The NSA's hoard of cyber weapons makes some experts nervous

An alleged hack has raised questions about the agency's practices

The disclosure this week of a cache of files supposedly stolen from the National Security Agency has put a spotlight on secret cyber weapons the NSA has been holding, and on whether they should be disclosed.

Security researchers have been poring over a sample set of hacking tools that may have been stolen from the NSA.

An anonymous group called the Shadow Brokers has posted the samples online and is auctioning off the rest, claiming they contain cyber weapons that rival the Stuxnet computer worm.

Experts say the whole matter points to the danger of the NSA hoarding cyber weapons: they could fall into the wrong hands.

“This theory that the NSA can keep them safe, and that nobody will find out, doesn’t seem to hold water,” said Ross Schulman, a cyber security co-director at the New America think tank.

At the heart of the matter are zero-day vulnerabilities and whether the U.S. government should keep its knowledge of them a secret.

These zero-days are essentially holes in software products that not even the vendors know about, which means no patch exists for them. They can be extremely valuable to both hackers and governments, especially when it comes to cyberespionage. Intelligence agencies like the NSA can use them in hacking missions to uncover strategic information. However, for a zero-day to remain useful, it has to be kept secret; once the vendor learns of it, it will be patched.

As a result, the NSA regularly collects and even buys vulnerabilities, reportedly spending millions, but it doesn't always publicly disclose them. That can leave vendors and customers exposed.

Security experts now wonder if that approach is backfiring. This week, Cisco was forced to roll out a security advisory in the wake of the new disclosure. An exploit included among the samples relies on a zero-day vulnerability in a Cisco firewall that could be more than three years old.

Jeremiah Grossman, chief of security strategy at SentinelOne, said he isn’t surprised that NSA hacking tools may have leaked.

“This is the risk when you have an increasingly large vulnerability repository that’s been around for a while,” he said. “You got to expect this will happen.”

Although the NSA has legitimate reasons for keeping some cyber weapons, Grossman said there needs to be more public discussion on what its policies should be and how vendors can ensure their products are protected.

“We’re going to need the government’s help to do defense, not just offense,” he said.

The government's disclosure policy isn’t very transparent today. Although the NSA claims to release 91 percent of the vulnerabilities it finds, there’s still no public data to verify that figure, said Jason Healey, a researcher at Columbia University.

He’s been studying the U.S. policy on keeping zero-days. He said the White House generally favors disclosing them if they affect widely used infrastructure, like Cisco products. But the U.S. tries to do this without diminishing its own intelligence-gathering efforts.

“We have to have a balance here, as much as I can get frustrated with the NSA keeping things to themselves,” Healey said.

It’s still not clear if the stolen hacking tools are actually from the NSA. Although the sample files do allude to past NSA-related codenames, security researchers say the documents could have been doctored. 

Still, the fear is that the stolen hacking tools are real and that more zero-day vulnerabilities may be in the hands of malicious actors. 

“I wouldn’t be surprised if Congress started asking some questions,” Schulman said. The recent hack against the Democratic National Committee, together with this new dump of hacking tools, has caused enough controversy to warrant an investigation by U.S. lawmakers, he said.

“If this may have happened once, are there other times this has happened?” Schulman asked. “What zero-days have been in those breaches?”
