One of the NSA’s most vaunted teams lost top-secret cyberweapons to a group of unknown hackers. The question now is, what comes next?
Early Saturday morning, a group called the Shadow Brokers posted what they claimed to be data stolen from the NSA’s Equation Group, a team of American government hackers that’s been called "the most advanced" threat on the internet because of its planet-wide reach and top-of-the-line offensive hacking tools—what we call cyberweapons.
The Shadow Brokers leak seems increasingly legitimate: This really is likely to be NSA code, just like the hackers say it is. Crucial flaws in Cisco and Fortinet firewalls have been exposed. But no one knows for sure who the Shadow Brokers are, what their real motivation is, or if they’ll release even more stolen data, as they promised to do.
Unlike some other recent high-profile hackers, the thieves here have stayed silent since they took center stage. That leaves a deep, strange mystery to be solved in an election year colored by an intensifying but enigmatic cyberwar that promises to influence the United States in many ways for years to come.
The chain of investigation
What do you do when a mysterious group of hackers publishes state-sponsored hacking tools in an unprecedented attack of unknown origin?
First, the incident will be investigated by the National Security Agency as its track down exactly what went so wrong that top-secret offensive code and exploits ended up stolen and published for the world to see.
An FBI counterintelligence investigation will likely follow, according to experts with knowledge of the process.
“Some people think about responding in kind: A U.S. cyberattack.”
The FBI’s counterintelligence division leads American investigations involving leaks, foreign intelligence operations, and espionage, so it will be the outside agency charged with determining the facts of the case.
The FBI declined to comment on its potential role in an investigation into the Shadow Brokers incident.
The origins of this latest leak remains utterly unclear—there’s little real public evidence to back up the educated guesses—but one theory, backed by a former NSA staffer and other experts, points to the possibility that an insider at the NSA is responsible for the breach.
Following the investigation, the NSA and other entities within the United States government will have to decide on a response.
The process is called an IGL: Intelligence Gain/Loss. Authorities suss out a pro and con list for various reactions, including directly and publicly blaming another country.
That might involve burning intelligence resources. Would the consequences be worth it?
Loose lips sink cyberships
“In order for the government to come and out and say if this was a government-sponsored intrusion, that this is what we know, what would the advantage be?” Blake Darche, a former NSA Tailored Access Operations (TAO) operator for seven years and now chief security officer at Area 1 Security, said.
“To say this is what we know, this is how we know it, most of this information is so technical that the average person is not going to understand it anyway. It’s a real challenge.”
“You have to be really careful,” Chris Finan, a former director of cybersecurity legislation in the Obama administration and now the CEO of the security firm Manifold Technology, said when discussing the DNC hack last month. “Some people think about responding in kind: A U.S. cyberattack. Doing that gives up the asymmetric response advantage you have in cyberspace.”
A country like the U.S. might have small advantages capable of doing significant damage to a rival or enemy. Offense is easier than defense in cyberspace, and the element of surprise plays a major role. If your retaliation is telegraphed, you abandon one of your most potent advantages.
Finan urged authorities to look at all tools, including economic sanctions against individuals, companies, groups, governments, or diplomatic constraints, to send a message through money rather than possibly burning a cyberwar advantage.
“The great thing about cyber capabilities is that they can be really hard to detect and you can use them stealthily,” Finan explained. “If they’re expecting it, however, you’re swimming upstream. The best operators don’t have the best 0-days, they’re good because they’re clever. If i was at the table, I’d be discouraging all but the most creative responses in kind.”
“I think financial sanctions are a good idea,” said James A. Lewis, a computer expert at the Center for Strategic and International Studies, said. He added, “We shouldn’t expect to impose new sanctions and expect this to be over. We need a larger political strategy.”
Exactly if and how the U.S. responds to the Shadow Brokers incident will depend on the source of the attack. Attribution in cyberwar is tricky or even impossible much of the time. It quickly becomes a highly politicized process ripe with anonymous sources and little solid fact.
Media often does a poor job explaining to the public just how difficult genuine attribution can be. And sometimes, when outlets do put in an effort to illustrate the challenges, it’s often quickly undermined.
“We need a public discussion about espionage and attack and defense operations about cyber in the 21st century.”
“Then they’ll follow that up with quotes from unnamed sources in the U.S. government,” Jeffrey Carr, CEO at the cybersecurity firm Taia Global, said, “and who knows who they are. Just because you work for the U.S. government does not make you believable. If anything, that should be a danger sign that they don't know who they are talking about.”
Outside of the NSA, the private sector will have to deal with the aftermath of this hack as well. Companies like Cisco are discovering vulnerabilities used to attack their products, which means pouring time and money into fixes of both the software and their reputations. In 2014, Cisco CEO John Chambers personally appealed to President Barack Obama after reports emerged about the NSA inserting spyware into Cisco routers.
“We simply cannot operate this way, our customers trust us to be able to deliver to their doorsteps products that meet the highest standards of integrity and security,” Chambers wrote.
The Shadow Brokers leak highlights many of the same issues.
“No one is saying what the economic impact of having to upgrade all these systems will be,” said Brendan Dolan-Gavitt, a cybersecurity specialist at New York University. “As we find out more about what kind of products are affected and what needs to be fixed, it’s going to be a bad time for systems administrators. How many hours will it take to upgrade? What is the impact on business? What’s the downtime and sales lost?”
Spying and hacking works so that when one country figures out a big vulnerability to use for offensive hacking, another country likely won’t be too far behind.
“My guess is that everybody basically knows that the big guys are in each others stuff,” cybersecurity specialist Bruce Schneier said. “They don’t know how much or where but attack is easier than defense.”Without anyone being too surprised at the generalities, secrets inevitably escape.
Let’s talk about our problems
What many security experts want is for this incident to inspire a broader conversation.
“We need a public discussion about espionage and attack and defense operations about cyber in the 21st century,” security expert Bruce Schneier insisted. “Not about this specific event but broadly. Americans aren’t good at that.”
Dolan-Gavitt hopes the barrage of hacking incidents sheds a little light on just how the internet works—it’s fractured and, in many ways, insecure even as our lives migrate deeper into cyberspace.
“Maybe one good outcome of this is people having a greater awareness of how many systems their internet traffic passes through on the way to its destination,” he said. “Each of those can be a point of vulnerability between two skilled adversaries. A way to prevent that is strong encryption, which keeps our data from being read.”