The Trump administration has declared all-out war on leakers, and Attorney General Jeff Sessions is focusing on individuals who have given the news media comparatively small amounts of White House information. But the administration is battling the wrong enemy with the wrong weapons.
Digital secrets stolen from the National Security Agency represent the real — and critical — security problem. More than half a billion pages have been swiped, most of it above top secret, with the most recent theft reported in October alone.
Those NSA leaks can be used to attack the U.S. government or threaten the lives of millions of Americans. Yet the administration appears to be ignoring these grave thefts.
Allegedly leaked or stolen NSA cyber weapons have already been used to shut down hospitals around the world and forced millions of people to pay ransoms or face losing all the data on their computers. The weapons could potentially kill thousands of people by being used to sabotage everything from large urban transportation systems to massive dams.
Late last year, both Defense Secretary Ashton B. Carter and National Intelligence Director James R. Clapper Jr. recommended to President Barack Obama that he fire the NSA director, Admiral Michael S. Rogers, according to The Washington Post.
That never happened. Now it should.
Unknown to the public, the NSA has for years been negligent in protecting its top-secret material.
The stolen data includes some of the NSA’s most prized cyber weapons. Most were created by the agency’s own hacker team, the Tailored Access Operations (TAO) unit. Like bank robbers examining the walls of a vault, looking for a way to get in, government hackers search for ways to crack into widely used computer operating systems, such as Microsoft Windows.
When they discover a way in — a crack in a vault’s wall so to speak — rather than notify the companies that their products are dangerously flawed, the NSA often secretly stores these vulnerabilities and later converts them into powerful cyber weapons, known as “exploits.” Like burglar’s tools, the exploits can secretly open a crack in a system, such as Windows, and insert an “implant” containing NSA malware — enabling the agency to take control of any computer using that Windows program.
Among the cyber weapons the NSA developed is an exploit called EternalBlue, which allowed the agency access to Windows computers, and an implant known as DoublePulsar, malware designed to take over the computers entirely.
Unknown to the public, the NSA has for years been negligent in protecting its top-secret material, including these cyber weapons. In 2013, for example, Edward Snowden, an NSA contract employee, walked out with at least hundreds of thousands — the NSA claims nearly two million — pages of documents. He had been stealing data for months, smuggling it out on flash drives.
Yet the agency had no knowledge of this enormous theft until Snowden announced it after he fled to Hong Kong.
Then, in 2015, according to a recent Wall Street Journal report, an NSA contract employee took highly secret materials home with him. The contractor put them on a home computer, where they were reportedly stolen by Russian intelligence hackers.
Next, in August 2016, another NSA contractor, Harold T. Martin, was arrested and charged with stealing more than 50 terabytes of data over many years. Like Snowden and the other unnamed contractor, Martin relied largely on flash drives to swipe upwards of three-quarters of a billion pages of top-secret information. His take allegedly included more than 75 percent of TAO’s entire collection of hacking tools, according to The Washington Post, among them the EternalBlue “exploit” and DoublePulsar “implant.”
Rather than protecting the American public from Russia and North Korea, the NSA has been inadvertently providing them with its cyber weapons.
A group calling itself the Shadow Brokers surfaced around the same time. It began auctioning off what it said was a “full state-sponsored toolset” of “cyber weapons” stolen from the NSA.
“How much you pay for enemies cyber weapons?” the group announced. To prove it had the authentic cyber weapons, the Shadow Brokers made some public, and promised a virtual arsenal of far more destructive programs to the highest bidder.
Ex-NSA officials have confirmed the authenticity of the hacked weapons. Yet prosecutors were never able to show a link between the Shadow Brokers and either Martin or the other contractor — meaning all three may have independently stolen these cyber weapons.
The auction turned out to be a bust, but a number of “free” cyber weapons became public. Hackers were able to convert the NSA’s EternalBlue exploit and DoublePulsar implant into a vicious computer worm they called WannaCry. It was designed to take over computers and lock out owners until they paid a ransom to get the digital key to unlock their data.
On May 12, what Europol called the largest ransomware attack in history began: In Spain, at the start of the work day, large red banners began filling computer screens across the nation, demanding money to unscramble suddenly encrypted data. In England, hospitals and clinics began reporting problems as well.
Within hours, the WannaCry computer worm spread across borders, continents and oceans, locking up nearly a quarter of a million computer systems in 150 countries until ransoms were paid.
In central London, at Bartholomew’s Hospital, Patrick Ward, a salesman, was about to have open-heart surgery when all the computers turned into bricks. Ambulances were diverted and appointments were cancelled, as access was denied to medical histories, X-rays, and blood tests. Doctors frantically ordered computers shut down as the entire National Healthcare System, country-wide, went into crisis mode.
Despite the NSA’s horrendous security record, the agency has never been held accountable.
It was the same across Europe and Russia; In China, computers at more than 29,000 organizations were infected.
Cybersecurity experts say North Korea likely orchestrated the WannaCry attacks, using the stolen NSA cyber weapons released by the Shadow Brokers.
Moscow is also implicated in using stolen NSA weapons to launch attacks. In September, a group nicknamed Fancy Bear, believed to be controlled by Russia, began using the EternalBlue exploit in cyber assaults against hotels throughout Europe. They were apparently searching for personal information of all government officials and business people who had checked in.
Thus, rather than protecting the American public from Russia and North Korea, the NSA has been inadvertently providing them with its cyber weapons — perhaps even the ones used to penetrate the Democratic Party during the election. (Granted, this was through incompetence rather than wittingly.)
Following the WannaCry attack, the Shadow Brokers announced it would soon launch “TheShadowBrokers Data Dump of the Month Service,” offering its large collection of stolen NSA cyber weapons through a subscription service. It was similar, they said, to a wine of the month club. In August, the group sought to double its profits by offering new weapons twice a month.
Free of charge, they also made public another NSA cyber weapon, UnitedRake — like EternalBlue, designed to attack Microsoft Window’s machines. It came complete with the agency’s top-secret instruction manual outlining how to use it. At Microsoft, company president Brad Smith compared the NSA theft to the theft of Tomahawk missiles from the Pentagon.
Despite the NSA’s horrendous security record, however, the agency has never been held truly accountable.
Meanwhile, the Trump administration continues searching for someone who passed a few tidbits about White House bickering to a reporter, rather than focus on the NSA losing potentially deadly cyber weapons to U.S. adversaries and criminals worldwide.
The NSA also needs to find a better way to prevent thousands of megabytes and gigabytes of data — including cyber weapons — from walking out the door. In past, the agency’s focus seems to have been on trying to get into employees' minds and their computers by relying on polygraph machines and electronic surveillance to determine who might be a current or potential thief. But neither have worked.
The NSA also needs to find a better way to prevent thousands of megabytes and gigabytes of data from walking out the door.
Indeed, there are numerous examples of spies successfully passing polygraph machines, as Martin did. Nor is it practical to monitor every employee’s electronics 24/7.
So, rather than trying to figure out what’s in an employee’s mind, the agency should try focusing on what’s in their pockets.
Like Snowden, Martin and the other contractor, people usually steal digital data, including cyber weapons, by smuggling small flash drives out of buildings. Yet a department store may have more security at the exit than an NSA or contractor facility; at least department stores have electronic devises to catch shoplifters.
The NSA should adopt the same full-body imaging millimeter wave technology now familiar to anyone who’s recently boarded a plane. The technology that looks for weapons at airports can look for flash drives containing cyber weapons.
It likely won’t stop someone from passing a reporter details about a presidential lie or cover-up. But at least it could help deter someone from walking out with the digital equivalent of a loose nuke.
James Bamford is author of “The Shadow Factory: The Ultra-Secret NSA from 9/11 to the Eavesdropping on America” and “The Puzzle Palace: A Report on America’s Most Secret Agency.”