The massive data dump by the Shadow Brokers has become a kind of fun house mirror for the security industry. People come at it with all of their suppositions, biases, and baggage, and walk away with a distorted view of what’s actually there and what it means.
There are nearly as many opinions on what the apparent theft and release of a big pile of NSA tools, binaries, and exploits says about the agency and its methods as there are files in the dump itself. Most of them have their merits, and nearly all of them have focused on the NSA’s practice of finding, hoarding, and using vulnerabilities for offensive intelligence-gathering purposes. Whether that’s a moral practice can be, and has been, debated ad nauseam in the security community, and not just for the last couple of weeks. For decades.
But that’s the wrong line of thinking, at least in this case. It is explicitly part of the NSA’s mission to penetrate adversaries’ networks and gather intelligence. Finding and using vulnerabilities and exploits is an integral part of that process, and the NSA has proven to be quite adept at it. The agency’s Tailored Access Operations (TAO) unit, which does much of that work, has taken on mythic status since the Snowden theft exposed part of what it does, and by all knowledgeable accounts, the group is very, very good at its work. Perhaps as good as any team anywhere.
And to maintain that level of success and skill, TAO and the NSA as a whole need the best and most up-to-date tools. That can come in the form of training, methods, or, yes, software vulnerabilities. The agency has done its own vulnerability and exploit research for many years, and nearly all of what its teams find stays in Fort Meade for the NSA’s own use. For an agency tasked with offensive operations against foreign countries, that only makes sense. NSA was not set up as a CERT or bug clearinghouse. It’s an intelligence agency with a specific mission, and sharing vulnerability information generally isn’t part of that mission.
Collecting and storing that kind of valuable information carries a lot of inherent risk and makes the agency a natural target for many classes of attacker. But that’s no different from any other kind of data on sources, methods, and capabilities that the agency houses. Foreign intelligence services actively target one another constantly, and the knowledge that the NSA owns a repository of bugs and exploits doesn’t change that equation. It’s a safe bet that Iran, Russia, North Korea, China, and any other adversary you’d care to name already had a good inkling of the NSA’s capabilities before this dump, not to mention having their own stockpiles of vulnerabilities and offensive tools.
Spies spy and hackers hack. This incident hasn’t changed any of that.
One thing it has illuminated, though, is that perhaps the NSA isn’t as good at keeping its secrets as the agency’s officials would like us to believe. A big part of being an organization that is tasked with keeping secrets is not only being able to defend them, but also convincing people–both allies and adversaries–that you can defend them. For decades, most Americans didn’t even know the NSA existed, let alone what it did or how. That changed gradually as journalists put the pieces together, and the agency became known as the repository and defender of the country’s most valuable secrets.
That image was shattered the day that Edward Snowden walked out the door with a still-unknown amount of the NSA’s most closely guarded information on methods and capabilities. Apart from the damage that Snowden’s actions did to ongoing intelligence operations, they also let Americans and, more importantly, the world at large, know that the NSA could be gotten. That’s where the true long-term effects of his decision may be felt, and we’re beginning to see them even now.
Whoever stole the information in the Shadow Brokers cache–be it an insider or an outside attacker–did so with the knowledge that someone had done the same thing before. And now the NSA, once seen as inscrutable and possibly invincible, has gotten got not once, but twice.