Hacking Team, Computer Vulnerabilities, and the NSA

(www.perspecsys.com, Flickr Commons)

When the National Security Administration (NSA) — or any government agency — discovers a vulnerability in a popular computer system, should it disclose it or not? The debate exists because vulnerabilities have both offensive and defensive uses. Offensively, vulnerabilities can be exploited to penetrate others’ computers and networks, either for espionage or destructive purposes. Defensively, publicly revealing security flaws can be used to make our own systems less vulnerable to those same attacks. The two options are mutually exclusive: either we can help to secure both our own networks and the systems we might want to attack, or we can keep both networks vulnerable. Many, myself included, have long argued that defense is more important than offense, and that we should patch almost every vulnerability we find. Even the President’s Review Group on Intelligence and Communications Technologies recommended in 2013 that “U.S. policy should generally move to ensure that Zero Days are quickly blocked, so that the underlying vulnerabilities are patched on U.S. Government and other networks.”

Both the NSA and the White House have talked about a secret “vulnerability equities process” they go through when they find a security flaw. Both groups maintain the process is heavily weighted in favor of disclosing vulnerabilities to the vendors and having them patched.

An undated document — declassified last week with heavy redactions after a year-long Freedom of Information Act lawsuit — shines some light on the process but still leaves many questions unanswered. An important question is: which vulnerabilities go through the equities process, and which don’t?

A real-world example of the ambiguity surrounding the equities process emerged from the recent hacking of the cyber weapons arms manufacturer Hacking Team. The corporation sells Internet attack and espionage software to countries around the world, including many reprehensible governments, allowing them to eavesdrop on their citizens, sometimes as a prelude to arrest and torture. The computer tools were used against U.S. journalists.

In July, unidentified hackers penetrated Hacking Team’s corporate network and stole almost everything of value, including corporate documents, e-mails, and source code. The hackers proceeded to post it all online.

The NSA was most likely able to penetrate Hacking Team’s network and steal the same data. The agency probably did it years ago. They would have learned the same things about Hacking Team’s network software that we did in July: how it worked, what vulnerabilities they were using, and which countries were using their cyber weapons. Armed with that knowledge, the NSA could have quietly neutralized many of the company’s products. The United States could have alerted software vendors about the zero-day exploits and had them patched. It could have told the antivirus companies how to detect and remove Hacking Team’s malware. It could have done a lot. Assuming that the NSA did infiltrate Hacking Team’s network, the fact that the United States chose not to reveal the vulnerabilities it uncovered is both revealing and interesting, and the decision provides a window into the vulnerability equities process.

The first question to ask is why? There are three possible reasons. One, the software was also being used by the United States, and the government did not want to lose its benefits. Two, NSA was able to eavesdrop on other entities using Hacking Team’s software, and they wanted to continue benefitting from the intelligence. And three, the agency did not want to expose their own hacking capabilities by demonstrating that they had compromised Hacking Team’s network. In reality, the decision may have been due to a combination of the three possibilities.

How was this decision made? More explicitly, did any vulnerabilities that Hacking Team exploited, and the NSA was aware of, go through the vulnerability equities process? It is unclear. The NSA plays fast and loose when deciding which security flaws go through the procedure. The process document states that it applies to vulnerabilities that are “newly discovered and not publicly known.” Does that refer only to vulnerabilities discovered by the NSA, or does the process also apply to zero-day vulnerabilities that the NSA discovers others are using? If vulnerabilities used in others’ cyber weapons are excluded, it is very difficult to talk about the process as it is currently formulated.

The U.S. government should close the vulnerabilities that foreign governments are using to attack people and networks. If taking action is as easy as plugging security vulnerabilities in products and making everyone in the world more secure, that should be standard procedure. The fact that the NSA — we assume — chose not to suggests that the United States has its priorities wrong.

Undoubtedly, there would be blowback from closing vulnerabilities utilized in others’ cyber weapons. Several companies sell information about vulnerabilities to different countries, and if they found that those security gaps were regularly closed soon after they started trying to sell them, they would quickly suspect espionage and take more defensive precautions. The new wariness of sellers and decrease in available security flaws would also raise the price of vulnerabilities worldwide. The United States is one of the biggest buyers, meaning that we benefit from greater availability and lower prices.

If we assume the NSA has penetrated these companies’ networks, we should also assume that the intelligence agencies of countries like Russia and China have done the same. Are those countries using Hacking Team’s vulnerabilities in their cyber weapons? We are all embroiled in a cyber arms race — finding, buying, stockpiling, using, and exposing vulnerabilities — and our actions will affect the actions of all the other players.

It seems foolish that we would not take every opportunity to neutralize the cyberweapons of those countries that would attack the United States or use them against their own people for totalitarian gain. Is it truly possible that when the NSA intercepts and reverse-engineers a cyberweapon used by one of our enemies — whether a Hacking Team customer or a country like China — we don’t close the vulnerabilities that that weapon uses? Does the NSA use knowledge of the weapon to defend the U.S. government networks whose security it maintains, at the expense of everyone else in the country and the world? That seems incredibly dangerous.

In my book Data and Goliath, I suggested breaking apart the NSA’s offensive and defensive components, in part to resolve the agency’s internal conflict between attack and defense. One part would be focused on foreign espionage, and another on cyberdefense. This Hacking Team discussion demonstrates that even separating the agency would not be enough. The espionage-focused organization that penetrates and analyzes the products of cyberweapons arms manufacturers would regularly learn about vulnerabilities used to attack systems and networks worldwide. Thus, that section of the agency would still have to transfer that knowledge to the defense-focused organization. That is not going to happen as long as the United States prioritizes surveillance over security and attack over defense. The norms governing actions in cyberspace need to be changed, a task far more difficult than any reform of the NSA.


Dr. Bruce Schneier is a fellow at the Berkman Center for Internet and Society at Harvard Law School and the Chief Technology Officer at Resilient Systems. He is the author of a variety of books, including Data and Goliath, as well as hundreds of articles, essays, and academic papers regarding privacy, cyber security, and cryptography. Dr. Schneier maintains an active blog about privacy and cyber security issues.
