Emerging out of the blue, a cryptic online group that calls itself the Shadow Brokers claims that it has purloined a cache of cyber burglary tools from a little known but highly skilled hacking operation dubbed the Equation Group. The Shadow Brokers made some of the tools available for free, but announced that it would auction off the rest — with a goal of more than half a billion dollars.
The incident might have been written off as routine Internet puffery, except that Equation may be a contractor for or even an arm of the National Security Agency — in other words, a group of the United States’ very own cyber thieves. Kaspersky Lab, a Moscow-based cybersecurity analyst, has said Equation Group could be the world’s most skillful hacking team; its sophistication and resources have led a number of analysts to conclude that Equation is backed by or part of the NSA.
Oh and yes, at least some of the tools the Shadow Brokers dumped online for free reveal previously unknown security flaws in firewalls used to safeguard corporate and government computer networks. How useful they are remains to be seen, but the tools are clearly the work of skillful hackers.
The Internet is abuzz with speculation about who the Shadow Brokers might be. Some security researchers — and former NSA contractor turned whistle-blower Edward Snowden — believe that it’s a Russian-backed group wagging a finger at the NSA. Given the Russians’ apparent involvement in the recent leak of emails from the Democratic National Committee, the Shadow Brokers’ work could conceivably be another effort to rattle voters prior to the November election.
Who created the tools and how the Shadow Brokers obtained them are also in dispute. Kaspersky found unique bits of code in the files the Shadow Brokers released that had also been in malware previously attributed to Equation, giving credence to the claim that the files are, in fact, that group’s handiwork. But some security experts doubt that the Shadow Brokers actually pried into Equation’s servers to nab the files, all of which are at least three years old. Instead, some suggest that they were taken from Equation’s network by an insider using a USB drive, or that they were stolen from a computer Equation used on one of its prior attacks.
Regardless of whether the NSA is behind Equation, it shouldn’t surprise anyone that U.S. intelligence agencies would be developing impressive hacking capabilities. They absolutely should be, especially with Russia, China and other less than friendly governments doing so. And though that sort of work is essential to understanding how to protect U.S. computer networks, “smart” devices and Internet-connected infrastructure against incessant online attacks, the federal government has to do more than play defense in cyberspace. It has to be able to respond in kind in order to deter state-sponsored intrusions. Malware can also be an effective substitute for military force when trying to defuse global threats; witness the use of the Stuxnet worm to cripple Iranian centrifuges that were enriching uranium for that country’s nuclear program. And any hacking tools the U.S. develops and uses are subject to being stolen. That’s true of everything online.
Nevertheless, the Shadow Brokers episode raises an important question about how the government uses what it learns about cyber vulnerabilities. When the feds uncover a new weakness in a firewall, an operating system or a browser that allows them to hack into a network or a device, should they keep that knowledge to themselves for later use or share it with the companies putting out the susceptible products?
The files dumped online by the Shadow Brokers include several "zero-day” exploits (that is, attacks on previously undisclosed vulnerabilities). Though analysts at cybersecurity firm Risk Based Security have said that most of these tools aren’t terribly useful — they aren’t likely to work remotely through the Internet — security researchers have found at least one that can unlock private online networks that were secured by a specific Cisco product. And it appears that none of the security problems being exploited had been revealed to the products’ manufacturers.
The administration reportedly requires agencies that find a zero-day vulnerability to go through a process to determine whether that information should be shared with the product’s manufacturer. That’s a good thing, but the default position should be in favor of closing security holes, not leaving them open. As much as intelligence agents may gain from the ability to slip files out of or plant surveillance software on a foreign server, the government’s first duty should be protecting U.S. residents and businesses against the unrelenting assault from scam artists, thieves and worse online.
That’s why it’s appalling to think that the NSA may be scouring computer networking equipment — much of it made by U.S. companies — for hidden security holes that it then keeps secret for its own purposes. If the Equation Group can find a vulnerability, it’s reasonable to assume that some other country’s elite hackers can too. The public is already dangerously lax about online security and maddeningly slow to install the patches and updates needed to fix the flaws that security researchers uncover. Washington shouldn’t be adding to the problem by withholding information about the holes it finds.