As The New York Times reported on November 12th, Jake Williams awoke last April in an Orlando, Florida hotel where he was leading a training session. Checking Twitter, Mr. Williams, a cybersecurity expert, found that he had been thrust into the middle of one of the worst security nightmares of American intelligence.
Mr. Williams had written on his company blog about the Shadow Brokers, a mysterious group that had somehow obtained many of the hacking tools the United States used to spy on other countries. Now the group had replied angrily online. It identified him as a former member of the National Security Agency's hacking group, Tailored Access Operations, or TAO, a job he had not publicly disclosed. Then the Shadow Brokers revealed technical details that made it clear they knew about highly classified hacking operations that he had conducted.
Conclusion? America's largest and most secretive intelligence agency had been deeply infiltrated.
The shock to Mr. Williams was part of a much broader disaster that has shaken the NSA to its core. Current and former agency officials say the Shadow Brokers disclosures, which began in August 2016, have been catastrophic for the NSA, calling into question its ability to protect potent cyberweapons and its value to national security. The agency hailed as the world's leader in breaking into adversaries' computer networks had failed to protect its own.
Fifteen months into a wide-ranging investigation by the agency's counterintelligence arm, known as Q Group, and the FBI, officials still do not know whether the NSA is the victim of a brilliantly executed hack, with Russia as the most likely perpetrator, an insider's leak, or both. Three employees have been arrested since 2015 for taking classified files, but there is fear that one or more leakers may still be in place. There is widespread agreement that the damage from the Shadow Brokers already far exceeds the harm to American intelligence done by Edward J. Snowden.
Created at enormous expense to American taxpayers, our cyberweapons have now been picked up by hackers from North Korea to Russia and fired back at the United States and its allies.
Much of the NSA's arsenal is still being replaced, limiting operations. Morale is in the tank, and experienced specialists are leaving the agency for better-paying jobs — including with firms defending computer networks from intrusions that use the NSA's leaked tools.
Russia is the prime suspect in a another leak of hacking tools and secret documents from the CIA's Center for Cyber Intelligence, posted week after week since March to the WikiLeaks website under the names Vault7 and Vault8. That breach, too, is unsolved. The tsunami of digital secrets leaked from agencies that invest huge resources in preventing such breaches is raising profound questions.
Some veteran intelligence officials believe a focus on offensive weapons and hacking tools has left American cyberdefense dangerously weak. "We have had a train wreck coming," said Mike McConnell, the former NSA director and national intelligence director. "We should have ratcheted up the defense parts significantly."
In the meantime, Russia's most prominent cybersecurity firm, Kaspersky Lab, had started hunting for the spying malware planted by NSA hackers, guided in part by the keywords and code names in the files taken by Mr. Snowden and published by journalists. The TAO hackers knew that when Kaspersky updated its popular antivirus software to find and block the NSA malware, it could defeat spying operations around the world. Therefore, TAO hackers moved to replace implants in many countries with new malware they did not believe the Russian company could detect.
In February 2015, Kaspersky published its report on the Equation Group — the company's name for TAO hackers — and updated its antivirus software to extract the NSA malware wherever it had not been replaced. The agency temporarily lost access to a considerable flow of intelligence.
The leaks have reinvigorated a debate over whether the NSA should be permitted to stockpile vulnerabilities it discovers in commercial software to use for spying rather than immediately alerting software makers so the holes can be plugged. The agency claims it has shared with the industry more than 90 percent of flaws it has found, reserving only the most valuable for its own hackers. But if it can't keep those from leaking, as the last year has clearly demonstrated, the resulting damage to businesses and computer users around the world can be monumental. The Trump administration says it will soon announce revisions to the system, making it more transparent.
I am not holding my breath waiting for that to happen. But I do worry that Russia is outpacing us in cybersecurity offensive and defensive measures – and that we have been woefully slow to response to a clear case of "throwing the gauntlet down."
E-mail: firstname.lastname@example.org Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology