The disclosure this week of a cache of files supposedly stolen from the National Security Agency has put a spotlight on the secret cyber weapons the NSA has been holding, and on whether the vulnerabilities behind them should be disclosed.
Security researchers have been poring over a sample set of hacking tools that may have been stolen from the NSA.
An anonymous group called the Shadow Brokers has posted the samples online and is auctioning off the rest, claiming they contain cyber weapons that rival the Stuxnet computer worm.
Experts say the whole matter points to the danger of the NSA hoarding cyber weapons: they could fall into the wrong hands.
“This theory that the NSA can keep them safe, and that nobody will find out, doesn’t seem to hold water,” said Ross Schulman, a cyber security co-director at the New America think tank.
At the heart of the matter are zero-day vulnerabilities and whether the U.S. government should keep its knowledge of them a secret.
These zero-days are vulnerabilities in software products that not even the vendors know about, so no patch exists for them. They can be extremely valuable to both criminal hackers and governments, especially for cyberespionage: an intelligence agency like the NSA can use one to break into a target system and collect strategic information. However, a zero-day is only useful for as long as it stays secret; once the vendor learns of it, it will be patched and any exploit that depends on it stops working.
As a result, the NSA regularly collects and even buys vulnerabilities, reportedly spending millions, but it does not always disclose them to the affected vendors. That can leave vendors and their customers exposed to the same flaws the agency is exploiting.
Security experts now wonder if that approach is backfiring. This week, Cisco was forced to publish a security advisory in the wake of the new disclosure. An exploit included among the leaked samples relies on a zero-day vulnerability in a Cisco firewall that could be more than three years old, meaning customers may have been exposed for that long.
Jeremiah Grossman, chief of security strategy at SentinelOne, said he isn’t surprised that NSA hacking tools may have leaked.
“This is the risk when you have an increasingly large vulnerability repository that’s been around for a while,” he said. “You’ve got to expect this will happen.”
Although the NSA has legitimate reasons for keeping some cyber weapons, Grossman said there needs to be more public discussion on what its policies should be and how vendors can ensure their products are protected.
“We’re going to need the government’s help to do defense, not just offense,” he said.
The government's disclosure policy isn’t very transparent today. Although the NSA claims to release 91 percent of the vulnerabilities it finds, there’s still no public data to verify that figure, said Jason Healey, a researcher at Columbia University.