The Equation Group was like something out of a Hollywood film: A hacking team of unparalleled sophistication and skill who cracked open computer systems around the world like pistachio shells, yet escaped detection for 14 years until being noticed by the security researchers at Kaspersky Lab last year. They were also widely believed to be affiliated with the National Security Agency—most likely working with or from the NSA’s elite Tailored Access Operations unit. Last weekend, the world learned that these hackers nonpareil had themselves apparently been hacked, when a group calling themselves the Shadow Brokers (likely a reference to the popular Mass Effect video game series) posted a cache of what they claimed were some of Equation Group’s “cyberweapons,” or computer exploitation tools, on the Web for all to see—along with an offer to sell even more valuable intrusion software they’d obtained to the highest bidder.
While the government hasn’t acknowledged the authenticity of the supposedly hacked files, security experts, including former NSA hackers who’ve spoken to press, agree that the files are the real deal. In fact, they included an exploit that attacks a critical “zero day” (i.e. previously unknown) vulnerability in network routers manufactured by the hardware giant Cisco. That’s particularly disturbing given that the files released this weekend all appear to date from 2013—which means that the “Shadow Brokers,” along with anyone they’d shared the code with—may have had up to three years to run wild on sensitive corporate networks. Moreover, most experts believe that the offer to “auction off” additional Equation Group tools (pitched in comically broken English) is a smokescreen: The most popular current theories are that the “Shadow Broker” files come from either an NSA insider or a foreign intelligence agency (Russia’s is the leading candidate) that managed to breach a “staging server” used to launch Equation Group attacks. Former NSA contractor Edward Snowden has publicly said that this is not the first time an NSA attack server has been similarly compromised by a foreign adversary—only the first time the hackers have chosen to publicize it.
Whatever the true identity and motives of the Shadow Brokers, there are some clear policy lessons to take away from this. The first concerns the “Vulnerability Equities Process”—which is how the American intelligence community decides whether and how long to hang on to software vulnerabilities they discover before notifying developers so that these cybersecurity holes can be patched. Back in 2014, federal cybersecurity coordinator Michael Daniel insisted in a post on the White House blog that the process is strongly weighted in favor of disclosure. The government, he assured the public, understands that “[b]uilding up a huge stockpile of undisclosed vulnerabilities while leaving the Internet vulnerable and the American people unprotected would not be in our national security interest.”
Yet surely by every criterion of evaluation Daniel himself lays out, the Cisco vulnerability—key to an exploit tool codenamed ExtraBacon—was a prime candidate for disclosure. It’s a high-severity vulnerability that would allow an attacker to effectively monitor all traffic on a compromised network, affecting the leading manufacturer of network routing equipment, and thus leaving a vast number of both American and foreign companies subject to attack. For precisely those reasons, of course, the ExtraBacon exploit would have been of great value to the NSA, and the temptation to at least temporarily make use of it must have been equally strong. The decision to do so may well have been correct initially. Yet failing to notify Cisco of such a grave security hole for three full years is simply indefensible—and as we now know, left users and firms alike at the mercy of the malicious actors who had obtained the code. (The past tense is actually inappropriate here: As of this writing Cisco has not yet released a full patch, and many networks will doubtless remain vulnerable for some time even after a fix is available.) Almost by definition, a process that led to this outcome is dysfunctional.
This hack also ought to give pause to anyone swayed by the government’s assurances that we can mandate government backdoors in encryption software and services, allowing the “good guys” (law enforcement and intelligence agencies) to access the communications of criminals and terrorists without compromising the security of millions of innocent users. If even the NSA’s most closely guarded hacking tools cannot be secured, why would any reasonable person believe that keys to cryptographic backdoors could be adequately protected by far less sophisticated law enforcement agencies? The Equation Group hack is a disturbingly concrete demonstration of what network security experts have been saying all along: Once you create a backdoor, there is no realistic way to guarantee that only the good guys will be able to walk through it.