Pages

12 May 2017

WHO IS PUBLISHING NSA & CIA SECRETS — AND WHY? “THERE IS SOMETHING GOING ON IN THE INTELLIGENCE COMMUNITIES IN AT LEAST TWO COUNTRIES — AND, WE HAVE NO IDEA WHAT IT IS”

By RC Porter 

Noted, and internationally renowned cyber expert, Bruce Schneier, had an article on April 27, 2016 on the LawFare.com, with the title above. Mr. Schneier begins with this observation: “There is something going on inside the intelligence communities in at least two countries; and, we have no idea what it is. Consider these three data points,” Mr. Schneier wrote: “Someone, probably a country’s intelligence organization, is dumping a massive amount of cyber tools belonging to the NSA on the Internet; Two: someone else, or maybe the same someone, is doing the same thing to the CIA; Three: in March, Deputy Director of the NSA, Richard Ledgett, described how the NSA penetrated the computer networks of a Russian intelligence agency; and, was able to monitor them as they attacked the U.S. State Department in 2014. Even more explicitly, a U.S. ally — my guess (Mr Schneier) is the U.K. — was not only hacking the Russian intelligence agency’s computers; but, also the surveillance cameras inside their building,” Mr. Schneier wrote. “They [the U.S. ally], monitored the [Russian] hackers as they maneuvered throughout the U.S. systems, and as they walked in and out of the work-space, and were able to see faces,” the official said.

“Countries don’t often reveal intelligence capabilities: “sources and methods.” Because it gives their adversaries important information about what to fix, it is a deliberate decision done with good reason. And, it’s not just the target country who learns from a reveal. When the U.S. announces it can see through the cameras inside the buildings of Russia’s cyber warriors, other countries immediately check the security of their own cameras,” Mr. Schneier observes.


“With all this in mind,” Mr. Schneier wrote, “let’s talk about all the leaks at [the] NSA, and the CIA.”

“Last year, a previously unknown group known as ‘the Shadow Brokers,’ started releasing NSA hacking tools, and [associated] documents from about three years ago. They continued to do so this year — five sets of files in all — and implied that more classified documents are to come. We do not know how they got the files,” Mr. Schneier wrote. “When the Shadow Brokers first emerged, the general consensus was that someone had found an external NSA staging server. These are third-party computers that the NSA’s [Tailored Access Operations] TAO hackers use to launch attacks from. Those servers, are necessarily stocked with TAO attack tools. This matched the leaks, which included a “script” directory, and working attack notes. We’re not sure if someone inside the NSA made a mistake that left the files exposed; or, if the hackers that found the cache……got lucky,” Mr. Schneier noted.

“That explanation stopped making sense after the latest Shadow Brokers release, which included attack tools against Windows, PowerPoint presentations, and operational notes — documents that are definitely not going to be on an external NSA staging server. A credible theory, that I [Mr. Schneier] heard from Nicholas Weaver, is that Shadow Brokers are publishing NSA data from multiple sources. The first leaks were from an external staging server; but, the more recent leaks are from the inside of NSA itself.”

“So, what happened?,” Mr. Schneier asked. “Did someone inside the NSA accidentally mount the wrong server on some external network? That’s possible; but, seems very unlikely,” Mr. Schneier contends. “Did someone hack NSA itself? Could there be a mole inside NSA,” as Kevin Poulsen speculated?

“If it is a mole, my guess is that this individual has already been arrested,” Mr. Schneier wrote. “There are enough individualities in the files to pinpoint exactly where and when they came from. Surely, the NSA [already] knows who could have taken the files. No country would burn a mole working for it — by publishing what he delivered. Intelligence agencies know if they betray a source this severely, they’ll never get another one.” Unless of course, they want investigators to believe they have found their mole — when in reality, this particular mole was sacrificed in order to protect a much more valuable and well-placed spy.

Assuming you buy Mr. Schneier’s arguments, he writes “that points to two options: The first is the files came from Hal Martin. He’s the NSA contractor who was arrested in August for hoarding agency [NSA] secrets in his house for two years. He can’t be the publisher, because the Shadow Brokers are in business, even though he is in prison. But, maybe the leaker got the documents from his stash: either because Martin gave the documents to them; or, because he himself was hacked. The dates line up, so it is theoretically possible; but, the content of the documents speak to someone with a different sort of access. There’s also nothing in the public indictment against Martin that speaks to his selling secrets to a foreign power; and, I think it’s exactly the sort of thing that the NSA would leak. But, maybe I’m wrong about all this; Occam’s Razor suggests that it’s him.”

“The other option,” Mr. Schneier wrote, “is a mysterious second leak of NSA cyber attack tools. The only thing I have ever heard about this is from a Washington Post story about Martin: “But, there was a second, previously undisclosed breach of cyber tools, discovered in the summer of 2015, which was also carried out by a TAO employee,” one official said. “That individual also has been arrested; but, his case has not been made public. The individual is not thought to have shared the material with another country,” the official added, “But, not thought to have,” is not the same as — not having done so,” Mr. Schneier wrote. “On the other hand, it’s possible someone penetrated the internal NSA network. We’ve already seen NSA tools that can do that kind of thing to other networks. That would be huge, and explain why there were calls to NSA Director, ADM. Mike Rogers last year.” Not necessarily in my view.

“The CIA leak is both similar and different,” Mr. Schneier wrote. “It consists of a series of attack [offensive cyber] tools from about a year ago. The most educated guess amongst people who know this stuff, is that the data is from an almost-certainly, air-gapped, internal development wiki — a Confluence server — and either someone on the inside was somehow coerced into giving up a copy of it; or, someone on the outside hacked into the CIA, and got themselves a copy. They [then] turned the documents over to WikiLeaks — which continues to publish it.”

“This is also [would be] a big deal, and hugely damaging for the CIA. Those tools were new, and they’re impressive I [Mr. Schneier} have been told that the CIA is desperately trying to hire coders to replace what was lost.”

“For both of these leaks, one big question is attribution: Who did this? A whistleblower would act more like Snowden, or Manning, publishing documents that discuss what the U.S. is doing to whom, not simply [just] a bunch of attack [offensive hacking] tools.It just doesn’t make sense. Neither does random hackers, or cyber criminals,” Mr. Schneier argues. “I think it is being done by a country, or countries.”

“My guess was, and still is, Russia in both cases,” Mr, Schneier wrote. “Here’s my reasoning. Whoever got this information, years before and leaking it now has to 1) be capable of hacking the NSA, and/or the CIA, and 2) willing to publish it all. Countries like Israel and France are certainly capable; but, wouldn’t ever publish it. Countries like Iran and North Korea probably aren’t capable. The list of countries who fit both criteria is small: Russia, China, and…and…and I am out of ideas. And China is currently trying to make nice with the United States.”

“Last August, Edward Snowden guessed Russia to,” Mr Schneier wrote. 

“So Russia — or, someone else steals the secrets, and presumably uses them to both defend its own networks and hack other countries — while deflecting blame for a couple of years. For it to publish now, means that the intelligence value of the information is now lower than the embarrassment value to the NSA and the CIA. This could be because the U.S. figured out that its tools [offensive cyber weapons] were hacked, and maybe even by whom; which would make the tools less valuable against U.S. government targets — although still valuable against third-party targets,” Mr. Schneier wrote.

“The message that comes with publishing seems clear to me: “We are so deep into your business, that we don’t care if we burn these few years-old capabilities, as well as the fact that we have them. There’s just nothing you can do about it.” It’s bragging,” Mr. Schneier notes.

“Which is exactly the same thing Ledgett is doing to the Russians. Maybe the capabilities he talked about are long gone, so there’s nothing lost in exposing sources and methods. Or, maybe he too is bragging: saying to the Russians that he doesn’t care if they know. He’s certainly bragging to every other country that is paying attention to his remarks. (He maybe be bluffing of course, hoping to convince others that the U.S. has [offensive cyber] intelligence capabilities that others don’t,” Mr. Schneier wrote.

Mr. Schneier ends: “What happens when intelligence agencies go to war with each other and don’t tell the rest of us? I think there is something going on between the U.S. and Russia — that the public is just seeing pieces of it. We have no idea why, or where it will go next, and can only speculate.”

Mr. Schneier is a very smart man when it comes to all things cyber; but, I believe he missed a few other possibilities when speculating on who may have been responsible for the leak/s of the CIA and NSA hacking tools. First and foremost, we still do not know the full extent of the damage that Edward Snowden did when he absconded with the millions of files that contained all kinds of highly sensitive sources and methods with respect to the Intelligence Community. How do we know that what Mr. Snowden provided China and Russia — wittingly, and/or unwittingly didn’t lead to both Moscow and Beijing, and perhaps even others, being able to hack into the CIA and NSA’s highly guarded offensive cyber ‘tool-shed?’ If that potentially occurred, or is a possibility, then the current, ongoing search for a well-placed mole inside either, or both the CIA, and NSA, is nothing more than a wild goose chase instigated by Russia, and/or China. Another potential suspect/s is cyber patriots, or cyber militias, seeking retribution against what they view as an intelligence apparatus gone wild after 9/11; that, in their view — spied on its own citizens. These cyber patriots/militias, may have used the highly sensitive sources and methods that were exposed by Snowden and Hal Martin, and the other NSA employee who has not publicly been named; but, mentioned by Mr. Schneier. We already know cyber groups like Anonymous can and do wreak havoc on an entity’s network enterprise, when they believe such cyber hacks are the ‘noble’ thing to do. And of course, there are cyber militias and cyber criminal entities, especially in the former Soviet republics who would take pleasure in causing damage to U.S. intelligence.

Determining the source of these very damaging leaks, is not easy, and is fraught with false digital flags, dead-ends, and a complex, digital maze that can confound even the most savvy and seasoned cyber warrior/cyber sleuth. Our investigators have their work cut out for them. In the meantime, we run the risk of having our own cyber offensive units being paralyzed, and paranoid, as we try and find the culprit/s, and plug the leaks. And, there will always be a lingering concern and worry, that even if we eventually plug the leak and feel with certainty that we know exactly what happened and why — there could be stay-behinds, a Trojan Horse, or a doomsday digital IED lurking somewhere in our most sensitive, digital enterprises. How do, or will we know…that we have cleaned all our cyber pipes and there is no ‘gift that keeps on giving’ to our adversaries?

As former Secretary of Defense, Donald Rumsfeld likes to say: “The absence of evidence……does not constitute evidence of absence. Just because we can’t see it, or haven’t found a digital IED, doesn’t mean that is isn’t there, waiting to be used by our adversary/s at a most inopportune time for us. The best cyber thieves/spies, haven’t been caught yet. Does the second digital mouse always get the digital cheese?

Finally, there is one possibility that Mr. Schneier did not discuss — that I really hope is the case. That is, we know how and why the leak occurred; and, we are not saying, nor disclosing because we are now in a position to turn the tables on those responsible — at a most inopportune time for them; and, potentially, extremely beneficial for us.V/R, RCP

No comments:

Post a Comment