is increasingly being called on to help the FBI and Department of Homeland Security respond to major breaches.

In the past two years, he said, members of his team have been involved in cleaning up after hacks on the White House, the State Department, the Pentagon and the federal government's personnel agency. The NSA's teams can be on site within hours of a problem being discovered.

The agency also works with private companies. It published guidance last month on how to solve security problems in a product made by Cisco — not the one implicated in the Shadow Brokers files — and Dukes said the agency has worked with Microsoft to suggest ways to make Windows more secure and proposed fixes for a problem called "Pass the Hash."

"This is something where we knew the adversary was exploiting," he said. Microsoft declined to comment on its relationship with the NSA, but said in a statement that it reviews reports of security problems in its products thoroughly, whoever brings them to the company's attention.

Cisco has a relationship with Dukes' branch of the NSA. Company spokeswoman Yvonne Malmgren said working with the NSA is a necessity for many businesses. Malmgren declined to comment on whether the Shadow Brokers disclosure might affect the company's work with the NSA. But she said the firm is troubled by the disclosure.

"We are deeply concerned with anything that may impact the integrity of our products or our customers' networks, and Cisco will continue to seek additional information," she said. "Cisco remains steadfast in the position that we should be notified of all vulnerabilities if they are found, so we can fix them and notify customers."

The NSA's defensive role started to grow beyond the government's classified systems and other military and spying infrastructure after the North Korean attack on Sony Pictures in 2014, 

It was a mission he would not have anticipated getting involved in years ago, he said, but now "there doesn't appear to be any network that's off limits."

The FBI and the Department of Homeland Security call on the NSA for its technical expertise — Dukes boasted that his teams are "arguably the best in the country."

Once called, NSA personnel can work on a breach for months. They gather information about the attack, work with other parts of the NSA to help figure out who might be behind it, and help the victim be better protected in the future.

For years, the NSA's defensive arm has been known as Information Assurance Directorate, but that organization is being dissolved as part of the shakeup.

The presentation Dukes gave to reporters featured his team's new logo. It's almost exactly the same as the old one: a bird of prey with its wings swept protectively forward.

Baltimore Sun:

 

« The Evolution of Hacking
Protecting Vehicles From Cyber- Attack »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Fuel Recruitment

Fuel Recruitment

Fuel Recruitment is a specialist recruitment company for the IT, Telecoms, Engineering, Consulting and Marketing industries.

GFI Software

GFI Software

GFI Software works with System Administrators, IT Professionals and IT Executives to ensure that their IT infrastructures are monitored, managed, secured and compliant.

QASymphony

QASymphony

QASymphony software testing and QA tools help companies create better software by improving speed, efficiency and collaboration during the testing lifecycle.

National Cyber-Forensics & Training Alliance (NCFTA) - USA

National Cyber-Forensics & Training Alliance (NCFTA) - USA

NCFTA is a trusted alliance of private industry and law enforcement partners dedicated to information sharing and disrupting cyber-related threats.

VerifyMe

VerifyMe

VerifyMe is a global technology solutions company delivering brand protection offerings to mitigate counterfeiting, product diversion, and illicit trade.

OneSpan

OneSpan

OneSpan (formerly Vasco Data Security) is a global leader in digital identity security, transaction security and business productivity.

PhishX

PhishX

PhishX is a SaaS platform for security awareness that simulates Cyberthreats, train people, while measure and analysis results, reducing Cybersecurity risks for People and Companies.

CYRail

CYRail

CYRail project will analyse threats targeting Railway infrastructures and develop innovative attack detection and alerting techniques.

aDolus Technology

aDolus Technology

aDolus delivers a robust solution for safeguarding against counterfeit or malicious software and firmware in mission-critical systems.

Satori Cyber

Satori Cyber

The Satori Cyber Secure Data Access Cloud is the first solution on the market to offer continuous visibility and granular control for data flows across all cloud and hybrid data stores.

QuoLab

QuoLab

QuoLab empowers security professionals to analyze, investigate and respond to threats within an integrated ecosystem.

US Coast Guard Cyber Command

US Coast Guard Cyber Command

US Coast Guard Cyber Command’s focus is to ensure the security of our cyberspace, maintain superiority over our adversaries,and safeguard our Nation’s critical maritime infrastructure.

BCyber

BCyber

BCyber is a Swiss Cyber Security company that provides security products, training, and managed services to protect diverse IT and OT environments against cyber, physical, and cyber-physical threats.

Filigran

Filigran

Filigran provides threat intelligence, adversary simulation and crisis response open solutions to thousands of cybersecurity and crisis management teams across the world.

Sirti

Sirti

Sirti is Italy's leading technology company in the design and production of network infrastructures and telecoms system integration.

Digital & Intelligence Service (DIS)

Digital & Intelligence Service (DIS)

DIS is the fourth Service of the SAF, here to defend and dominate in the digital domain, and achieve peace and security for our land.