by Shane Harris
“All the work they do is . . . pure white hat,” Neuberger continued, meaning not malicious and intended solely to defend encryption and promote security. “Their only responsibility is to set standards” and “to make them as strong as they can possibly be.”
That is not the NSA’s job. Neuberger seemed to be giving the NIST a get-out-of-jail-free card, exempting it from any responsibility for inserting the flaw.
The 2006 effort to weaken the number generator wasn’t an isolated incident. It was part of a broader, longer campaign by the NSA to weaken the basic standards that people and organizations around the world use to protect their information. Documents suggest that the NSA has been working with NIST since the early 1990s to hobble encryption standards before they’re adopted. The NSA dominated the process of developing the Digital Signature Standard, a method of verifying the identity of the sender of an electronic communication and the authenticity of the information in it. “NIST publicly proposed the [standard] in August 1991 and initially made no mention of any NSA role in developing the standard, which was intended for use in unclassified, civilian communications systems,” according to the Electronic Privacy Information Center, which obtained documents about the development process under the Freedom of Information Act. Following a lawsuit by a group of computer security experts, NIST conceded that the NSA had developed the standard, which “was widely criticized within the computer industry for its perceived weak security and inferiority to an existing authentication technology,” the privacy center reported. “Many observers have speculated that the [existing] technique was disfavored by NSA because it was, in fact, more secure than the NSA-proposed algorithm.”
From NSA’s perspective, its efforts to defeat encryption are hardly controversial. It is, after all, a code-breaking agency. This is precisely the kind of work it is authorized, and expected, to do. If the agency developed flaws in encryption algorithms that only it knew about, what would be the harm?
But the flaws weren’t secret. By 2007, the backdoor in the number generator was being written about on prominent websites and by leading security experts. It would be difficult to exploit the weakness—that is, to figure out the key that opened NSA’s backdoor. But this wasn’t impossible. A foreign government could figure out how to break the encryption and then use it to spy on its own citizens, or on American companies and agencies using the algorithm. Criminals could exploit the weakness to steal personal and financial information. Anywhere the algorithm was used—including in the products of one of the world’s leading security companies—it was vulnerable.
The NSA might comfort itself by reasoning that code-breaking agencies in other countries were surely trying to undermine encryption, including the algorithms that NSA was manipulating. And surely they were. But that didn’t answer the question, why knowingly undermine not just an algorithm but the entire process by which encryption standards are created? The NSA’s clandestine efforts damaged the credibility of NIST and shredded the NSA’s long-held reputation as a trusted, valued participant in creating some of the most fundamental technologies on the Internet, the very devices by which people keep their data, and by extension themselves, safe. Imagine if the NSA had been in the business of building door locks, and encouraged every homebuilder in America to install its preferred, and secretly flawed, model. No one would stand for it. At the very least, consumer groups would file lawsuits and calls would go up for the organization’s leaders to resign.
But the reaction to the NSA’s anti-encryption campaign was relatively subdued. In part, that’s because many experts, cryptologists among them, had long presumed that the agency was up to this kind of work in the shadows. The revelations were informative but not exactly surprising. But there was also a strong sense among lawmakers and US officials that this is what the NSA does. It breaks codes in order to steal information. NIST sets standards through an open, transparent process. That’s anathema to the NSA’s secretive nature. From the NSA’s perspective, the standards-setting body threatens to propagate hard-to-break algorithms and encryption technologies that would do a very good job protecting information—all things that run counter to the NSA’s mission. For years lawmakers who approved the NSA’s budget, and administration officials who oversaw its work, sided with the agency. To the extent that they had any misgivings, they could take some solace that as long as the NSA’s handiwork stayed secret, the damage to Internet security and the United States’ reputation might be minimal. The revelations of 2013 upended those calculations.
Of all the NSA’s dark arts, perhaps none has put the security of the Internet and the people using it more at risk than its secretive quest to build cyber weapons.
For the past two decades, NSA analysts have been scouring the world’s software, hardware, and networking equipment looking for vulnerabilities for which it can craft computer attack methods known as zero day exploits, so called because they take advantage of previously unknown flaws for which no defense has been built. (The target has had “zero days” to prepare for the attack.)
A zero day is the most effective cyber weapon. It provides the element of surprise, which is the ultimate advantage in battle. The zero day exploit is bespoke, tailor-made to use against a specific vulnerability. And because that defenseless point in a system is likely to be patched as soon as the target realizes he’s been hit with a zero day, it may be used only once.
Zero day attacks are especially hard to design because unknown vulnerabilities are hard to find. But the NSA has been stockpiling them for years. In 1997, according to a recently declassified NSA newsletter, at least eighteen organizations in the agency were secretly collecting vulnerability data on technology used by people, businesses, and governments around the world. Today the NSA is widely believed by security experts and government officials to be the single largest procurer of zero day exploits, many of which it buys in a shadowy online bazaar of freelance hackers and corporate middlemen.
This gray market is not precisely illegal, but it operates on the fringes of the Internet. It works like this: security researchers—another term for hackers—find vulnerabilities. (Many of these researchers are based in Europe, where local and national laws against computer hacking are weaker than in the United States.) The researchers then design exploits, or methods for attacking the vulnerability, that only they know about at this point. Next, they sell the exploits to middlemen, which are mostly large defense contractors. Raytheon and Harris Corporation are two major players in the zero day market. They also design traditional weapons systems for the military and are two of the best-established and largest Pentagon contractors. Their ties to the military and to the NSA are deep and long-standing. Also collecting and selling zero days are smaller boutique firms, a number of which are run by former military officers or intelligence officials.
Once the middlemen have the zero days, they sell them to their customer—the NSA. But the supply chain begins with the hacker. To be a good zero day hunter, a hacker has to put himself in the original programmer’s shoes and find the flaws in his design. Automated technology can help. “Fuzzing,” for instance, is a technique that throws unexpected or random data into the inputs of a computer program, hoping to make it crash. Then the hacker looks for the flaw in the system that caused it to fail.
But to find the deepest cracks, a hacker has to devise novel and more clever techniques that force the computer to show him where it’s weak. For instance, in 2005 a PhD student at UCLA discovered that by measuring the “small, microscopic deviations” in the internal clocks of computers, he could uniquely identify one computer out of a network of thousands. The technique would be especially useful, he later wrote in a research paper, to “adversaries thousands of miles” away from the targeted machine who wanted to overcome software meant to hide the machine’s physical location—software such as Tor, the anonymizing router system that the NSA was so keen to disrupt. A year after the paper was published, a researcher at Cambridge University discovered that one could, in fact, find which server in a network was actually running Tor’s anonymizing software, thus defeating its all-important feature. He did this by sending an anonymous Tor server an especially intensive request for information that literally forced the machine to heat up because it was working so hard. The heat changed the rate at which electrons in the computer moved, which in turn affected the accuracy of the clock. He still didn’t know where the anonymous server was located, but he took the unique “clock skew” and queried computers on the public Internet to see if he could find a match. He did. The clock skew gave away the location of the supposedly hidden Tor server. The classified NSA document, “Tor Stinks,” which shows how the NSA tried to defeat the network, indicates that the agency studied both these clock-skew techniques in an attempt to find routers on a network.
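The clock-skew idea described above, as an added example that is not from the book or from either research paper: a host's clock drifts at its own nearly constant rate, so the slope of a least-squares fit of (reported time minus observer time) against observer time is a stable per-host number. The host names, drift rates and timestamp samples are constructed for illustration; the point for a defender is how little data it takes for a reported timestamp (such as a TCP timestamp option) to become a persistent identifier.

```python
"""Clock-skew estimation from reported timestamps (constructed data).

Skew is expressed in parts per million (ppm): a host at +37 ppm gains
37 microseconds of reported time for every second of true time.
"""
import random


def estimate_skew_ppm(samples):
    """Least-squares slope of offset-vs-time, in ppm.

    samples: list of (observed_time_s, reported_time_s) pairs, where
    observed_time_s comes from the observer's own clock.
    """
    n = len(samples)
    xs = [t for t, _ in samples]
    ys = [r - t for t, r in samples]          # offset in seconds
    mx = sum(xs) / n
    my = sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return sxy / sxx * 1e6


def simulate_host(skew_ppm, n, noise_s, seed, base_offset=0.0):
    """Constructed observation series for a hypothetical host.

    One probe per second; reported time = true time + a constant offset
    + drift + Gaussian network jitter (noise_s seconds).
    """
    rng = random.Random(seed)
    out = []
    for i in range(n):
        t = float(i)
        reported = t + base_offset + t * skew_ppm / 1e6 + rng.gauss(0, noise_s)
        out.append((t, reported))
    return out


def match_host(skew_ppm, known_skews, tolerance_ppm=2.0):
    """Names of known hosts whose recorded skew lies within tolerance."""
    return [name for name, s in known_skews.items()
            if abs(s - skew_ppm) <= tolerance_ppm]


if __name__ == "__main__":
    # Hypothetical catalogue of previously measured hosts (constructed).
    catalogue = {"host-a": 12.0, "host-b": 37.0, "host-c": 85.0}
    # One hour of probes against an unknown host with 20 ms jitter.
    unknown = simulate_host(37.0, 3600, 0.02, seed=1, base_offset=123.4)
    est = estimate_skew_ppm(unknown)
    print(f"estimated skew: {est:.2f} ppm")
    print("candidates:", match_host(est, catalogue))
```

The constant offset is deliberately ignored by the fit: only the drift rate carries the identity, which is why a host cannot hide simply by setting its clock to a different time.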
The ingenious ability to suss out such an obscure, barely discernible flaw is what separates good hackers from great ones and leads to the discovery of zero days. Hackers charge a high price for zero day exploits. If they come in “weaponized” form, that is, ready to use against a system, exploits start at around $50,000 and run to more than $100,000 apiece, according to experts. But some exploits command a higher price because their targets are more valuable or harder to penetrate. The going rate on an exploit for Apple’s iOS operating system, used on the iPhone and the company’s other mobile devices, is half a million dollars, says one expert. And more complicated exploits, such as those that rely on flaws in the internal mechanics of a piece of hardware, can cost millions. Those exploits are so expensive because they target the engineering of the machine itself, which cannot be patched in the way software can, with new lines of code. The only organizations with the means and the motive to buy such a weapon are organized criminal groups and governments.
Serious buyers of zero days, such as the NSA, don’t procure them in one-off fashion. They make stockpiles to use in future attacks. The NSA has stored more than two thousand zero day exploits for potential use against Chinese systems alone, according to a former high-ranking government official who was told about the cache in a classified meeting with NSA officials. That is an astonishingly large number of exploits. The Stuxnet computer worm, which the United States built in conjunction with Israel to disable the Iranian nuclear facility, contained four zero day exploits, which is itself a lot for one attack. A collection of two thousand zero day exploits is the cyber equivalent of a nuclear arsenal.
It also puts people around the world at risk. If the NSA is hoarding those vulnerabilities, rather than telling the makers of technology products that they have found flaws in their hardware and software, then the agency is arguably covering up valuable information that could be used to defend against malicious hackers. To be sure, the NSA does use knowledge of zero day exploits to plug holes in technology that it’s using or that might be deployed within the military or intelligence community. But it doesn’t warn the wider world—that would render the zero day exploit less effective, possibly even useless. One of the agency’s eventual targets in China or Iran might be tipped off if the NSA alerted technology companies to flaws in their technology.
But in the shadowy zero day market, there are no guarantees that the NSA is always buying exclusive knowledge about zero days. One controversial vendor, the French company Vupen, sells the same zero day vulnerability information and exploits to attack them to multiple clients, including government agencies in different countries. The NSA is a Vupen client—publicly disclosed documents show the agency has purchased zero day vulnerability information under a subscription plan, through which the agency would have received a minimum number of zero days during the contract period. (Armed with that information, the NSA can build its own weapons.) Vupen also maintains a catalog of sophisticated, ready-to-launch zero day attacks, which cost more than the information available through its subscription plan.
The NSA knows that Vupen doesn’t always make exclusive contracts, so it has to keep buying up more and more zero days, figuring that at least some percentage of them will be rendered useless once another country—or company, or criminal group—uses them. Critics have faulted Vupen for perpetuating a “cyber arms race,” pitting government intelligence agencies and national militaries against one another. Vupen clients know that if they pass on a chance to buy a zero day, the company will find a willing customer someplace else. The vulnerabilities Vupen discovers aren’t unique to one country. Many of them are found in widely sold technology products that are installed around the world. Countries have an incentive, therefore, to buy up as many zero days as they can, both to defend themselves and to attack their adversaries.
Vupen says that it only sells zero day information to “trusted organizations,” which it defines as “security vendors providing defensive solutions,” government organizations in “approved countries,” and “worldwide corporations,” to include those ranked among the top 1,000 by Fortune magazine. This is a long list of potential customers, and Vupen admits that it has no way of ensuring that those who buy its zero day subscription plan or choose a weapon from its catalog won’t turn around and give it to people Vupen might never sell to directly. Executives give vague assurances that they have an internal process for making sure the dangerous products and knowledge they sell aren’t handed off by governments to freelance hackers or mercenaries. This has been a particular concern in North Africa and the Middle East, where repressive regimes trying to crack down on democracy activists have enlisted hackers to unleash commercially available malware to spy on or track down protestors—malware purchased from companies that, like Vupen, say they’d never sell their products for such unsavory purposes. Yet those products show up on the computers and cell phones of activists, some of whom have been rounded up and treated harshly by the authorities and others acting on their behalf.
In any market—gray or otherwise—the biggest buyers have an outsized ability to set terms and conditions. As the reputedly single largest purchaser of zero day vulnerabilities and exploits, the NSA could turn the market on its head if it bought up zero days for the express purpose of disclosing them. The agency has billions of dollars to spend on cyber security. Why not devote some portion of that to alerting the world to the presence of fixable flaws? What responsibility does the agency have to warn the owners and operators of vulnerable technology that the capability of an attack against them exists? That’s an ethical dilemma that the agency hasn’t had to address. But if there is ever a cyber attack on the United States that results in significant physical damage, or causes widespread panic—or deaths—the agency will be called to account for its failure to prevent that disaster. There’s a good chance that some future NSA director, sitting at a witness table before members of Congress and television cameras, will have to explain having known about the vulnerability America’s enemies had exploited, but deciding to keep quiet, because the NSA wanted to use it one day.
The targets that are most vulnerable to a devastating zero day attack are the same ones that the NSA is trying to protect: electrical power plants, nuclear facilities, natural gas pipelines, and other critical infrastructures, including banks and financial services companies. Not all of these companies have a system for easily sharing information about vulnerabilities and exploits that have been discovered and publicly disclosed, often by more defensive-minded hackers who see their job as warning technology manufacturers about problems with their products, rather than trying to profit from them. When companies find out about a risk in their system, it’s up to them to apply patches and defensive fixes, and their technological fluency varies. Some may be prepared to patch systems quickly, others may not even realize they’re using a vulnerable piece of software. They, quite literally, may not have received the memo from the vendor warning that they need to install an update or change the security settings on a product in order to make it safer. Even if a company is using software that receives regular updates over the Internet, the company’s systems administrators have to consistently download those fixes, make sure they’re applied across the company, and stay on watch for more updates. Some find doing that for hundreds or thousands of computers in a single facility a daunting task.
By buying so many zero day exploits, the NSA is helping to prop up a cyber arms market that puts American businesses and critical facilities at risk. The chances are good that if another country or a terrorist group knocks out the lights in a US city, it will use an exploit purchased from a company that also sells them to the NSA. The sellers of zero day exploits also bear at least some notional responsibility for making the Internet less safe. But they tend to blame software manufacturers for building programs that can be penetrated in the first place. “We don’t sell weapons, we sell information,” the founders of exploit seller ReVuln told a reporter for Reuters, when he asked whether the company would be troubled if some of their programs were used in attacks that destroyed systems or caused people to die. “This question would be worth asking to vendors leaving security holes in their products.”
This line of defense is a bit like blaming a locksmith for a burglary. Yes, the locksmith is supposed to make a product that keeps intruders from getting into someone’s home. But if a burglar manages to break in and steal a television or, worse, attack the homeowners, we don’t prosecute the locksmith. Companies such as ReVuln aren’t burglars, but they are selling the equivalent of lock picks. Surely they bear some measure of responsibility, as well, for crimes that are committed—if not a legal responsibility, then a moral one.
And what about the NSA? In the world of burglary, there’s no equivalent for what the agency is doing. No one is out there buying up lock picks. But the NSA also wants to be a kind of security guard for the Internet. What would happen if the guard hired to watch over a neighborhood discovered an open window but didn’t tell the owner? More to the point, what if he discovered a design flaw in the brand of window that everyone in the neighborhood used that allowed an intruder to open the window from the outside? If the security guard didn’t alert the homeowners, they’d fire him—and probably try to have him arrested. They wouldn’t accept as a defense that the security guard was keeping the windows’ flaw a secret in order to protect the homeowners. And the police surely wouldn’t accept that he’d kept that information to himself so that he could go out and rob houses.