TOPICS > Nation

Analyzing the NSA code breach in the context of recent cybersecurity events

August 17, 2016 at 6:10 PM EDT
On Saturday, programming code for National Security Agency hacking tools was shared online. The content appears to be legitimate, but it is not clear if it was intentionally hacked or accidentally leaked. Hari Sreenivasan speaks with The Washington Post’s Ellen Nakashima and Paul Vixie of Farsight Security about where this development fits in the context of other recent cybersecurity breaches.

HARI SREENIVASAN: The National Security Agency’s primary mission is to spy on the electronic communications of countries and people overseas.

Over the weekend, though, sophisticated code the NSA developed to penetrate computer security systems was posted online. This serious breach comes amid the ongoing revelations of the hacking of the Democratic National Committee and other organizations, allegedly by groups linked to Russian intelligence.

For more on this, we turn to The Washington Post national security correspondent Ellen Nakashima, and Paul Vixie. He designed and built some of the software that is the backbone of the Internet today. He is now chairman and CEO of Farsight Security, a computer security firm.

Ellen Nakashima, what happened this weekend? What got released?

ELLEN NAKASHIMA, The Washington Post: Over the weekend, apparently on Saturday, mysteriously, a cache of NSA hacking tools was released online through file-sharing sites such as BitTorrent and Dropbox.

It really wasn’t noticed until about Monday, when the computer security community started commenting on it and questions arose as to whether or not the NSA had been hacked.

HARI SREENIVASAN: So, Paul Vixie, if these lock picks, these digital tools to try break into different systems out are out in the open now, these are the tools that the American government was using, what is the consequence, if it is in the public sphere?

PAUL VIXIE, Farsight Security: Well, I think, every day, everybody is trying to hack everybody. So, this is not huge news.

What’s big news about it is that these tools were built by the U.S. government. Some of the lock picks, as you call them, are now obsolete. They are relying on vulnerabilities that have since been closed, because the files are about 3 years old.

But at least one of them is active against a very current piece of equipment from Cisco. And it is going to lead to a lot of break-ins while the patches are prepared and shipped and then applied.

HARI SREENIVASAN: Ellen Nakashima, what about the idea that some of these are as recent as 2013? Does the NSA know, if this was a hack, if this was something more recent?

ELLEN NAKASHIMA: The NSA officially is not commenting.

But former NSA operators, personnel I have interviewed were — actually recognized the tools that were released and said they were, indeed, legitimate. And they don’t believe that the NSA was actually hacked. They think it is more likely that perhaps one of the operators at the agency inadvertently uploaded a tool set, an entire tool set of tools to a server, a staging server in cyberspace, and didn’t recognize that, and didn’t pull it back down.

And once it was out there, other adversaries, other spy agencies around the world are also sometimes sitting on these same servers. One of them might have noticed it, got it, took a copy of it, and got it, without the NSA realizing it.

HARI SREENIVASAN: Paul Vixie, how many people, companies, governments does this make vulnerable?

PAUL VIXIE: I haven’t seen an estimate of the market size, but, really, we have got at least one of these vulnerabilities that is still current, and the patch is being prepared now.

Unfortunately, some of the ones that are not current are also going to work, because many enterprise networks are not patched up to date. They can’t afford the constant churn of updating their equipment, updating their software.

And so even though some of the vulnerabilities that have been used by these tools are no longer current, they’re still going to — those picks are still going to fit quite a few locks. I don’t really — I would say, in order of magnitude, anywhere between one-tenth and one-half of the customer bases for the largest firewall vendors should really be worried right now.

HARI SREENIVASAN: That still sounds like a pretty large number.

PAUL VIXIE: Yes, that is a large number.

The Internet was originally academic. And when it was built, every one that could reach you was trustworthy. And, of course, that changed in the mid-’90s, when we commercialized and privatized the Internet. And at that time, we started developing this firewall technology that was meant to limit sort of who could reach you or how various people could reach you.

And what that means is, the inside of these networks is very soft, full of soft targets, and tends to rely on firewall to keep it safe. So, any time you have a key that will unlock the firewall and let you do whatever you want to the other side, you suddenly have a very target-rich environment.

HARI SREENIVASAN: Ellen, the people that you have spoken to, are they concerned that kind of the design of these keys would tip off to whoever is using these tools exactly who the NSA targets, how they target them, how they create the breaches in these firewalls?

ELLEN NAKASHIMA: Well, absolutely.

So, that is one of the issues with, you know, a disclosure like this. And I should say there are also some former employees who think it’s more likely that some disgruntled insider stole all the tools and then put them out there, perhaps for some personal profit.

But, in any case, now that they are out there, they are available to other hackers, other spy agencies who could either target companies running these firewalls, or also look and watch to see what the NSA is targeting and exfiltrating as well.

HARI SREENIVASAN: Ellen, in the context the sort of cyberwar that seems to be escalating between Russia and other countries, the fact that this happens now, what are your sources telling you about how these tools could end up in the wrong hands in a political context?


Look, it’s — I don’t think we have any hard evidence as to who is behind the release. It’s, at this point, I think, largely circumstantial that it — some people think it might be Russia.

The timing is certainly notable, or suspect, coming, as you noted, on the heels of some of the hacks of the DNC and the DCCC and the releases of hacked e-mails from the DNC that have been linked to Russia or, more recently, of hacked personal cell phone numbers and e-mail addresses of Democratic lawmakers. That also appears to be coming from Russia.

So, some people think that maybe this is another signal from Russia to the Obama administration, to the White House that is no doubt right now discussing how they might respond to all of these Russian hacks and provocations. It’s a signal to them to say, hey, you know, if you are thinking about retaliating in some way, calling us out, stepping up sanctions, or even responding in kind in cyberspace, think twice, because we can cause you some pain.

HARI SREENIVASAN: And, finally, briefly, Paul Vixie, is there concern in the computer security committee — community whether the NSA can keep its secrets safe?

PAUL VIXIE: There is.

The NSA needs a lot of fairly controversial data and tools in order to accomplish its mission. And we depend on those type — that kind of data, those kind of tools not being generally available.

So, with this disclosure and with the Edward Snowden disclosures of a couple of years ago, there is some concern that maybe there are some types of data, some types of tools that shouldn’t be created at all, because there just isn’t a way to keep them perfectly safe.

HARI SREENIVASAN: All right, Paul Vixie, Ellen Nakashima, thanks so much.