Security experts are hoping the government will learn a number of lessons from a recent leak of source code from an NSA-linked group.
The previously unknown hacker outfit the Shadow Brokers announced an auction for the source code on Monday, releasing a small sample to prove they could make good on the promise. Proof was important: If the files were authentic, it would mean security had failed to stop highly sensitive and dangerous code from being swiped from the NSA, either by an inside source or hackers.
The proof files were enough to cause harm on their own. They contained previously unknown methods to circumvent security on popular routers from manufacturers like Cisco, Juniper and Fortinet — putting everyone who used them at risk of a breach they could not stop. By Thursday evening, not all of the flaws had been patched.
To people who work in the security field, this is a nightmare scenario. But many hope it will also be a teachable moment.
The Vulnerability Equity Process
Just as they ultimately did in the San Bernardino case, when law enforcement needed to circumvent security features on an iPhone, U.S. law enforcement and intelligence agencies sometimes purchase vulnerabilities unknown to manufacturers in order to hack into devices. Other times, they find these vulnerabilities, known as "zero-days," through their own research.
The Obama administration requires agencies to justify keeping any vulnerability, for any purpose, to a White House review board. Otherwise, the vulnerability is disclosed to the manufacturer to fix.
The first lesson to draw from the Shadow Brokers leak, many in the security industry have said, is that maintaining a government stockpile of zero-days can no longer be taken lightly.
By the administration’s own admission, hoarding zero-days makes products less secure. The risk is not limited to leaks like the Shadow Brokers’: there is no guarantee that other nations, or even petty criminals, will not independently discover and exploit the same vulnerabilities the U.S. is holding. And the government cannot protect a private business or political party from vulnerabilities that have not been disclosed to the public.
The vulnerability equity process — the process of justifying which zero-days to keep for offensive purposes — is meant to minimize that risk by keeping the arsenal as small as possible.
Just keeping numbers low might not be enough, said Jeremiah Grossman, chief security strategist at the information security firm SentinelOne.
“I would like the NSA to be able to accomplish its mission,” he said. “But we should ask how long they should have before they need to notify manufacturers.”
The pilfered code offered by the Shadow Brokers appears to date from 2013 — many suspect it was held by the Russian government and is now being dangled in public as leverage to prevent the United States from publicly blaming Russia for the Democratic National Committee hacks. Had the NSA been limited to a year before it had to disclose each flaw to the manufacturer, Grossman suggests, the leak would not have been a security fiasco.
The NSA, he said, could continually replace old zero-days with newly found ones.
“The key lesson is that there is no such thing as a vulnerability only we can use. Either other nations will discover it or bad guys are going to steal it from us,” said Kevin Bankston, Director of the New America Foundation’s Open Technology Institute.
Bankston was referring to more than just zero-days. Law enforcement agencies in the United States and around the world have argued that they need some form of access to encrypted communications. For that to work, manufacturers would have to build in an entrance point. But if the keys to that entrance point ever escaped, it would become a vulnerability that could not be closed.
“When the top hacking outfit on the planet is itself hacked, we should be concerned that keeping backdoors secure isn’t going to work.”
Whether the Shadow Brokers hacked the NSA or the code was removed from the NSA by an insider, it was evidently a closely held secret that the agency was unable to protect. Security experts worry that any encryption doorway engineers design so that only the right intelligence agency can get through it will invariably suffer from the same flaw.