NSA Confronts a Problem of Its Own Making

The National Security Agency campus in Fort Meade, Md. Patrick Semansky/AP File Photo

Recent cyberattacks show what happens when America’s secret-keepers can’t keep their secrets.

It is hard to imagine more fitting names for code-gone-bad than WannaCry and Eternal Blue. Those are just some of the computer coding vulnerabilities pilfered from the National Security Agency’s super-secret stockpile used in two separate global cyber attacks in recent weeks.

An attack Tuesday featuring Eternal Blue was the second of these to use stolen NSA cyber tools—disrupting everything from radiation monitoring at Chernobyl to shipping operations in India. Fort Meade’s trove of coding weaknesses is designed to give NSA an edge. Instead, it’s giving NSA heartburn. And it’s not going away any time soon.

As with most intelligence headlines, the story is complicated, filled with good intentions and unintended consequences.

Home to the nation’s codebreakers and cyber spies, NSA is paid to intercept communications of foreign adversaries. One way is by hunting for hidden vulnerabilities in the computer code powering Microsoft Windows and all sorts of other products and services that connect us to the digital world. It’s a rich hunting ground.

The rule of thumb is that one vulnerability can be found in about every 2,500 lines of code. Given an Android phone uses 12 million lines of code, we’re talking a lot of vulnerabilities. Some are easy to find. Others are really hard. Companies are so worried about vulnerabilities that many—including Facebook and Microsoft—pay “bug bounties” to anyone who finds one and tells the company about it before alerting the world. Bug bounties can stretch into the hundreds of thousands of dollars.

NSA, which employs more mathematicians than any organization on Earth, has been collecting these vulnerabilities. The agency often shares the weaknesses it finds with American manufacturers so they can be patched. But not always.

As NSA Director Mike Rogers told a Stanford audience in 2014, “the default setting is if we become aware of a vulnerability, we share it,” but then added, “There are some instances where we are not going to do that.” Critics contend that’s tantamount to saying, “In most cases we administer our special snake bite anti-venom that saves the patient. But not always.”

In this case, a shadowy group called the Shadow Brokers (really, you can’t make these names up) posted part of NSA’s collection online, and now it’s O.K. Corral time in cyberspace. Tuesday’s attacks are just the beginning. Once bad code is “in the wild,” it never really goes away. Generally speaking, the best approach is patching. But most of us are terrible about clicking on those updates, which means there are always victims—lots of them—for cyber bad guys to shoot at.

WannaCry and Eternal Blue must be how folks inside NSA are feeling these days. America’s secret-keepers are struggling to keep their secrets. For NSA, this new reality must hit especially hard. For years, the agency was so cloaked in secrecy, officials refused to acknowledge its existence. People inside the Beltway joked NSA stood for “No Such Agency.” When I visited NSA headquarters shortly after the Snowden revelations, one public-affairs officer said the job used to entail watching the phones ring and not commenting to reporters.

Now, NSA finds itself confronting two wicked problems—one technical, the other human. The technical problem boils down to this: Is it ever possible to design technologies to be secure against everyone who wants to breach them except the good guys?

Many government officials say yes, or at least “no, but…” In this view, weakening security just a smidge to give law-enforcement and intelligence officials an edge is worth it. That’s the basic idea behind NSA’s vulnerability collection: “If we found a vulnerability, and we alone can use it, we get the advantage.” Sounds good, except for the part about “we alone can use it,” which turns out to be, well, dead wrong.

That’s essentially what the FBI argued when it tried to force Apple to design a new way to breach its own products so special agents could access the iPhone of Syed Rizwan Farook, the terrorist who, along with his wife, killed 14 people in San Bernardino. Law-enforcement and intelligence agencies always want an edge, and there is a public interest in letting them have it.

As former FBI Director James Comey put it, “There will come a day—and it comes every day in this business—where it will matter a great deal to innocent people that we in law enforcement can’t access certain types of data or information, even with legal authorization.”

Many leading cryptographers (the geniuses who design secure communications systems) and some senior intelligence officials say a technical backdoor for one is a backdoor for all. If there’s a weakness in the security of a device or system, anyone can eventually exploit it. It may be hard, it may take time, it may take a team of crack hackers, but the math doesn’t lie.

It’s nice to imagine the FBI and NSA are the only ones who can exploit coding vulnerabilities for the good of the nation. It’s also nice to imagine I’m the only person my teenage kids listen to. Nice isn’t the same thing as true. Former NSA Director Mike Hayden publicly broke with many of his former colleagues last year.

“I disagree with Jim Comey,” Hayden said. “I know encryption represents a particular challenge for the FBI. ... But on balance, I actually think it creates greater security for the American nation than the alternative: a backdoor.”

Hayden and others argue digital security is good for everyone. If people don’t trust their devices and systems, they just won’t use them. And for all the talk that security improvements will lock out U.S. intelligence agencies, that hasn’t happened in the 40 years of this raging debate. That’s right. 40 years.

Back in 1976, during the first “crypto war,” one of my Stanford colleagues, Martin Hellman, nearly went to jail over this dispute. His crime: publishing his academic research that became the foundational technology used to protect electronic communications. Back then, some NSA officials feared securing communications would make it harder for them to penetrate adversaries’ systems. They were right, of course—it did get harder. But instead of “going dark,” U.S. intelligence officials have been “going smart,” finding new ways to gather information about the capabilities and intentions of bad guys through electronic means.

NSA’s second wicked problem is humans. All the best security clearance procedures in the world cannot eliminate the risk of an “insider threat.” The digital era has supersized the damage one person can inflict. Pre-internet, traitors had to sneak into files, snap pictures with hidden mini-cameras and smuggle documents out of secure buildings in their pant legs or a tissue box. Edward Snowden could download millions of pages onto a thumb drive with some clicks and clever social engineering, all from the comfort of his own desktop.

There are no easy solutions to either the technical or human challenge NSA now faces. Tuesday’s global cyber attack is a sneak preview of the movie known as our lives forever after.

Talk about WannaCry.
