Leaks of computer vulnerability exploits from the NSA and CIA in recent months have erased any doubt that the intelligence agencies are in the business of collecting and using exploits as part of their surveillance missions. The unleashing of WannaCry ransomware on aging Windows systems also erased any doubt that the agencies have their own security holes.
“The fact that security agencies are creating and collecting vast quantities of exploits should be a concern to everyone,” says Lee Munson, security researcher at Comparitech. “No intelligence service is going to share potent cybertools or weapons with commercial organizations when they can be put to far better use through industrial espionage or even cyberwarfare.”
The recent exploit leaks, still not confirmed by either agency, have prompted Microsoft and some digital-rights groups to renew their calls for the agencies to share vulnerabilities with tech vendors instead of hoarding them for their own use. By stockpiling exploits, they argue, intelligence agencies are withholding information that could lead to more secure computing devices. And because of inevitable leaks of stockpiled exploits, they say, the agencies are also making the Internet far less secure.
Previously undisclosed exploits held by government agencies are “getting out regularly enough that we have many clear examples of how dangerous unpatched vulnerabilities can be,” says Andi Wilson, a cybersecurity policy analyst with the New America Foundation’s Open Technology Institute, or OTI.
Wilson acknowledges, however, that U.S. intelligence workers, like their peers abroad, have no plans to stop stockpiling exploits.
There’s a race among intelligence agencies around the world to stockpile these exploits, she says. “There is an incentive structure that encourages the intelligence community to keep vulnerabilities—especially the most dangerous ones—they find secret.”
There are no easy answers to the problem.
Some digital-rights groups, including OTI and Public Knowledge, are backing legislation called the Protecting Our Ability to Counter Hacking Act. The so-called Patch Act, introduced by a bipartisan group of U.S. lawmakers in May, would require federal agencies to establish policies on when they share vulnerabilities. A new Vulnerabilities Equities Review Board, including the secretary of homeland security, the director of the FBI, and the director of national intelligence, would lead the policy development process.
Getting intelligence agencies to share more vulnerabilities isn’t pure fantasy, given that “they tell us that they already do,” Wilson says. The NSA, in 2015, reported having shared 91 percent of the vulnerabilities it found with vendors, though some critics questioned the timing of the disclosures.
The best way to address the incentive against sharing is “to ensure that there is a transparent review process with strict limitations on what vulnerabilities can be kept secret and how long that they can be held for,” Wilson says. “The Patch Act is a great step toward this.”
Still, many security experts believe that it’s unreasonable to expect the NSA and CIA to disclose many of the exploits they use to spy on terrorism suspects and others.
Some security experts point to a need for improved cybersecurity at the NSA and CIA, though it’s unclear how the recent leaks happened, and the agencies aren’t forthcoming about their current security practices and technologies.
There are numerous avenues for information to escape the agencies. Famed NSA leaker Edward Snowden smuggled a huge amount of data outside of the agency on a thumb drive. In early June, a 25-year-old contractor was arrested for allegedly leaking a classified NSA report she’d printed to a news organization.
“There’s only so much you can do to protect the information,” says former NSA staffer Oren Falkowitz, now CEO of Area 1 Security. “There’s really nothing to stop an individual from printing everything out and walking out the door with it.”
Intelligence agencies should look into better ways to encrypt data at rest, including proxy re-encryption, says Phillip Hallam-Baker, principal scientist at security vendor Comodo. “Every sensitive document should be protected using strong cryptography at all times,” he says.
But the leaks at intelligence agencies may be more closely related to organization culture than technology, say Falkowitz and fellow NSA veteran Charles “Hank” Thomas, COO of cybersecurity VC firm Strategic Cyber Ventures.
The information-sharing culture of the Internet has devalued information to the point where intelligence agency workers don’t think about the consequences of leaking classified documents, Falkowitz says.
It’s not a coincidence that these latest leaks come at the same time as Congress voted to allow Internet service providers to sell customer-browsing histories and other personal information, he says. And many Internet users are perfectly willing to trade their personal information to play an online game or use an app.
“If we’re careless with our own data, it becomes easier to be careless with other people’s data,” Falkowitz adds.
Meanwhile, the U.S. Department of Defense and intelligence agencies seem to de-emphasize operational security as a core priority, Thomas says.
Operational security “used to be a part of everything you did,” the former Army intelligence officer says. But in recent years, “a lot of these agencies are unwilling to try to impose the same level of [operations security] requirements on their employees…It’s almost as if the HR departments have more power than the operational-security folks.”
Thomas says tech companies shouldn’t expect intelligence agencies to start sharing significantly more information on exploits. The intelligence community, he says, “should never compromise its ability to break into every known communication system in the world, by any constituently permissible means necessary, that an adversary might be using or might use in the future.”
Instead, Thomas recommends that civilian government agencies such as the Department of Homeland Security work independently from intelligence agencies to find vulnerabilities and report them to technology vendors.
DHS, he says, “should be working just as hard to identify these vulnerabilities and share them with the public.”