Does the NSA have a duty to disclose zero-day exploits?

To say the National Security Agency (NSA) prefers to lay low and shuns the limelight is an understatement. One joke said about the secretive group, widely regarded as the most skilled state-sponsored hackers in the world, is NSA actually stands for “No Such Agency.”

But now a recent leak has put the group right where it loathes to be—squarely in the headlines. Last month, a group called “The Shadow Brokers” published what it claimed were a set of NSA “cyber weapons,” a combination of exploits, both zero day and long past, designed to target routers and firewalls from American manufacturers, including Cisco, Juniper and Fortinet.

+ Also on Network World: Cisco, Fortinet issue patches against NSA malware +

The exploits were advertised on a variety of outlets in two installments. The first release acted as a sort of teaser for the second, which allegedly had the “best files” for auction at a price of 1 million bitcoins (which at this moment converts to about $628 million). This posting violated Github’s policy forbidding the sale of stolen property, and the site moved quickly to delete the files.

Though the exploits were somewhat outdated, appearing to be from mid-2013, many attested to their authenticity and importance. A new set of documents published by The Intercept from Edward Snowden confirm the leaked files are authentic NSA hacking tools.

The leak marks the first time any full copies of the NSA’s infiltration software have been made available to the public.

One anonymous NSA employee who worked in the NSA’s special hacking division said of the leaked code, “They’re the keys to the kingdom. [The release of these files] would undermine the security of a lot of major government and corporate networks both here and abroad.”

Who did it?

The breach has raised a slew of troubling questions about the scale of the hack and who is ultimately responsible. While the true identity of The Shadow Brokers remains a mystery, Snowden in a set of Twitter messages said, “Circumstantial evidence and conventional wisdom indicates Russian responsibility.”

Obtaining the files was no small feat of espionage. The unchanged file names in the leak indicate they were directly copied from the source, meaning whoever is responsible infiltrated either the top-secret, highly compartmentalized NSA computer servers or other computer networks the agency used to store the files.

Further, the code’s date, mid-2013, indicates the period of time before Snowden’s disclosures to the wider world and before the NSA shuttered the compromised servers and moved code to new ones as a security measure. Some believe the hackers’ access was cut off around then.

Additional questions raised by the hack include why code stolen in 2013 would be released three years later in 2016. Also worth considering is the possibility that The Shadow Brokers is a collective attempting, for whatever reason, to impersonate Russian hackers and that this was an inside job. With so many questions and lack of definitive answers, it’s clear this leak will take a significant amount of time to sort through.

Offense and defense in cybersecurity

What is not murky is the fact that the NSA has been using these tools to spy on customers of technology companies such as Cisco, Fortinet and Juniper for at least a decade. The rise of state-paid cybersecurity in recent years has raised several troubling conflict-of-interest cases like these.

The fact is that cybersecurity tools can be used either for offense (infiltrating computer systems for nefarious purposes) or defense (protecting systems from being compromised by unauthorized users). How these tools are used depends entirely by the person wielding them.

This dichotomy exacerbates tensions between both various branches of government and between government and private industry. Within government, the NSA withholding zero-day exploits for their own use in spying and other offensive maneuvers conflicts with agencies tasked with protecting Americans from attack, like the Department of Homeland Security.

Further, does the NSA have the right to withhold zero-day exploit information from American tech manufacturers such as Cisco, Microsoft and Apple? The rules are still fuzzy. The Obama administration, according to a 2014 New York Times article, has ordered the NSA to disclose security holes it finds in most cases, but these holes can be held in secret if they can be used to serve “a clear national security or law enforcement need.”

Unfortunately, by withholding this information, the NSA has raised the troubling thought that these zero-day exploits may have been used by America’s adversaries for a similar length of time.

The opinions expressed in this Blog are those of Michelle Drolet and do not necessarily represent those of the IDG Communications, Inc., its parent, subsidiary or affiliated companies.