SEPTEMBER
23, 2016 | BY BILL BUDINGTON AND ANDREW
CROCKER
NSA’s
Failure to Report Shadow Broker Vulnerabilities Underscores Need for Oversight
In August, an entity calling itself
the “Shadow Brokers” took the security world by surprise by publishing what
appears to be a portion of the NSA’s hacking toolset. Government investigators
now believe that the Shadow Brokers stole the cache of powerful NSA network
exploitation tools from a computer located outside of the NSA’s network where
they had been left accidentally, according to Reuters. A new detail, published for the
first time in yesterday’s Reuters report, is that the NSA learned about the
accidental exposure at or near the time it happened. The exploits, which showed
up on the Shadow Brokers’ site last month, target widely used networking products produced by Cisco and
Fortinet and rely on significant, previously unknown
vulnerabilities or “zero days” in these products. The government has not
officially confirmed that the files originated with the NSA, but the Intercept
used documents provided by Edward Snowden to demonstrate links between the NSA and the Equation Group,
which produced the exploits.
The Reuters
story provides a partial answer to the most important question about the Shadow
Brokers leak: why did the NSA seemingly withhold its knowledge of the Cisco and
Fortinet zero days, among others, from the vendors? According to unnamed
government sources investigating the matter, an NSA employee or contractor
mistakenly left the exploits on a remote computer about three years ago, and
the NSA learned about that mistake soon after. Because the agency was aware
that the exploits had been exposed and were therefore vulnerable to theft by
outsiders, it “tuned its sensors to detect use of any of the tools by other
parties, especially foreign adversaries with strong cyber espionage operations,
such as China and Russia.” Apparently finding no such evidence, the NSA sat on
the underlying vulnerabilities until the Shadow Brokers posted them publicly.
But the NSA’s overconfidence should
disturb us, as security researcher Nicholas Weaver points out. The
“sensors” mentioned by Reuters are likely a non-technical reference to
monitoring of the Internet backbone by the NSA under such authorities as
Section 702 and Executive Order 12333, which could act as a form of Network
Intrusion Detection System (NIDS). (The Department of Homeland Security also
operates an NIDS called Einstein specifically to monitor government
networks.) But Weaver explains that at least some of the exploits, including
those that affected Cisco and Fortinet products, appear not to lend themselves
to detection by outside monitoring since they operate within a target’s
internal network. In other words, the NSA’s confidence that its surveillance
tools weren’t being used by other actors might have been seriously misplaced.
The NSA’s decision not to disclose
the Cisco and Fortinet vulnerabilities becomes even more questionable in light
of the fact that some of the specific products affected had
been approved by the Department of Defense’s Unified Capabilities (UC) Approved
Products List (APL), which identifies equipment that can be used in DoD
networks:1
Under National
Security Directive 42 [.pdf], NSA is tasked with securing
“National Security Systems” against compromise or exploitation, a mission which
was traditionally housed within the Information Assurance Directorate (IAD).
The NSA is currently in the process of combining the “defensive” IAD with its
“offensive” intelligence-gathering divisions, but high-level officials charged
with information assurance have acknowledged the NSA’s defensive mission is more important than
ever. Regardless of whether the mission of protecting National
Security Systems is interpreted broadly or narrowly, the NSA’s failure to
remedy defects in products used widely across the IT sector and apparently by
the government, and even the DoD itself, is difficult to defend.
Above all, the Shadow Brokers story
highlights the need for oversight of the government’s use of zero days. Right
now, the decision whether to retain or disclose a vulnerability is
theoretically governed by the Vulnerabilities Equities Process (VEP), a once-secret
policy that EFF obtained in redacted form via a Freedom of Information Act lawsuit. But because the VEP
isn’t binding on the government, as far as we can tell, it’s toothless. While
we don’t know the exact considerations employed by the government in reaching a
decision to withhold a zero day, several of the high-level considerations
described by White House Cybersecurity Coordinator Michael Daniel in a blog post about the VEP seem highly relevant:
·
How much is the vulnerable system
used in the core Internet infrastructure, in other critical infrastructure
systems, in the U.S. economy, and/or in national security systems?
·
Does the vulnerability, if left unpatched,
impose significant risk?
·
How much harm could an adversary
nation or criminal group do with knowledge of this vulnerability?
·
How likely is it that we would know
if someone else was exploiting it?
Even if NSA initially believed the
specific vulnerabilities at issue in this case wouldn’t be discovered by
others, its knowledge that the exploits had been left exposed should have
changed that calculus. And if NSA knew specifically that the exploits had been
stolen, it’s hard to think of a rationale where disclosure would still be
outweighed by other considerations. Coincidentally, the NSA seems to have lost
control of the Shadow Brokers exploits in 2013, during a fallow period for the
VEP. Although the VEP was written in 2010, Michael Daniel told Wired that it was not “implemented to the
full degree that it should have been” and was only “reinvigorated” in 2014.
We think lawmakers should be
concerned with this story, and we encourage them to ask the NSA to explain
exactly what happened. We think the government should be far more transparent
about its vulnerabilities policy. A start would be releasing a current version
of the VEP without redacting the decisionmaking process, the criteria
considered, and the list of agencies that participate, as well as an accounting
of how many vulnerabilities the government retains and for how long. After
that, we urgently need to have a debate about the proper
weighting of disclosure versus retention of vulnerabilities, and we should
ensure that any policy that implements this decision is more than just a vague
blog post or a document that lacks all “vigor.”
====================================================Another Special Announcement - Tune in to my radio interview, on Rider University's station, www.1077thebronc.com I discuss my recent book, above on "Your Career Is Calling", hosted by Wanda Ellett.
www.amazon.com/author/paulbabicki
In addition to this blog, I maintain a radio show on BlogtalkRadio and an online newsletter via paper.li.I have established Netiquette discussion groups with Linkedin and Yahoo. I am also a member of the International Business Etiquette and Protocol Group and Minding Manners among others. I regularly consult for the Gerson Lehrman Group, a worldwide network of subject matter experts and I have been contributing to the blogs Everything Email and emailmonday . My work has appeared in numerous publications and I have presented to groups such as The Breakfast Club of NJ and PSG of Mercer County, NJ.
I am the president of Tabula Rosa Systems,
a “best of breed” reseller of products for communications, email,
network management software, security products and professional
services. Also, I am the president of Netiquette IQ. We are currently developing an email IQ rating system, Netiquette IQ, which promotes the fundamentals outlined in my book.
Over the past twenty-five years, I have enjoyed a dynamic and successful career and have attained an extensive background in IT and electronic communications by selling and marketing within the information technology marketplace.Anyone who would like to review the book and have it posted on my blog or website, please contact me paul@netiquetteiq.com.
=============================================================
No comments:
Post a Comment