Published by The Lawfare Institute
in Cooperation With
The New York Times published a major story last week, drawing on research from the cybersecurity company Symantec. The story revealed how a group of elite Chinese hackers known as APT3 had apparently gained access to powerful American hacking tools and used them to penetrate governments and companies of American allies. The Times piece and much of the commentary it solicited linked this case to concerns about the National Security Agency’s (NSA’s) ability to protect its most closely guarded and powerful capabilities.
In particular, a lot of the critical analysis cited in the Times reporting focused on the Vulnerabilities Equities Process (VEP), the mechanism through which the U.S. government decides which software weaknesses to exploit for national security purposes and which to turn over to private companies for patching. Other analysts contextualized the Chinese success with the NSA’s repeated failures in operational security. These analysts noted that the very same exploit apparently repurposed by the Chinese was also included in a trove of files that a group known as the Shadow Brokers somehow took from the NSA and leaked online.
To be sure, the fact that the same files ended up in the hands of two different adversaries is not a good look for the agency. Nor does this new story come at a good time. The NSA has indeed suffered other egregious breaches of operational security in recent years. Even the agency’s former director, Michael Hayden, when asked to comment on the Shadow Brokers’s leaks and how they helped enable cyber attacks that caused more than $10 billion of damage, said of his former colleagues that “[i]f they cannot protect the tools, I just can’t mount the argument to defend that they should have them. This is the one that, unless resolved, I think actually could constitute a legitimate argument to do less.” Last week’s Times story adds fuel to the multiyear firestorm of withering criticism.
But, when considering the recent case, to focus on the VEP and operational security is to look only inward at American government policies and attend to only part of the problem, when one should also look outward at the growing capabilities of American adversaries and what that means for U.S. intelligence policy.
The NSA has a tough job: It must both assist with the defense of American computer networks as well as hack foreign computer networks, often running the exact same software, in order to gather intelligence. To balance these missions, the NSA has long used the term NOBUS—for “Nobody But Us”—to refer to situations in which its capabilities outmatch those of other actors. In theory, NOBUS permits a solution to the balancing act between offense and defense that the NSA must perform. Like a gymnast setting the high bar to a height only she can clear, NOBUS meant the agency could retain and deploy hacking capabilities that are so complex, esoteric or hidden that it alone can use them, while turning the ones others can employ over to vendors for remediation. For example, if exploiting a certain cryptographic backdoor required supercomputers only the NSA possessed, then that capability would be a NOBUS one.
The problem is that the NOBUS advantage is receding. I wrote a Hoover Institution paper almost two years ago that argued that the increasing capabilities of American adversaries, as well as a variety of other factors, were leveling the playing field of cyber operations and eroding key American advantages. With fewer NOBUS capabilities available, balancing acts like the one the VEP is meant to achieve become harder still; there are by definition fewer instances in which the United States can be confident that other nations cannot discover or match its capability. With more capable adversaries, operational security is likewise more difficult.
This recent case thus seems less like an egregious blunder or preventable failure of operational security—though the agency may have made mistakes we don’t know about—and more like a reminder of American adversaries’ growing sophistication and abilities. While the United States has long enjoyed a number of structural advantages and head starts in time and resources, nations like China and Russia have built up their own capable teams of hackers, engineers and forensic experts. They can, as in the case the Times reports, detect the NSA’s hackers and seemingly reuse the advanced American hacking tools they observe. In the world of unfettered signals intelligence competition, these adversaries get a vote. As the Shadow Brokers revelations and this case apparently show, they are not afraid to cast it.
The problem is what to do about it. Though it is hard to know for sure, it does not seem that the NSA’s operators made any major mistakes here. Nor is it clear that making different decisions in the VEP or changing operational security procedures would have led to a different outcome. The details are sparse, but the best working theory of what happened is that the Chinese hackers observed the NSA and its tools in action and then used that to enable their own operations. As I detailed in my book “The Cybersecurity Dilemma,” the NSA does the same thing to the foreign hackers it tracks. This sort of operational discovery and reuse is relatively rare but seems to be part of the price for carrying out cyber operations in a world in which adversaries are increasingly powerful. If the agency is going to hack to collect intelligence, it inevitably runs the risk of discovery, as Rob Lee points out.
Much of the world of modern cyber operations is often hidden from view, obscured by classification and technical complexity. Occasionally, revealing events emerge, often aided by private-sector research. This seems to be one of those cases. While the case will no doubt be used to argue for various policy agendas, its best utility is as a reminder of an important overarching fact: At least based on public information, the era of NOBUS is ending rapidly, and the United States is no longer alone.