Suspected leak shines spotlight on the NSA's conflicting missions

WASHINGTON — A top National Security Agency official revealed this month that the agency's staff had rushed to the scene of virtually every major hack of a government computer network in the past two years.

Curtis W. Dukes, director of information assurance at the NSA, was trying to emphasize the Fort Meade-based spy outfit's lesser-known but growing role of helping to protect the nation's sensitive data.


But while Dukes was speaking to reporters in Washington, the cyber world was poring over a leaked cache of what appeared to be tools developed by the NSA for its more controversial activity: surveilling, spying and hacking.

The disclosure of the files — the NSA hasn't confirmed that they're authentic, but researchers and former NSA employees say they seem to be — underscored once again the tension between the two sides of NSA's dual mission: breaking into computer networks overseas in search of useful intelligence about foreign governments and terrorists and helping protect America's networks against foreign spies and other hackers.


Dukes, talking to reporters on the sidelines of an NSA conference last week, said his responsibilities included "fortifying public trust" in the agency — trust that suffered a major blow three years ago when former contractor Edward Snowden leaked details of its phone and email surveillance programs.

A group that called itself the Shadow Brokers posted files this month that it said came from the Equation Group, a name used in cyber circles for the NSA. Computer security analysts who have studied the files are mostly convinced they came from the agency.

In stilted English, the Shadow Brokers said they had more such files, which they would sell to the highest bidder.

A former NSA employee, who requested anonymity to discuss the agency's sensitive operations, said he recognized details in the leaked files.

"I don't think it was faked," the former employee said. "It's a big deal. Could be used to conduct active exploitation today."

The networking giant Cisco confirmed that the leak included a previously undiscovered weakness in its products. The weakness has attracted particular attention because it is a so-called zero day vulnerability, meaning it was unknown to the company.

The NSA's identification of such vulnerabilities is controversial. While the NSA says it does not use them to break into American computers, there is no guarantee that another country or group of hackers has not found the same flaw.

In recent years, the government has followed a formal process to determine whether a weakness should be kept secret so it can be used to gather intelligence, or whether it should be shared to protect computer users.


The government's policy is to favor sharing. The NSA said recently that it had done so in 91 percent of cases.

Andrew Crocker, an attorney at the Electronic Frontier Foundation, said too many questions about the Shadow Brokers files remain unanswered to know for sure what role the NSA might have played in their creation. But given all the fingers now pointing at Fort Meade, he said, he expects their disclosure to put pressure on the government to be more transparent.

"I think that's a good thing," he said.

Columbia University scholar Jason Healey got up in front of the audience at a major hacker conference this month to make the case that the government's process for sharing vulnerabilities strikes a good balance between intelligence collection and security. He said it didn't seem as if the NSA was stockpiling large numbers of secret weaknesses, he said.

"I was taking actual personal risk getting up in front of hackers and saying NSA is less evil than you think," Healey said in an interview. But after the Shadow Brokers disclosure, he said, he's reviewing whether that conclusion still stands.

At the least, he said, the incident certainly raises fresh questions.


The most recent of the files posted by the Shadow Brokers dates at least as far back as 2013, a time when Healey concluded that the disclosure process was not functioning as intended, so they could have fallen through the cracks.

Healey said he wants the NSA or the National Security Council to provide a public explanation of what happened in the new case.

"They need to come out on this," he said.

A spokesman for the National Security Council declined to respond to a request for comment.

The NSA is in the midst of a major reorganization aimed in large part at bringing together its offensive and defensive operations. The idea is that if the two sides work more closely together, they can spot threats more quickly and work to come up with solutions. But privacy activists have raised the concern that the agency's much larger offensive side will overpower the defensive one.

NSA officials are trying to persuade skeptics that that's not what will happen, and that the defensive mission remains at least as important as ever.


Dukes did not comment on the Shadow Brokers leak, and the NSA has not addressed it publicly. But in an era when the online spying business puts the private information of every American at risk, he said, his team is increasingly being called on to help the FBI and Department of Homeland Security respond to major breaches.

In the past two years, he said, members of his team have been involved in cleaning up after hacks on the White House, the State Department, the Pentagon and the federal government's personnel agency. The NSA's teams can be on site within hours of a problem being discovered.

The agency also works with private companies. It published guidance last month on how to solve security problems in a product made by Cisco — not the one implicated in the Shadow Brokers files — and Dukes said the agency has worked with Microsoft to suggest ways to make Windows more secure and proposed fixes for a problem called "Pass the Hash."

"This is something where we knew the adversary was exploiting," he said.

Microsoft declined to comment on its relationship with the NSA, but said in a statement that it reviews reports of security problems in its products thoroughly, whoever brings them to the company's attention.

Cisco has a relationship with Dukes' branch of the NSA. Company spokeswoman Yvonne Malmgren said working with the NSA is a necessity for many businesses.


Malmgren declined to comment on whether the Shadow Brokers disclosure might affect the company's work with the NSA. But she said the firm is troubled by the disclosure.

"We are deeply concerned with anything that may impact the integrity of our products or our customers' networks, and Cisco will continue to seek additional information," she said. "Cisco remains steadfast in the position that we should be notified of all vulnerabilities if they are found, so we can fix them and notify customers."

The NSA's defensive role started to grow beyond the government's classified systems and other military and spying infrastructure after the North Korean attack on Sony Pictures in 2014, Dukes told The Baltimore Sun in an email.

The Morning Sun

The Morning Sun


Get your morning news in your e-mail inbox. Get all the top news and sports from the

It was a mission he would not have anticipated getting involved in years ago, he said, but now "there doesn't appear to be any network that's off limits."

The FBI and the Department of Homeland Security call on the NSA for its technical expertise — Dukes boasted that his teams are "arguably the best in the country."

Once called, NSA personnel can work on a breach for months. They gather information about the attack, work with other parts of the NSA to help figure out who might be behind it, and help the victim be better protected in the future.


For years, the NSA's defensive arm has been known as Information Assurance Directorate, but that organization is being dissolved as part of the shakeup.

The presentation Dukes gave to reporters featured his team's new logo. It's almost exactly the same as the old one: a bird of prey with its wings swept protectively forward.