The more we learn about the Shadow Brokers, who claim to be auctioning off "cyberweapons" that crafted for the NSA's use, the scarier the breach gets: some of the world's biggest security companies are tacitly admitting that the exploits in the Shadow Brokers' initial release can successfully penetrate their products, and they have no fix at hand.
The NSA and other arms of the US military have created and fed a booming market for unpublished software defects (aka "Zero Days") that can be hoarded and weaponized as part of a program that promotes that the ability to attack NSA enemies as more important than defending America from the attacks those enemies launch.
Keeping vulnerabilities secret only works if your enemies don't independently discover them — and if you don't accidentally leak them, as seems to be the case here. Otherwise, you should assume that your enemies have the same tools at their disposal as you, meaning that the only people who don't know about the defects in products like Cisco and Fortinet firewalls are the businesses that rely on them and the people who've entrusted their safety and privacy to those businesses.
The extraordinary thing about the Shadow Brokers isn't that people other than the NSA are exploiting bugs that the NSA deliberately left intact for their own convenience: it's that we know about it. The researchers who sell their zero days on the underground market have customers other than the NSA, after all, and their adversaries have their own research labs. In a world where everyone uses the same computers, networks and operating systems, you can't weaponize the defects in those systems without making your own people vulnerable to them.
This is one of the fundamental problems with calling this business "cyberwar." Whatever you think about nuclear weapons, the secrecy surrounding the Manhattan Project did not mean that bugs in physics remained unpatched, leaving Americans vulnerable to their enemies' ability to exploit them. A Manhattan Project for cyberweapons isn't about discovering principles in physics, it's about discovering flaws in technology that has the power of life and death over billions of people, and then doing nothing to fix those flaws.
The Obama administration, for its part, told the New York Times in 2014 that it ordered the NSA to disclose the security flaws it discovers in computer systems in most cases, but to hold those flaws in secret when they can be used to serve "a clear national security or law enforcement need." And Dave Aitel, a former NSA analyst who now runs the security firm ImmunitySec, contends that the sort of exploits exposed in the Shadow Brokers breach do hold exactly that sort of national security value. "Remote access on Cisco [equipment] sounds like it has national-security-level value to me," says Aitel, who has posited in a blog post that the data was in fact stolen from the NSA and that the Shadow Brokers group was likely Russian. "We don't know what valuable intelligence was gathered through the use of this technology, but you can be assured it was worth spending the time to create it. When you have 300 megabytes of code that's this carefully crafted, you didn't do that for fun."Aitel argues that as controversial as it may be, the NSA needs exactly these sorts of secret network exploitation capabilities to do its job. "Imagine if you didn't have any Cisco exploits," he says. "You'd be unable to report on terrorist movements, on Russian and Chinese movements….This is the necessary bread and butter of getting intelligence work done in this day and age. We need to get used to it."
The Shadow Brokers Mess Is What Happens When the NSA Hoards Zero-Days [Andy Greenberg/Wired]
Cisco confirms NSA-linked zeroday targeted its firewalls for years
[Dan Goodin/Ars Technica]
(Image: Unsplash, CC-0)
