GAO: Keeping NSA and CYBERCOM Together Makes Hacking Tool Leaks More Likely

Pablo Martinez Monsivais/AP Adm. Michael Rogers testifies about the U.S. Cyber Command budget on Capitol Hill in Washington, Tues., May 23.

The release of high-value NSA hacking tools in recent months sparked widespread concern about how securely those tools are stored.

The fact the National Security Agency shares so many of its hacking tools with its sister organization U.S. Cyber Command makes it more likely those tools will be leaked to nefarious hackers, a watchdog says.

NSA shares its tools with several elements of the military and intelligence community, but because NSA and CYBERCOM share a single leader in Adm. Michael Rogers, cooperation with CYBERCOM is particularly prevalent—and particularly risky, according to the Tuesday report from the Government Accountability Office.

Numerous leaks of high-value NSA hacking tools in recent months by the group Shadow Brokers have sparked widespread concern about how securely those tools are stored.


Leaked NSA hacking tools cause two discrete problems. First, if non-U.S. governments and organizations patch their systems against the secret digital vulnerabilities NSA found, that impedes the agency from doing its main job of spying on U.S. adversaries.

Second, hackers can use the exposed vulnerabilities to target unsuspecting victims.

An NSA vulnerability leaked by Shadow Brokers was at the root of the recent WannaCry ransomware attack that affected computers across the globe, as well as WannaCry's successor, known as NotPetya. That attack posed as ransomware—in which a hacker seizes and holds the victim’s data until a ransom is paid—but was actually aimed at destroying information, according to cybersecurity researchers.

GAO’s concern about hacking tools leaking came as part of a broader assessment of the advantages and disadvantages of splitting CYBERCOM from NSA.

Advocates and privacy hawks in Congress have pushed for that split for several years. The Defense Department officially supports the division once CYBERCOM is sufficiently mature, but there’s no firm time frame for when it will happen.

There are several other arguments in favor of ending the “dual hat” relationship, according to GAO, including that the scope of responsibilities for the joint position may simply be too broad for one person.

There’s also an inherent tension between the priorities of an intelligence agency that wants to retain digital exploits to spy on adversaries, and a military command that would, in many cases, prefer to alert industry to those vulnerabilities to ensure U.S. companies and consumers are secure, GAO said.

Finally, other agencies are concerned that NSA will prioritize CYBERCOM requests for assistance over requests from their agencies, the congressional watchdog said.

The argument for retaining the dual hat structure is that it allows NSA and CYBERCOM to use resources more efficiently, make decisions faster and collaborate more effectively, GAO said.

Tuesday’s report also found the DOD has been lax in implementing some of its cybersecurity development priorities and has marked others as complete before they were truly completed.

The report recommends that DOD implement stricter criteria for when it has completed the tasks listed in its 2015 Cyber Strategy and establish a better time frame for objectives in its Cybersecurity Discipline Implementation Plan.

DOD mostly agreed with the recommendations.

A separate GAO blog post published Tuesday noted confusion about CYBERCOM’s role when the Homeland Security Department requests help during domestic cyber incidents.

CYBERCOM is the lead command for such support according to DHS and the command itself, but U.S. Northern Command and Pacific Command told GAO they “consider cyber incident response to be in their authority, and expect their command to lead civil support activities for cyber incidents in their regions, with U.S. Cyber Command acting in a supporting role.”

That “lack of command clarity could hinder the timeliness or effectiveness of critical DOD support to civil authorities in response to a cyber incident,” GAO found.

NORTHCOM’s region covers the continental United States and Alaska; PACOM’s region includes Hawaii.