To penetrate the computers of foreign targets, the National Security Agency relies on software flaws that have gone undetected in the pipes of the Internet. For years, security experts have pressed the agency to disclose these bugs so they can be fixed, but the agency's hackers have often resisted.
Now with the mysterious release of a cache of NSA hacking tools over the weekend, the agency has lost an offensive advantage, experts say, and potentially placed at risk the security of countless large companies and government agencies worldwide.
Several of the tools exploited flaws in commercial firewalls that remain unpatched, and they are out on the Internet for all to see. Anyone from a basement hacker to a sophisticated foreign spy agency has access to them now, and until the flaws are fixed, many computer systems may be in jeopardy.
The revelation of the NSA cache, which dates to 2013 and has not been confirmed by the agency, also highlights the administration's little-known process for figuring out which software errors to disclose and which to keep secret.
The hacker tools' release “demonstrates the key risk of the U.S. government stockpiling computer vulnerabilities for its own use: Someone else might get a hold of them and use them against us,” said Kevin Bankston, director of New America's Open Technology Institute.
“This is exactly why it should be U.S. government policy to disclose to software vendors the vulnerabilities it buys or discovers as soon as possible, so we can all better protect our own cybersecurity.”
The weekend's release prompted immediate speculation about who might be behind it. A group calling itself Shadow Brokers claimed responsibility. Some experts and former employees suspect, although without hard evidence, that Russia is involved. Other former employees say it is more likely a disgruntled insider seeking to make a profit.
Whoever it is, “it's very concerning that potentially someone working for another government is essentially holding hostage companies that are sitting behind these firewalls, making them very vulnerable,” said Oren Falkowitz, chief executive of Area 1 Security and a former NSA analyst.
The firewalls sold by Cisco, Juniper and Fortinet are highly popular and work on large-scale enterprise systems. “These are very, very powerful and successful” products, Falkowitz said. “They aren't devices bought by two people.”
Already, the firms are racing to reverse-engineer the code, identify any flaws and devise patches. Cisco confirmed Wednesday that one of the flaws was a “zero-day” — previously unknown to the public — and that it is working on a fix. The flaw was in a tool or exploit code-named Extrabacon.
Juniper spokeswoman Leslie Moore said the company is reviewing the released file. “If a product vulnerability is identified, we will address the matter and communicate to our customers,” she said.
Fortinet spokeswoman Sandra Wheatley Smerdon said that the firm is “actively working with customers” who are running the FortiGate firewall version 4.X and that it “strongly” recommends that they update their systems “with the highest priority.”
The government has a process for determining when to share software flaws. Agencies such as the NSA and the FBI are supposed to submit any flaws they discover to a multiagency group of experts, who then weigh whether the advantage of keeping the vulnerabilities secret outweighs the risk to the public's cybersecurity.
White House cybersecurity coordinator Michael Daniel has said that “in the majority of cases,” disclosure of the bug is in the national interest. The multiagency process didn't really begin until spring 2014. The NSA had had its own internal process for years before that.