It could have been a Bond trailer, complete with the dramatic intro “In a world where there are no secrets.” But this is real. On Monday, a mysterious group calling itself the Shadow Brokers released files apparently swiped from the “omnipotent” Equation Group – likely a technical arm of the National Security Agency. The files were technical marvels, offering means of breaching popular routers and network devices from vendors such as Cisco, Fortinet, Juniper and TopSec.
These marvels also pose a security nightmare. They contained a wealth of previously unknown means of breaching network defenses – so-called “zero-day exploits.” The sheer number of zero-days underscored the vulnerability of most popular systems. Even as software developers and hardware manufacturers scrambled to remedy any unaddressed gaps, the revelations underscored the seeming inevitability of cyber-breaches. Ironically, the files themselves bear timestamps indicating that they were swiped from the NSA in the summer of 2013, following the Edward Snowden revelations. The filching of these files at the height of a security outcry demonstrates the difficulties even the most technologically advanced organizations have in defending against determined cyber-foes.
The government is aware of the problems inherent in sitting on a large store of vulnerabilities. Since 2014, the White House has required agencies identifying zero-day vulnerabilities to report them to the applicable developers and manufacturers. But there is a caveat. Agencies first forward newly unearthed flaws to a special task force that determines whether the tactical advantage of keeping the discovery secret outweighs the public interest in a more secure cyber environment. In an intelligence culture, the institutional incentives to protect such tools can be strong. In the present case, the tool cache represents a treasure trove of vulnerabilities, though apparently ones developed rather than discovered by the government.
The takeaway is that every cyberweapon is a double-edged sword: as useful to the bad guys as the good. The same process that enables the NSA to develop these tools will eventually enable others – hackers, organized crime, other states – to develop them. For instance, Wired suggested that the use of Stuxnet to paralyze Iran’s nuclear program enabled the development of a variant that subsequently crippled Saudi Aramco computers. Snowden himself stated the Shadow Brokers leak was likely connected to Russian sources: after U.S. officials and media fingered Russia for the DNC hack, Russia apparently wanted to send a message “that an escalation in the attribution game could get messy fast.”
In the present case, the mere fact of Shadow Brokers’ revelations was interesting in the Rumsfeldian sense. Namely, it identified a heretofore unknown unknown – that particular servers used by the NSA could and indeed have been breached. As former Defense Secretary Donald Rumsfeld observed: “Reports that say that something hasn’t happened are always interesting to me, because as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns – the ones we don’t know we don’t know. And if one looks throughout the history of our country and other free countries, it is the latter category that tend to be the difficult ones.”
If NSA affiliates can be breached, then so can virtually any business, school, church, or other institution that uses computers. Absent an Amish existence or a return to the Mad Men and typewriter era, the prudent enterprise should do the only thing it can: mandate a regular periodic process under which key stakeholders from business, IT, and legal undertake a review of its business practices, regulatory obligations, and cyber-security to minimize vulnerability. It is the optimal approach in a world of many unknown unknowns.
© Poyner Spruill LLP. All rights reserved.