My coverage of the NSA’s massive data gathering and attacks on fundamental security technology has been focused on the expected impact on the IT security industry. I was one of the first to publish trepidation a day after the first Snowden report (NSA Surveillance Threatens US Competitiveness, June 7, 2013) and again a week later (Crisis Of Confidence Could Spur Flight From US Tech, June 14, 2013).
Recent events appear to validate my concerns that loss of faith in US tech companies is hurting financial results, at least for the major vendors:
Anecdotal evidence from vendors who are being asked to attest that their products and data centers are free of NSA complicity indicates that distrust is having a wider impact than just on major vendors trying to expand in China.
Der Spiegel has reported on the contents of a 50-page catalog of exploits and technology for compromising gear from major vendors including Cisco, Juniper, Dell, and hard drive manufacturers. The NSA’s Tailored Access Operations (TAO) group, headquartered in San Antonio, Texas, develops these exploits. TAO, a relatively small team of uber hackers, reportedly and systematically breaks technology to make it accessible to NSA spying. Der Spiegel cites one program, FEEDTROUGH, which targets Juniper firewalls. FEEDTROUGH is a “persistent” threat in that it remains even after the Juniper gear is wiped and rebooted.
Unlike the massive effort to record and capture all communications, the development and use of exploits are, I believe, arguably within the NSA’s purview. According to General Michael Hayden, who led the NSA as it embarked on its post-9/11 growth of universal surveillance, the NSA is well aware of the need to balance its mission with the need to protect at least US companies from dangerous vulnerabilities. When I asked General Hayden to reiterate his description of this balance, he told securitycurrent:
“In cryptology, both offense and defense revolve around the concept of vulnerability. When vulnerability is discovered, the stark choice is to exploit it (providing “security” by penetrating an otherwise inaccessible target) or to patch it (providing “security” in a more direct and traditional way). NSA is responsible for both (and operationally that is a VERY good idea). The SIGINT division plays offense; the Information Assurance division plays defense. And in making a decision which way to play, a very powerful consideration is always who else has knowledge of, or the ability to exploit, the weakness. Some vulnerabilities are such that they marginally (but importantly) weaken a system but exploitation still depended on skills, systems and technologies that few, if any, can match. If the judgment is what is called NOBUS (nobody but us could do this), the risk management decision is pretty easy. Of course, that judgment could change over time and still requires continuous due diligence.”
But the publication of this Exploit Catalog poses yet another blow to the brand and reputation of US technology providers. Although there are no new allegations that US tech vendors work directly with the NSA, their products are under attack.
What does this mean for vendors of security products? It means that they are going to have to take security seriously, much more so than in the past. Historically, the greatest threats to hardware and software vendors were hackers and security researchers seeking the positive exposure of being the first to discover a new vulnerability. Actual exploitation of published vulnerabilities in network gear is rare, and in most cases of responsible disclosure the vendor is given an opportunity to release a patch before the vulnerability is published.
In light of the disclosure that these exploits exist, security vendors should immediately create internal task forces to address this new threat vector: the NSA’s Tailored Access Operations (TAO). They have to develop a strategy to harden their products against a well-funded adversary: the Black Budget reported by the Washington Post identifies over $10 billion a year devoted to the NSA.
An enterprise TAO task force must:
- Develop tools to detect when their systems have been compromised and make these available to their customers.
- Conduct a comprehensive review of their architectures with an eye towards a much more sophisticated attacker than ever before. All security is a compromise, but too often compromises justified by underestimating an attacker’s resources eventually succumb.
- Assign a Red Team to break their own products.
- Use network-fuzzing tools to discover previously unknown vulnerabilities.
- Evaluate how hardware roots of trust that store keys to authenticate software and updates can be incorporated in product designs.
- Look at architectures that use separate monitoring devices in front of and behind their products to detect when they have been compromised.
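The fourth and fifth items above, detection tooling and a hardware root of trust that anchors what software is allowed to run, can be combined into one mechanism: measured boot with remote attestation. A persistent implant of the FEEDTROUGH kind survives a configuration wipe and a reboot because it lives in a boot stage; it does not survive measurement, because a register that can only be extended ends up with a different value once any stage changes. The following is an added example, not code from the article or from any vendor. It models the root of trust as an extend-only register plus an attestation key that never leaves the chip, and it assumes, for simplicity, that the verifier holds a copy of that key (a real device would use an asymmetric key and a certificate chain). All images, names and keys are constructed.

```python
import hashlib
import hmac
import os

# Added example (not from the article): a simulated measured boot anchored in
# a hardware root of trust. The root of trust is modelled as (a) a platform
# configuration register (PCR) that can only be extended, never written, and
# (b) an attestation key that never leaves the "chip". All images, keys and
# names below are constructed for the demonstration.

PCR_RESET = bytes(32)  # power-on value of the register


def extend(pcr: bytes, image: bytes) -> bytes:
    """TPM-style extend: PCR' = SHA-256(PCR || SHA-256(image)).
    Because the register only moves forward, swapping any stage changes the
    final value, and there is no operation that writes a chosen value back."""
    return hashlib.sha256(pcr + hashlib.sha256(image).digest()).digest()


def measure_boot(stages):
    """stages: list of (name, image_bytes) in boot order. Each stage measures
    the next one into the PCR before handing control to it."""
    pcr = PCR_RESET
    for _name, image in stages:
        pcr = extend(pcr, image)
    return pcr


class RootOfTrust:
    """Stands in for the hardware: holds the attestation key and authenticates
    (here with an HMAC) the current PCR together with a verifier-supplied nonce."""

    def __init__(self, attestation_key: bytes):
        self._key = attestation_key  # provisioned at manufacture, never exported

    def quote(self, pcr: bytes, nonce: bytes) -> bytes:
        return hmac.new(self._key, pcr + nonce, hashlib.sha256).digest()


def verify_quote(attestation_key: bytes, golden_pcr: bytes, nonce: bytes, quote: bytes) -> bool:
    """Verifier side (vendor tool or customer). Assumption: the verifier holds a
    copy of the device's attestation key from manufacturing records."""
    expected = hmac.new(attestation_key, golden_pcr + nonce, hashlib.sha256).digest()
    return hmac.compare_digest(expected, quote)


def check_device(rot: RootOfTrust, stages, attestation_key: bytes, golden_pcr: bytes) -> bool:
    """One remote-attestation round: fresh nonce, device boots and quotes,
    verifier compares against the golden value for this firmware release."""
    nonce = os.urandom(16)
    pcr = measure_boot(stages)
    return verify_quote(attestation_key, golden_pcr, nonce, rot.quote(pcr, nonce))


# Constructed firmware images for a fictional appliance.
GOOD_STAGES = [
    ("bootrom", b"bootrom v1.0 (immutable)"),
    ("loader", b"loader v2.3"),
    ("os", b"appliance-os 7.1"),
]
# The golden value is computed by the vendor from the shipped release.
GOLDEN_PCR = measure_boot(GOOD_STAGES)

# A persistent implant that rewrites the loader survives a configuration wipe
# and a reboot, but it cannot survive measurement: the PCR no longer matches.
TAMPERED_STAGES = [
    ("bootrom", b"bootrom v1.0 (immutable)"),
    ("loader", b"loader v2.3" + b"<implant>"),
    ("os", b"appliance-os 7.1"),
]

ATTESTATION_KEY = b"constructed-device-unique-key-0001"


if __name__ == "__main__":
    rot = RootOfTrust(ATTESTATION_KEY)
    print("clean device attests:", check_device(rot, GOOD_STAGES, ATTESTATION_KEY, GOLDEN_PCR))
    print("implanted device attests:", check_device(rot, TAMPERED_STAGES, ATTESTATION_KEY, GOLDEN_PCR))
```

The nonce is what makes the quote a statement about this boot rather than a replay of an earlier clean one, and the key staying inside the chip is what stops software on a compromised device from producing a matching quote itself. The caveat a practitioner should keep in mind is that the chain is only as trustworthy as its first link: if the immutable boot ROM or the chip holding the key is itself subverted, every measurement below it is meaningless, which is why the root has to be hardware.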
Cisco’s response to the Der Spiegel story is here. In response to an inquiry Juniper provided a similar statement of their concern.
Organizations that have large investments in the named products should also take steps to regain confidence that their systems have not been compromised. Network monitoring is the best way to do this. Treat every firewall, switch, router, server and hard drive as untrusted. Watch them for unusual behavior. And push your vendors of critical networking gear to demonstrate the defenses they are putting in place for the higher levels of assurance needed in this new threat environment.
There is no going back. Once vulnerabilities are even hinted at, security vendors have to take drastic measures to re-establish trust. Even General Hayden acknowledges that the NSA operations should be reviewed, saying:
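Treating an inline device as untrusted and watching it for unusual behavior is concrete once you have taps on both sides of it, as the task-force list above suggests. Three things should never happen to a transparent firewall or router: it should not open connections of its own to anyone but its known management peers, traffic should not appear behind it that never arrived in front of it, and a flow should not change size on the way through. The following is an added example, not the article's or any vendor's code; it runs those three checks over constructed flow records from a fictional outside and inside tap. The addresses, ports, management allowlist and byte tolerance are all assumptions for the demonstration; in practice the flow tables would come from NetFlow/IPFIX exports or packet captures on the two taps.

```python
import ipaddress
from collections import namedtuple

# Added example (not from the article): differential monitoring of an inline
# security device from taps placed in front of and behind it. All addresses,
# ports and flow records are constructed for the demonstration.

Flow = namedtuple("Flow", "src dst proto dport nbytes")

INSIDE_NET = ipaddress.ip_network("10.0.0.0/24")
DEVICE_ADDRS = {"10.0.0.1", "203.0.113.1"}        # the appliance's own interfaces
# Peers the appliance itself may initiate connections to: (address, port).
ALLOWED_DEVICE_PEERS = {("10.0.0.10", 514), ("10.0.0.10", 123), ("10.0.0.11", 443)}
BYTE_TOLERANCE = 64  # small differences from retransmits or padding are expected


def flow_key(f):
    return (f.src, f.dst, f.proto, f.dport)


def is_transit(f):
    """True if exactly one endpoint is inside, i.e. the flow must cross the device."""
    a = ipaddress.ip_address(f.src) in INSIDE_NET
    b = ipaddress.ip_address(f.dst) in INSIDE_NET
    return a != b


def audit(outside, inside):
    """Compare the two taps and return a sorted list of (kind, flow_key) findings.
    Outside-only transit flows are deliberately not reported: a firewall
    dropping traffic is its job. Inside-only transit flows and size changes
    are not, and neither are connections the device opens on its own."""
    findings = set()
    out = {flow_key(f): f for f in outside}
    ins = {flow_key(f): f for f in inside}

    # 1. The device as an endpoint: it should only ever initiate connections
    #    to its known management peers (syslog, NTP, update server).
    for f in list(outside) + list(inside):
        if f.src in DEVICE_ADDRS and (f.dst, f.dport) not in ALLOWED_DEVICE_PEERS:
            findings.add(("device_initiated_unknown_peer", flow_key(f)))

    # 2. Transit flows visible behind the device that never entered in front
    #    of it: something on the device created or injected them.
    for k, f in ins.items():
        if is_transit(f) and k not in out:
            findings.add(("appeared_behind_device_only", k))

    # 3. Transit flows whose byte count differs between the taps: the device
    #    altered the payload in transit rather than just forwarding it.
    for k, f in ins.items():
        if k in out and is_transit(f) and abs(f.nbytes - out[k].nbytes) > BYTE_TOLERANCE:
            findings.add(("bytes_changed_in_transit", k))

    return sorted(findings)


# Constructed flow records from the two taps during the same window.
OUTSIDE_TAP = [
    Flow("198.51.100.5", "10.0.0.50", "tcp", 443, 4000),     # normal inbound HTTPS
    Flow("10.0.0.50", "198.51.100.7", "tcp", 80, 1200),      # normal outbound HTTP
    Flow("198.51.100.9", "10.0.0.50", "tcp", 23, 60),        # telnet probe, dropped by policy
    Flow("203.0.113.1", "198.51.100.200", "tcp", 443, 900),  # appliance calling an unknown host
]
INSIDE_TAP = [
    Flow("198.51.100.5", "10.0.0.50", "tcp", 443, 4000),     # passed through unchanged
    Flow("10.0.0.50", "198.51.100.7", "tcp", 80, 2100),      # 900 bytes different from in front
    Flow("198.51.100.200", "10.0.0.50", "tcp", 4444, 300),   # never seen in front of the device
    Flow("10.0.0.1", "10.0.0.10", "udp", 514, 500),          # appliance sending syslog: allowed
    Flow("10.0.0.50", "10.0.0.60", "tcp", 445, 8000),        # LAN-to-LAN, never crosses the device
]


if __name__ == "__main__":
    for kind, key in audit(OUTSIDE_TAP, INSIDE_TAP):
        print(f"{kind}: {key}")
```

The telnet probe that shows up only in front of the device and the LAN-to-LAN flow that shows up only behind it are both silent, because neither tells you anything about the device's honesty. The three findings the run produces are the ones worth a human's attention: an appliance talking to a host it has no business with, a connection that materialised behind the device, and a flow that is a different size on each side. Keying flows on the 5-tuple assumes the device does no address translation; behind a NAT you would correlate on the translated tuple or on timing instead.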
“It is also a fair question to ask whether NSA’s overall approach to this (which dates from the Agency’s founding in 1952 and NOT from the digital age) and the delicate balance that it requires might need recalibration in an era of massive cyber theft and lawlessness as well as an era in which certain hardware and operating systems are near ubiquitous.”
Regardless of any recalibration that occurs, be it more oversight from Congress or actual curtailment of some NSA programs, doubt has been cast on the dependability of our fundamental layers of security. Industry must, and will, respond.