A group of hackers called the Shadow Brokers has just released a new dump of data from the National Security Agency. This is plausibly the most extensive and important release of NSA hacking tools to date. It’s likely to prove awkward for the U.S. government, not only revealing top-secret information but also damaging the government’s relationships with U.S. allies and with big information technology firms. That is probably the motivation behind the leak: The Shadow Brokers are widely assumed to be connected with the Russian government. Here’s what the dump means.
What information has been released?
The release is only the most recent in a series of Shadow Broker dumps of information. However, it is by far the most substantial, providing two key forms of information. The first is a series of “zero-day exploits” for Microsoft Windows software. Zero-day exploits are attacks that take advantage of unknown vulnerabilities in a given software package. Exploits against commonly used software such as Windows are highly valuable — indeed, there is a clandestine international market where hackers sell exploits (sometimes through middlemen) to intelligence agencies and other interested parties, often for large sums of money. Intelligence services can then use these exploits to compromise the computers of their targets.
Second, information in the dump seems to show that the NSA has penetrated a service provider for SWIFT, an international financial messaging service. Specifically, it appears to have penetrated a SWIFT Service Bureau that provides support for a variety of banks in the Middle East.
Why are zero-day exploits important?
The leak of the zero-day exploits is important for two reasons. First, once the existence of a zero-day exploit is revealed, it rapidly loses a lot of its value. Zero-day exploits work reliably only when they are held secret. Microsoft may already have fixed many of these vulnerabilities (
there are conflicting reports from Microsoft and security companies UPDATE: NOW SECURITY RESEARCHERS APPEAR TO HAVE WITHDRAWN THEIR CLAIMS). However, if it hasn’t, or if the attacks provide information to hackers that can be used to generate more attacks, unscrupulous hackers might be able to take advantage. In a worst-case scenario, there may be a period when it’s as if criminal hackers suddenly acquired super powers in an explosion, as in the TV show “The Flash,” and started using them for nefarious ends.
Second, and as a consequence, trust between the United States and big software companies may be seriously damaged. Some weeks ago, Adam Segal of the Council on Foreign Relations wrote a report talking about how the U.S. government needs to rebuild a relationship with Silicon Valley that had been badly damaged by the Edward Snowden revelations. Now, the damage is starting to mount up again.
Most people think of the NSA as a spying agency and do not realize that it has a second responsibility: It is also supposed to protect the security of communications by U.S. citizens and companies against foreign incursions. When the United States learns of a zero-day exploit against software used by Americans, it is supposed to engage in an “equities process,” in which the default choice should be to inform the software producer so that it can fix the vulnerability, keeping the zero-day secret only if a special case can be made for it.
The revelation that the United States has kept its hands on so many vulnerabilities will further confirm the skepticism of many in the technology community, who believe that the equities process isn’t working. In a series of tweets, Facebook chief security officer Alex Stamos said the equities process is “broken” and that the U.S. government needs to consider taking away authority for defensive cybersecurity from the NSA and building a new agency instead. In an initial statement, Microsoft seemed to suggest that the NSA never contacted it about the exploits so it could issue a fix. More recently, it has said that most of the vulnerabilities had already been fixed. A lot will depend on whether the vulnerabilities have indeed been fixed, and whether the US government did in fact help Microsoft fix them and when.
Why is the information on SWIFT potentially politically explosive?
SWIFT, a financial cooperative based in Belgium, sounds like a boring organization with a boring job. It runs the financial messaging system that allows banks to transfer money back and forth. In fact, its role has been heavily politicized since shortly after Sept. 11, 2001. As Abraham Newman and I discussed in a recent academic article, the U.S. Treasury quickly realized that SWIFT provided an extraordinary resource for tracking flows of money across the world and began to secretly require it to provide data for U.S. intelligence analysis. The problem was that SWIFT is a European organization, subject to Belgian privacy law. This made it illegal to provide this kind of data, so SWIFT had to work in secret. When the New York Times revealed SWIFT’s secret relationship with the U.S. Treasury, that caused political uproar and a long series of difficult E.U.-U.S. negotiations, which culminated eventually in an agreement under which the United States could have access to SWIFT data under a series of formal safeguards.
Many European officials are unhappy with this agreement, because they think that the safeguards were formalities rather than real protections. Earlier data from the Snowden leaks provided some evidence that the NSA was extracting information from SWIFT outside the framework of the agreement. The new revelations indicate that the NSA sees SWIFT transactions as a key target and is looking to gather SWIFT-related data through other means than the agreement. It’s not clear why the NSA might have done this. It could be that the NSA wants data on targets that would be hard to justify under the agreement. It could also be that the agency does not want European officials to know who its targets are. It could simply be that the NSA is doing it because the agency can, and because it is more useful or convenient to collect the information this way, or because there is other associated information it can gather.
Whatever the rationale, this is going to make many Europeans very unhappy. European allies of the United States, who put a lot of political capital into persuading reluctant officials and politicians to sign onto the agreement, will be very embarrassed. Skeptics in the European Parliament, the European Ombudsman’s Office (which has tried and failed to find out more about the consequences of the agreement for E.U. citizens) and the European Commission will be emboldened in their criticisms.
Worst of all for the United States and U.S. technology companies, the European Court of Justice is likely to soon consider a number of cases challenging information exchange with the United States. These include emerging challenges to the Privacy Shield arrangement, which European e-commerce companies rely on to send data across the Atlantic. U.S. officials have been trying to persuade European politicians and courts that the U.S. government is privacy friendly, and that it can be trusted to live up to the spirit as well as the letter of its agreements. The new dump provides evidence that is likely to be used against the United States in these proceedings and that might very possibly be compelling for a court that is probably disinclined to trust the Trump administration in the first place.
If, as many observers believe, the Shadow Brokers are a catspaw or false identity for the Russian government, it is interesting to speculate on why they released this information — and why now. It is not only damaging for the United States, but it is likely to prove enraging to many U.S. intelligence and security officials.