Archive for the ‘NSA’ Category

Should CYBERCOM Split From the NSA? – International Policy Digest (press release) (blog)

Health + Tech /02 Jun 2017

On December 23, 2016, Congress passed the National Defense Authorization Act for Fiscal Year 2017. This in itself is nothing extraordinary. What came as a shock was the news that US Cyber Command (CYBERCOM) would be elevated to the unified command plan (UCP) as the fourth functional combatant command, pending review of CYBERCOM's efficacy by the Pentagon, of course. The National Defense Authorization Act allocates $75 million a year to CYBERCOM for upkeep of current facilities, training of personnel, acquisition of hardware, and development and deployment of new programs.

Since its inception in 2009, CYBERCOM has occupied a unique position within the Department of Defense. On one hand, it was a subordinate combatant command of US Strategic Command (STRATCOM), the same command responsible for military affairs in space and the nuclear arsenal. On the other hand, it has been and is still headed by the director of the National Security Agency, an intelligence organization separate from the conventional military hierarchy.

CYBERCOM's elevation is important for three reasons. First, as a part of the UCP (Unified Command Plan), the combatant commander (CCDR), Admiral Mike Rogers, can directly appeal to the Secretary of Defense (SECDEF) and the President (POTUS). Second, Admiral Rogers has a seat at the table, so to speak, regarding budgeting decisions. Finally, the elevation of CYBERCOM into the UCP is symbolic. It is a signal of intent for both domestic and international audiences and indicates that the US considers cyber security a major aspect of national security and that it will continue to invest in its cyber capabilities in the future.

As significant as this elevation is, this is actually just the first step on the road to an independent CYBERCOM. Recall my mention of the NSA. There have been voices calling for the end of the dual-hat arrangement, most notably former President Obama, and these voices are growing louder. After all, if CYBERCOM can stand alone as a combatant command, perhaps it is ready to stand apart from the NSA. Ending the dual-hat arrangement would mean that Admiral Rogers would most likely lead CYBERCOM while a new director for the NSA is chosen, possibly a civilian, but that is a discussion for another time.

Initially, the dual-hat arrangement made sense. Simply put, CYBERCOM was a fetus incapable of surviving on its own without the constant nourishment of its mother and this arrangement was the umbilical cord. As a fledgling command, CYBERCOM lacked the funding, personnel, hardware, and leadership to operate effectively so command was given to Lt. General Alexander as a means of quickly bringing CYBERCOM to operational status.

Some are afraid that splitting the two organizations will lead to needless rivalry, competition for resources and authority, and a decline in overall cooperation between the two organizations. So why are others encouraging a split?

Like many issues in the DOD, it's complicated and cannot be adequately covered in the length of one article, but those who advocate for the end of the dual-hat arrangement come generally in three flavors.

The first group maintains that CYBERCOM is mature enough to act without NSA input. These individuals argue that with adequate funding, CYBERCOM possesses the leadership and the groundwork for programs needed to operate independently. They seem to be in the minority. Even Admiral Rogers believes that CYBERCOM and the NSA should split eventually, but he stated explicitly that now is not that time.

The second group advocates for the split on functional grounds. The NSA is an intelligence agency that focuses on signals intelligence (SIGINT). CYBERCOM is a military organization with the mission to protect DOD information networks and conduct operations in cyberspace. Saying all operations done in cyberspace are the same is like saying that a firecracker, pistol, and cruise missile are the same because they are based on the same medium: gunpowder. A split is necessary to highlight the different functions of CYBERCOM and the NSA.

The final group seeks a split based on legal motives. CYBERCOM, and all military branches, take their authority from Title 10 of the federal regulations. Title 10 is what outlines the conditions and appropriate conducts of war; it tells the US military what powers it has and does not have.

The NSA is not a strictly military agency despite the fact that an admiral is its current director. Instead, as an intelligence agency, it gathers its authority from Title 50, the part of the federal regulations dealing in national defense and intelligence. The basic argument is that no individual should have command over so much of national security; that's too much power concentrated into one man. Having a clear separation of legal authority will keep both organizations more accountable.

Most experts in Washington are of the opinion that CYBERCOM needs its independence. The question is now a matter of time and method. When will CYBERCOM be mature enough to stand on its own legs? How will we know? What can we do to make the transition as smooth as possible? The elevation of CYBERCOM and its likely separation from the NSA will mark a new age in cyber security, recognition of its place as a combat discipline by the most powerful nation in the world.


ShadowBrokers launch subscription service for stolen NSA tools – FCW.com

Cybersecurity

How much would you pay for access to stolen hacking tools developed by some of the NSA's most elite computer scientists? The enigmatic entity calling itself TheShadowBrokers thinks that $23,000 is a fair price.

The mysterious group, which first appeared in August 2016 claiming to have a trove of tools pilfered from the Equation Group, which has been identified as an NSA hacking operation, has been periodically releasing bits of that stash for free.

In April, TheShadowBrokers dumped tools and exploits that led to the WannaCry ransomware attack as well as other malware that has been used in recent attacks.

The group then issued a long blog post written in pidgin English, complaining that no one had offered to buy the stolen data and make them "go dark," and contemplating the launch of a "wine of month" style subscription service.

In a new blog post, TheShadowBrokers announced that interested subscribers can sign up during the month of June for a fee of 100 ZEC or Zcash cryptocurrency worth about $235 a share -- and then in the first two weeks of July patrons will receive the next dump of hacking tools.

TheShadowBrokers said they have not decided what will be in the next release, but said it will include "Something of value to someone."

"The time for 'I'll show you mine if you show me yours first' is being over," states the post. "Peoples is seeing what happenings when theshadowbrokers is showing theshadowbrokers' first. This is being wrong question. Question to be asking 'Can my organization afford not to be first to get access to theshadowbrokers dumps?'"

In the May 15 blog post, TheShadowBrokers stated that future releases of tools could include, "web browser, router, handset exploits and tools; select items from newer Ops Disks, including newer exploits for Windows 10; compromised network data from more SWIFT providers and Central banks; compromised network data from Russian, Chinese, Iranian, or North Korean nukes and missile programs."

Cybersecurity experts continue to speculate over who is or are TheShadowBrokers and how they acquired the NSA data -- possibly from an insider such as former contractor Hal Martin, who has been charged under the Espionage Act with stealing classified data from the NSA and CIA.

About the Author

Sean Carberry is an FCW staff writer covering defense, cybersecurity and intelligence. Prior to joining FCW, he was Kabul Correspondent for NPR, and also served as an international producer for NPR covering the war in Libya and the Arab Spring. He has reported from more than two-dozen countries including Iraq, Yemen, DRC, and South Sudan. In addition to numerous public radio programs, he has reported for Reuters, PBS NewsHour, The Diplomat, and The Atlantic.

Carberry earned a Master of Public Administration from the Harvard Kennedy School, and has a B.A. in Urban Studies from Lehigh University.


Hackers Are Crowdfunding Cryptocurrency to Buy Alleged NSA Exploits – Motherboard

The Shadow Brokers are not going away. Earlier this month, the group of self-described hackers said it planned to launch a paid "subscription" service, where customers could apparently gain access to more exploits allegedly stolen from the NSA.

On Tuesday, the Shadow Brokers provided some more details of this service in an online post and said that June's cache of exploits would cost 100 Zcash, a more privacy-focused cryptocurrency, or around $23,000 at the time of writing. In response, a few information security researchers are trying to crowdfund enough funds to get in on the action. The point, according to the researchers, is to inform affected vendors and get any lingering security vulnerabilities fixed.

"What's better: the tool everyone, including the good guys and bad guys, know about, or the one which only your adversaries have?" Matthew Hickey, co-founder of UK cybersecurity company Hacker House, and who is one of the researchers trying to raise funds, told Motherboard in a Twitter direct message.

Along with the security researcher known as x0rz, Hickey has launched a Patreon campaign. At the moment, 11 people have pitched in, raising just over $1,200. If the campaign doesn't reach its goal, the researchers will donate the funds to an as of yet undecided human or digital rights charity.

"This patreon is a chance for those who may not have large budgets (SME, startups and individuals) in the ethical hacking and whitehat community to pool resources and buy a subscription for the new monthly released data," the Patreon reads.

Since last year, the Shadow Brokers have publicly released a variety of exploits for hardware firewalls, Unix, and Windows systems. In a previous post, the group claimed they have access to exploits for popular web browsers, Windows 10, and routers, although the group has not presented concrete evidence for these alleged tools yet.

Hackers have incorporated some of the released Windows exploits into new, powerful pieces of malware. WannaCry, a ransomware variant, infected networks in Spain, Russia, China, and elsewhere, and hit the UK's National Health Service (NHS) particularly hard.

Indeed, this is what the researchers want to avoid by purchasing the alleged exploits.

"By paying the Shadow Brokers the cash they asked for we hope to pool resources and avert any future WannaCry type incidents," the Patreon page explains. (According to a report in The Washington Post, the NSA provided Microsoft with details of the Windows exploits, including those used in WannaCry. In turn, the company issued patches for an array of different operating systems).

"As a harm reduction exercise it is important that any compromised parties are notified, vulnerabilities in possession of criminals are patched and tools are assessed for capabilities. We will release any and all information obtained from this once we have assessed and notified vendors of any potential 0days," the Patreon adds.

Of course, this episode brings up all sorts of ethical questions: should researchers pay criminals for exploits at all? What if the intention is ultimately to patch systems?

However, those questions also rest on the premise that the subscription service is genuine. The Shadow Brokers have ostensibly tried to sell exploits before: first, in an auction, and then individually, with little to no success. But the group ended up dumping the hacking tools anyway, making it plainly obvious that this isn't about the money at all. Instead, this increasingly bizarre, public showmanship is about a feud between the Shadow Brokers, whoever they are, and Equation Group, a hacking unit allegedly part of the NSA.

"TheShadowBrokers is not being interested in stealing grandmother's retirement money. This is always being about theshadowbrokers vs theequationgroup," the group wrote in a recent post.



Ransomware and the NSA – Bloomberg

Some questions, admiral.

The effects of this month's global ransomware attack seem to be fading, fortunately. But a crucial question the incident raised is only getting more urgent. When it comes to online security, the U.S. government's priorities -- preventing terrorism and protecting cyberspace -- are in permanent tension. Is there a way to resolve it?

The National Security Agency routinely seeks out flaws in common software and builds tools, known as exploits, to take advantage of them. Doing so is an essential part of the agency's mission of spying on terrorists and foreign adversaries, yet it comes with grave risks.

The latest attack -- still evolving -- is an example. Researchers say it takes advantage of a stolen NSA tool to exploit a flaw in some versions of Windows. Microsoft Corp. has suggested that the NSA knew of the flaw for some time, yet didn't disclose it until the theft.

That may sound unnerving. Windows is ubiquitous, and governments are generally expected to respect online security, not undermine it. Microsoft is understandably unhappy. Worse, the initial attack crippled everything from banks to hospitals. It's fair to say that lives were at risk.

So why keep such a harmful vulnerability secret? Simple: Exploiting it proved hugely effective in swooping up intelligence -- like fishing with dynamite, as one former NSA employee put it.

Deciding whether such intelligence is worth the risk is a fraught and secretive process. When a significant new flaw is found by a federal agency, it's shared among experts from the intelligence, defense and cybersecurity bureaucracies (among others), who debate whether to disclose or exploit it, according to nine criteria. A review board then makes a final decision. In almost all cases involving a product made or used in the U.S. -- more than 90 percent, according to the NSA -- the flaws are disclosed.

Although it's an imperfect process, a better way isn't obvious. Simply disclosing all vulnerabilities, as some activists demand, would be nuts. Intelligence would dry up, investigations would be hobbled, and the Pentagon would lose crucial insight into foreign militaries, for starters. Other countries would continue exploiting such flaws to their advantage. To echo a Cold War locution, it would amount to unilateral disarmament.

Likewise, Microsoft has proposed a digital Geneva Convention, or a global agreement to disclose flaws. But the worst actors online -- thieves, gangsters, North Korea -- would hardly feel constrained by such a protocol, while the restraints put in place could well eliminate crucial methods of tracking them.


A better approach is to improve the current system. One problem is that the secrecy required makes it hard to know how well the stated criteria for retaining vulnerabilities are being followed. Reporting the total number found and disclosed each year might offer some reassurance to tech companies and the public, without divulging anything sensitive. Periodic audits of those that have been retained could help ensure that agencies aren't hoarding dangerous stuff that's no longer useful. Most important, though, is to better secure these flaws -- and the tools meant to exploit them -- while having a strategy to mitigate the risks if they're once again leaked.

Failing that, the public may quickly lose confidence in this process. And that may be the biggest risk of all.

--Editors: Timothy Lavin, Michael Newman.

To contact the senior editor responsible for Bloomberg View's editorials: David Shipley at davidshipley@bloomberg.net.


Secret court rebukes NSA for 5-year illegal surveillance of US citizens – Pittsburgh Post-Gazette


WASHINGTON -- U.S. intelligence agencies conducted illegal surveillance on American citizens over a five-year period, a practice that earned them a sharp ...