Exactly what prompts this loyalty? A security industry source says it is not unrelated to the fact that a lot of outsourced work from the NSA ends up being given to outfits run by – yes, you guessed it, ex-NSA spooks. And the NSA has a massive budget so these contracts are not trivial.
Last week, The New York Times ran a story based on a leak from security firm Symantec, claiming that Chinese spies had gained access to a number of NSA exploits and used them for attacks, well before they were leaked on the Web by a group known as the Shadow Brokers.
Symantec's contention was that a group called Buckeye, which appears to be a Chinese-affiliated group, had been using tools from the NSA — which Symantec referred to as the Equation Group, using nomenclature that has been employed by Kaspersky Lab — to gain persistent access to targets at least a year before the Shadow Brokers leaked a trove of exploits on the Web.
EternalBlue was used to craft the WannaCry ransomware which wreaked havoc on companies and organisations in May 2017.
The US isn’t perfect. The NSA has deserved some black eyes. But I am a staunch advocate of countries spying on each other for intelligence and ideally better statecraft. And the US intel community trying to think of the community while they do that is great. Unpopular take I know — Robert M. Lee (@RobertMLee) May 8, 2019
News stories in the NYT always contain comment, and probably what irked the ex-NSA types was stuff like this: "The Chinese action shows how proliferating cyber conflict is creating a digital wild West with few rules or certainties, and how difficult it is for the United States to keep track of the malware it uses to break into foreign networks and attack adversaries’ infrastructure.
"The losses have touched off a debate within the intelligence community over whether the United States should continue to develop some of the world’s most high-tech, stealthy cyber weapons if it is unable to keep them under lock and key."
The theft of the exploits by the Brokers has given the NSA a considerable black eye: three years on from the first announcement, nobody is any the wiser as to the identities of the thieves.
I’m honestly confused by the coverage on this one and the outrage shown by some folks. I feel I must be missing something. If you lose control and things get leaked; that’s one thing. But proliferation and abuse through use? That’s not new nor unique to the NSA. — Robert M. Lee (@RobertMLee) May 7, 2019
The sideshow that took place after the NYT story was put online was infinitely more interesting than the NYT story itself; the only point of interest around these leaked NSA exploits is the identity of the Shadow Brokers. Some say they are Russian, others see it as more plausible that they are a homegrown unit.
But no matter that this article was all about a sideshow, ex-NSA spooks, one after another, lined up to take up cudgels for their former employer.
Among them was Dave Aitel, the chief of Immunity, a security company that was bought by Cyxtera Technologies in January. Aitel wrote a blog post, claiming, "I want to point out that Nicole Perlroth, David E. Sanger and Scott Shane (the authors of the NYT article) have, as usual, written an article... that is more advocacy than news.
I've seen a lot of anti-NSA rants after the new @symantec report about EternalSynergy and DoublePulsar. Exploits serve an obvious purpose which we should all agree is valuable - gaining intelligence on those who wish us harm. Those arguments miss this. 1/9 https://t.co/rzyP35QMWF — Jake Williams (@MalwareJake) May 7, 2019
"They say never to pick a fight with someone who buys ink by the barrel, but this article is pure nonsense. Let's let Rob Lee, who knows what he's talking about, say it succinctly."
Aitel inserted a tweet from Lee, also an NSA alumnus, which read: "My late night take: if we’re going to yell at the NSA for making an exploit that an adversary saw in an intrusion and learned from as an example of 'losing control of weapons' then we should just argue that no one should make exploits ever because they can all be lost in that way."
Aitel does not always spar with journalists; he is not averse to a bit of publicity himself, and this writer interviewed him at length in 2005, when he was under pressure from proprietary software vendors and a senior researcher over the way he ran his company. At the time, Aitel and his researchers followed a business model of providing clients with inside knowledge of the vulnerabilities they found, without ever informing the vendor of the software in question.
Recently, however, Aitel seems to have taken a dislike to those who call themselves journalists, banning media from the annual Infiltrate security conference that Immunity organises.
In another tweet, Lee, who runs his own security firm, Dragos, said: "I’m honestly confused by the coverage on this one and the outrage shown by some folks. I feel I must be missing something. If you lose control and things get leaked; that’s one thing. But proliferation and abuse through use? That’s not new nor unique to the NSA."
And referring to Aitel's blog post, Lee wrote: "Anyway – Dave’s blog had me thinking. Our intel professionals do amazing work far outside the scathing view of infosec. They should strive to do better but I’m also proud to have been part of the US IC and thank those still in doing the grind."
Jake Williams, an extremely well-known former NSA man who now runs his own infosec outfit, Rendition Infosec, and at times takes the middle ground, also defended his former employer, saying: "I've seen a lot of anti-NSA rants after the new @symantec report about EternalSynergy and DoublePulsar. Exploits serve an obvious purpose which we should all agree is valuable - gaining intelligence on those who wish us harm."
He followed up with another eight tweets, explaining why this case — that of the NSA exploits being stolen — was more a matter of faults in the Vulnerabilities Equities Process, the US government process that determines when a zero-day vulnerability may be kept secret so that exploits can be crafted for attacking foreign enemies, and when it should be disclosed to the vendor for patching.
Old loyalties, it would appear, die hard – especially when the wheels are well greased.