Earlier this month the folks at Cisco were sent into a frenzy when Wikileaks disclosed Cisco exploits in their Vault 7 CIA tool data dump.
Wikileaks disclosed that the CIA had been hacking Cisco Internet switches for over a year to eavesdrop on users, but didn’t disclose how. Wikileaks and a number of the tech vendors are at odds regarding revealing the details of the hacks because of conditions Wikileaks is imposing prior to giving the manufacturers the details.
Given the resources at John Chambers' disposal, Cisco reassigned teams of engineers, working around the clock for days, first trying to figure out how the CIA did it – without any help from Wikileaks. Then they had to craft a warning to customers regarding the 300 products affected. Finally, they had to come up with fixes, test them and get them into the distribution channel.
Due to the way the government (in the form of the NSA and CIA particularly) prioritizes cyber risk, offensive cyber is much more important than defensive cyber (more about this later).
So even though the CIA had known about these bugs for at least a year, they prioritized using the bugs against their surveillance targets over protecting U.S. citizens.
This has been the argument since the creation of USCYBERCOM. USCYBERCOM is headed by the same person as the NSA – Admiral Mike Rogers.
The problem is that the NSA’s mission is to hack into targets of interest and Cybercom’s mission is to protect the U.S. In case of a ‘conflict of interest’, who wins?
The original idea was to help USCYBERCOM get off the ground by being able to leverage NSA’s considerable cyber expertise, but for the last year or two, there have been calls to split the two (see Washington Post article here). In fact, there were conversations about President Obama separating the two toward the end of his term. This idea was endorsed by both Defense Secretary Ash Carter and Director of National Intelligence James Clapper. President Obama signed a bill that bars the splitting until the Joint Chiefs of Staff certify that splitting it would not be harmful. We have no idea what President Trump thinks about the subject.
Laura Pfeiffer, a former senior director of the White House situation room, suggested that now that our adversaries’ cyber capabilities were catching up to ours, we ought to think about reconsidering our strategy.
According to Reuters, 90 percent of all spending on cyber across the federal government is dedicated to offensive cyber.
President Trump is proposing to spend $1.5 billion on defensive cyber inside DHS. Compare that to $50 billion for the U.S. Intelligence budget in 2013 – about 3 percent.
Departing NSA Deputy Director Rick Ledgett confirmed that 90% number and said that it needed to be adjusted.
In a recent NSA reorg, IAD, the division of the NSA responsible for defensive cyber, was buried inside a new operations division, meaning even less attention may be given to defense.
In early 2014 President Obama issued a directive that said that the NSA had to disclose bugs unless they have clear national security or law enforcement value, in which case they can be kept secret. Almost any serious cyber bug could be said to have clear national security or law enforcement value.
In any case, it is possible that our adversaries were also aware of and using the Cisco bugs against us and our allies. Such is the conflict USCYBERCOM faces every day – use the bug or disclose it? Are we (USCYBERCOM) the only ones who know about the bug, or do our adversaries know also?
Whether we think what Wikileaks did was right or wrong, it is clear that a number of potentially serious bugs will be patched as a result.
From the CIA’s standpoint, it is possible that even if our adversaries knew about some of the same bugs the CIA did, our ability to exploit them, or the value in keeping the bugs in place and continuing to collect data for as long as possible, might outweigh the disadvantage that our enemies were using the same bugs against us.
This is clearly a mess and I am not confident that politicians understand the problem well enough to actually fix it, but we can hope.
Information for this post came from Reuters.