A double whammy has the NSA reeling. First came the Shadow Brokers 2016 heist, then WikiLeaks released Vault 7 and Vault 8 collections of hacking tools and manuals stolen from C.I.A.’s Center for Cyber Intelligence. National Security Agency honchos are scrambling to explain how Fort Meade’s cyberweapons ended up being used against civilian U.S. businesses. Worse yet, more attacks are coming. Taxpayer-funded hacking tools are loose in the wild, pointed right at U.S. citizens.
The gaping wounds hacked into our national security program by Edward Snowden now seem like a minor scratch. Snowden released program code names and descriptions; Shadow Brokers and WikiLeaks unleashed the specific code.
For more than a year, a trickle of leaks has deeply disturbed the security community. Considered the best on the planet at prying their way into target networks, NSA dropped the ball on defending their own. “We have had a train wreck coming,” confirms former N.S.A. director Mike McConnell. “We should have ratcheted up the defense parts significantly.”
N.S.A. linguist Reality Winner was arrested in June, after stuffing a sensitive document down her pantyhose and leaking it to the Intercept. What she did seems to be politically motivated and probably an isolated incident, but the other arrests are much more substantial.
Both of the other accused spies were former members of the NSA’s super-secret squad of elite hackers, Tailored Access Operations (TAO). The most famous example of the group’s work was the attack on Iran’s Natanz nuclear weapons centrifuges, which were made to spin out of control; it is one of the operations that Shadow Brokers released.
Experts report “None of the leaked files dates from later than 2013 but they include a large share of T.A.O.’s collection.” Included were three “ops disks containing the software to bypass computer firewalls, penetrate Windows and break into the Linux systems most commonly used on Android phones.”
One unnamed software developer was arrested secretly in 2015 for sneaking tools home with him, which allowed hackers to snag them from his home PC. The other was contractor Harold T. Martin III, who was thrown in the slammer last year. He liked to work from home too. “F.B.I. agents found his home, garden shed and a car stuffed with sensitive agency documents and storage devices.” Martin’s huge assortment of files included the ones released by Shadow Brokers and could have been the source, but if so, investigators don’t think he gave the data directly to the group on purpose.
Last April, freelance security expert Jake Williams checked his Twitter feed to find the Shadow Brokers had outed him as a former member of T.A.O. The details they posted were astounding. “They had operational insight that even most of my fellow operators at T.A.O. did not have. I felt like I’d been kicked in the gut. Whoever wrote this either was a well-placed insider or had stolen a lot of operational data.”
Williams concluded from their verbal attacks that they knew exactly who he was and what he worked on. “It’s a disaster on multiple levels,” Mr. Williams said. “It’s embarrassing that the people responsible for this have not been brought to justice.”
For the past fifteen months, the F.B.I.’s counterintelligence arm, Q Group, has been digging into the Shadow Brokers intrusion. They still have no idea if the N.S.A. is “the victim of a brilliantly executed hack, an insider’s leak, or both.”
A lot of the clues indicate that the toolkits were taken all at once in one piece, which makes it look like an insider used a flash drive to harvest the files and walk out the door. Employees are being subjected to lie detector tests and suspended, pending the investigation.
Former employees say investigators are “clearly worried that one or more leakers may still be inside the agency.” A number of staffers were required to “turn over their passports, take time off their jobs and submit to questioning.” The fraction that worked for both T.A.O. and the C.I.A. are getting particular scrutiny because “a single leaker might be responsible for both the Shadow Brokers and the C.I.A.’s Vault7 breaches.”
The hunt for moles has “created an atmosphere of suspicion and anxiety,” the ex-employees relate. Anyone with access to the exposed data is looked at as the thief. “Snowden killed morale but at least we knew who he was. Now you have a situation where the agency is questioning people who have been 100 percent mission-oriented, telling them they’re liars.”
“The fundamental purpose of intelligence is to be able to effectively penetrate our adversaries in order to gather vital intelligence. By its very nature, that only works if secrecy is maintained and our codes are protected,” scolds former C.I.A. director and defense secretary, Leon Panetta. “These leaks have been incredibly damaging to our intelligence and cyber capabilities. Every time it happens, you essentially have to start over.”
Even if the leaker or hacker is caught, it may not stop the disclosures. Williams warns that “a dead man’s switch” might be used “to release all remaining files automatically upon their arrest.” “We’re obviously dealing with people who have operational security knowledge. They have the whole law enforcement system and intelligence system after them. And they haven’t been caught.”