After an unknown group released a cache of hacking tools from the National Security Agency earlier this week, some of the biggest tech companies in the world are scrambling to patch their systems and software to protect themselves and customers from attacks.
The leak came from the anonymous group calling itself the Shadow Brokers. While the group's origin and motivations remain unknown, cybersecurity experts and former agency employees have authenticated the cache of NSA hacking tools.
By exposing the custom-made malware online, the Shadow Brokers have suddenly made many of the systems American corporations rely on for cybersecurity more vulnerable to digital attacks from criminals and spies.
Now, many cybersecurity experts are asking why the NSA would stockpile so many of these kinds of security vulnerabilities without telling the affected companies such as networking giants Cisco and digital security firm Fortinet.
"The policy question we have to ask ourselves is what's an acceptable amount of time for the NSA to keep these exploits exclusively, before being legally compelled to disclose them," says Jeremiah Grossman, head of security strategy at cybersecurity firm SentinelOne.
While he says that the NSA needs some of the software exploits to spy on its adversaries and carry out digital missions, holding onto those flaws too long can be detrimental to American security.
Cisco said it inspected the NSA cache and discovered at least two hacking tools targeting security flaws in its products. The company said it did not know about the existence of one of the flaws until this week’s leak.
Beyond Cisco and Fortinet, which discovered firewall vulnerabilities among the digital weapons, many other companies could be at risk.
So far, the Shadow Brokers have released about 300 megabytes of data comprising a total of over 50 attack tools that would let attackers bypass firewalls that organizations rely on to defend against external attacks.
The leak also raises questions about the nature of nation-state hacking, and how much spy agencies know about flaws in software that they aren't revealing to tech companies and the public.
"How many of these are the Russians and the Chinese sitting on?" asked Jason Healey, senior research scholar at Columbia University’s School of International and Public Affairs.
The US does have a process that requires the NSA to disclose its bug discoveries to the White House National Security Council. The idea is to ensure that security flaws with especially broad impact are disclosed to the relevant companies so they can fix them, said Mr. Healey.
While that process may need to be updated in light of the NSA leaks, it is likely that other countries don’t have even this level of transparency.
"It is quite possible that their arsenals are even more significant than the US arsenal, which means there are a bunch more vulnerabilities we don't know about," he said. "It means the overall security of US infrastructure could be even worse than we thought."