In a frank discussion about the government's approach to vulnerabilities in cyber-infrastructure during a Washington Post Live summit Thursday, former NSA chief Michael Hayden said the agency is not always "ethically or legally compelled" to help fix flaws it knows about. If the agency thinks that no one else will be able to exploit a vulnerability, it leaves the problem unfixed to aid in its own spying efforts. That approach might be convenient for the NSA, but it needlessly endangers the security of Americans' computers.
The statement came after an audience member asked if backdoors reported in the NSA leaks introduced vulnerabilities that could be exploited by hackers. Craig Mundie, a Senior Adviser to the CEO at Microsoft, took a first crack at the question. He asserted that Microsoft does not engineer in any backdoors nor has there ever been any effort to "facilitate" those kind of things. However, he also noted he could not speak to government capabilities and added "any [backdoor] mechanism that anybody would put into something obviously creates another class of vulnerabilities."
"Nobody but us"
Hayden argued the concept of vulnerabilities was not unique to the Internet and had been an issue the NSA has dealt with since its founding. "There's a reason that America's offensive and defensive squads are up at Fort Meade," Hayden said, explaining "because both offense and defense at this world hinges on a question of vulnerability." Hayden then laid out the concept of NOBUS, which stands for "nobody but us," that he termed "very useful" for making macro-judgments about how to react to vulnerabilities, regardless of if those flaws are "preexistent, not designed, mistake, intended, implanted, [or] whatever":
You look at a vulnerability through a different lens if even with the vulnerability it requires substantial computational power or substantial other attributes and you have to make the judgment who else can do this? If there's a vulnerability here that weakens encryption but you still need four acres of Cray computers in the basement in order to work it you kind of think "NOBUS" and that's a vulnerability we are not ethically or legally compelled to try to patch -- it's one that ethically and legally we could try to exploit in order to keep Americans safe from others.
You can watch the full exchange in the video embedded below.
To a certain extent, this NOBUS idea reflects the weighing of the dual defensive and offensive mission of the NSA. Sure, patching vulnerabilities might effectively make infrastructure safer on a broad scale. But we're talking about the same agency that reportedly has a 600-some elite offensive hacker squad, Tailored Access Operations or TAO, working out of its headquarters. And NOBUS also raises a lot of questions about how the intelligence agency determines if something is likely to be exploited by adversaries.
Take the NSA's connection to the zero-day market. Earlier this year a Freedom of Information Act (FOIA) request revealed that the agency had a significant contract with with Vupen, a French company that deals with zero-day vulnerabilities -- security flaws not yet discovered or patched by vendors. Sometimes these zero-days are used to exploit systems by the hackers who discover them, sometimes vendors are told about them as part of bug bounty programs, and sometimes they end up in these digital gray markets.
The United States is a major player in these gray markets, although other nations are reported to be also in on the game. A Reuters's special report from May claimed the United States was the biggest buyer of exploits from this market, with defense contractors and government agencies spending "at least tens of millions of dollars a year just on exploits." But by their very nature, these exploits would seem to fail the NOBUS test, says Christopher Soghoian, Principal Technologist and Senior Policy Analyst at the ACLU's Speech, Privacy and Technology Project.
"The NSA does not have a monopoly over the exploits that it buys, whether from the black market or from defense contractors. Those same vulnerabilities can and will be discovered by other researchers too, some of whom may sell them to other governments and criminals," Soghoian said.
And while from a defensive perspective, it makes sense for intelligence agencies to scour these marketplaces and try to buy exploits out of the market, it doesn't seem like that's how it always works. Reuters spoke to two former White House cybersecurity advisers, Howard Schmidt and Richard Clarke, who thought the government was putting too much focus on offensive capabilities at the expense of business and consumer security. "If the U.S. government knows of a vulnerability that can be exploited, under normal circumstances, its first obligation is to tell U.S. users," Clarke said, adding "[t]here is supposed to be some mechanism for deciding how they use the information, for offense or defense. But there isn't."
Developing offensive cyber capabilities
Sometimes purchased exploits appear to be making it into government designed malware. For instance, the Stuxnet worm that targeted Iranian uranium facilities is widely believed to have been a joint American-Israeli development -- and a security researcher told the Economist at least one of the four exploits it relies on was bought rather than engineered in-house.
Stuxnet also illustrates how the deployment of offensive cybertools could be bad for consumer and business IT security. Stuxnet managed to make it into the digital wild pretty quickly, infecting other industrial systems and companies. And that's not all. “Some of the zero-days used in Stuxnet were later exploited by criminals," said Soghoian. "Had the NSA provided information about the vulnerabilities to Microsoft, the company could have distributed patches, and those criminals never would have been able to exploit those vulnerabilities.”
“This is just one of many scenarios where offense and defense conflict," when it comes to cybersecurity, Soghoian said. "For the NSA to have offensive abilities they must leave the public vulnerable. When you buy a new computer, you don't have to tell the salesman if you are a terrorist, or a drug dealer. We all use the same computers and software. What this means is that for the NSA to have the capability to hack into the computer of a terrorist, they need to have the capability to hack into everyone else's computer too. They're prioritizing offense over defense, that's really what it comes down to.”
But while TAO is reportedly America's national digital offense, we aren't the only ones playing that game. Earlier this year, a report from cybersecurity firm Mandiant suggested that the Chinese military was behind a large cyber-espionage ring, and hackers who are believed to have ties to the Iranian government have successfully managed to access the control software for oil pipes and breached Navy computer networks. The growing profile of these other well-supported adversaries might make the case stronger for a focus on making the digital battlefield more secure, not less.
An NSA spokesman declined to comment on Hayden's comments, but defended the NSA's track record on cybersecurity, saying, “NSA’s Information Assurance Directorate sets the security requirements to protect our government’s national security systems, shares our understanding of vulnerabilities with the private sector, and advocates for the best vulnerability mitigations. We continue to partner with federal organizations, private industry, and academia.”