CYBERSECURITY AND THE DEVASTATING LEAK OF THE NSA’S CYBER TOOLS
My previous post on computer hacking and cyberwarfare began my overview of New York Times cybersecurity reporter Nicole Perlroth’s book, This Is How They Tell Me the World Ends. [1] My post summarized the book’s information on the scale of computer hacking, cybercrime, and cyberwarfare, while also outlining two examples from the book:
· The 2017 worldwide ransomware attack by North Korea using a Microsoft Windows vulnerability stolen from the U.S. National Security Agency (NSA), and
· The 2009 cyberwarfare attack by the NSA on Iran’s uranium enrichment plant.
This post provides an overview of the book’s reporting on:
· Electronic surveillance in the U.S. and the use of encryption technology to protect privacy, and
· Leaks from the NSA, including of its cyberwarfare tools.
After the September 11, 2001, attacks, the U.S. greatly expanded its electronic surveillance within the U.S. In 2013, Edward Snowden, a consultant for the NSA and a former CIA employee, released thousands of classified NSA documents. They described activities the NSA was engaged in, including mass surveillance of Americans. Among many other things, the documents revealed that the NSA was secretly surveilling users of Microsoft, Facebook, Google, and Yahoo and that in a single day it had collected roughly 445,000 Yahoo email address books, 105,000 from Hotmail, 83,000 from Facebook, 34,000 from Gmail, and 23,000 from other providers.
Snowden was charged with espionage. He left the country prior to releasing the NSA documents and is living in Russia under a grant of asylum. In 2020, a U.S. federal court ruled that the NSA's mass surveillance program exposed by Snowden was illegal and possibly unconstitutional.
As a response to U.S. government surveillance and cyber hacking, software and hardware providers started offering users’ the ability to encrypt their data. Initially, intelligence agencies and law enforcement had ways to overcome the encryption and access the data, typically with the assistance of the product’s provider. Then in 2014, in the wake of the Snowden revelations, Apple announced that the iPhone 6 would automatically encrypt everything on the phone using the phone user’s unique password, making the data impossible to unencrypt by anyone else. Previously, Apple had a key that could unencrypt a user’s data when requested by law enforcement. The FBI and those running government surveillance programs were upset and concerned about this truly secure encryption, but there was strong support from users because they valued their privacy.
A year later, two terrorists, who had sworn allegiance to ISIS, shot and killed 14 people and injured 22 at the San Bernadino, CA, health department. The terrorists fled and were killed in a shootout within hours. One piece of evidence recovered was an encrypted iPhone. The FBI demanded that Apple unencrypt the phone, which apparently it could not, and also demanded that Apple change its software to allow the FBI to unencrypt data in the future. Apple refused, pointing out that if there was such a capability others would want access to it too and that hackers would be able to find it as well.
The FBI initiated a court case to force Apple to allow it access to iPhone data, but four months after the shooting it abruptly dropped the case. It turned out that an unidentified hacker had sold the FBI a way to overcome the encryption. Surprisingly, the FBI Director, Comey, admitted that it had paid the hacker at least $1.3 million for this capability. This was the first time the U.S. government had admitted to paying a hacker a large sum to give it access to a vulnerability in a widely used electronic device or piece of software. The FBI claimed that it did not know what the underlying flaw was and that it had no intention of letting Apple know so it could fix it.
Apple was correct, of course, in stating that any ability of the FBI or U.S. intelligence agencies to circumvent the encryption of users’ data would eventually be available to others, including those with less scrupulous intentions(assuming you believe U.S. intelligence agencies and the FBI always have scrupulous intentions). International adversaries and individual computer hackers are constantly uncovering computer software and hardware vulnerabilities. They use or sell these vulnerabilities to obtain unauthorized access to data, for use in international cyberwarfare, or for use for private gain through theft of money, trade secrets, or other valuable information. These computer vulnerabilities can also be used in ransomware attacks, where computer systems are disabled or data stolen for nefarious use unless a ransom is paid.
Probably the worst piece of news for the U.S. intelligence agencies in the history of cyberwarfare was the leak of the NSA’s tools and techniques in 2016 and 2017. While Snowden’s leaks revealed what the NSA was doing, these leaks revealed, in detail, specifically how it was doing its cyber espionage and cyberwarfare.
Over a nine-month period, an unknown individual or individuals leaked specific software vulnerabilities and the computer code the NSA was using to exploit them. These NSA hacking tools had been stolen and were now being released publicly on the Internet, sharing the world’s most powerful cyber arsenal with anyone and everyone who might want to use it. These NSA cyber weapons were used, for example, by North Korea in its global ransomware attack (described in my previous post) and by Russia in its devastating attack on the Ukraine in 2017 (to be described in my next post).
The leak of the NSA’s cyber weapons exposed what was probably the biggest federal program the public had never heard of, a cyber espionage and warfare effort so classified it was invisible: hidden through blacked out budgets, large cash transactions, shell companies, contractors, and nondisclosure agreements required of everyone involved in it.
In subsequent posts, I will outline the Perlroth book’s reporting on:
· Russia’s cyberattacks on Ukraine,
· The Chinese attack on Google and Google’s response,
· The cyberattacks on U.S. elections and the Trump administration’s response, and
· What can be done to counter cybercrime and warfare at the individual and governmental levels.
[1] Perlroth, N. This Is How They Tell Me the World Ends. Bloomsbury Publishing, NY, NY. 2021.