Modern field guide to security and privacy

NSA leak rattles cybersecurity industry

The National Security Agency stockpiled sophisticated tools designed to penetrate commonly used security software. Now that hackers have revealed some of those techniques, companies are left scrambling to secure their systems.

Pablo Martinez Monsivais/AP/File
Director of the National Security Agency Adm. Michael Rogers (c.) at a Senate Intelligence Committee hearing in September 2015.

After an unknown group released a cache of hacking tools from the National Security Agency earlier this week, some of the biggest tech companies in the world are scrambling to patch their systems and software to protect themselves and customers from attacks.

The leak came from the anonymous group calling itself the Shadow Brokers. While the group's origin and motivations remain unknown, cybersecurity experts and former agency employees have authenticated the cache of NSA hacking tools.

By exposing the custom-made malware online, the Shadow Brokers have suddenly made many of the systems American corporations rely on for cybersecurity more vulnerable to digital attacks from criminals and spies.

Now, many cybersecurity experts are asking why the NSA would stockpile so many of these kinds of security vulnerabilities without telling the affected companies, such as networking giant Cisco and digital security firm Fortinet.

"The policy question we have to ask ourselves is what's an acceptable amount of time for the NSA to keep these exploits exclusively, before being legally compelled to disclose them," says Jeremiah Grossman, head of security strategy at cybersecurity firm SentinelOne.

While he says that the NSA needs some of the software exploits to spy on its adversaries and carry out digital missions, holding onto those flaws too long can be detrimental to American security. 

Cisco said it inspected the NSA cache and discovered at least two hacking tools targeting security flaws in its products. The company said it did not know about the existence of one of the flaws until this week’s leak.

Beyond Cisco and Fortinet, which discovered firewall vulnerabilities among the digital weapons, many other companies could be at risk.

So far, the Shadow Brokers have released about 300 megabytes of data comprising a total of over 50 attack tools that would let attackers bypass firewalls that organizations rely on to defend against external attacks.

The leak also raises questions about the nature of nation-state hacking, and how much spy agencies know about flaws in software that they aren't revealing to tech companies and the public.

"How many of these are the Russians and the Chinese sitting on?" asked Jason Healey, senior research scholar at Columbia University’s School of International and Public Affairs.

The US does have a process that requires the NSA to disclose its bug discoveries to the White House National Security Council. The idea is to ensure that security flaws with especially broad impact are disclosed to the relevant companies so they can fix them, said Mr. Healey.

While that process may need to be updated in light of the NSA leaks, it is likely that other countries don’t have even this level of transparency.

"It is quite possible that their arsenals are even more significant than the US arsenal, which means there are a bunch more vulnerabilities we don't know about," he said. "It means the overall security of US infrastructure could be even worse than we thought."

 
