NOBUS ("Nobody But Us") is a term used by the United States National Security Agency (NSA) to describe a known security vulnerability that it believes the United States (US) alone can exploit. [1]
As technology and encryption advance, entities around the globe are gravitating towards common platforms and systems, such as Microsoft, Linux, and Apple. [2] This convergence in usage creates a conflict between patching system vulnerabilities to protect one's own information, and exploiting the same system vulnerabilities to discover information about an adversary. [2] To handle this conflict, the NSA developed the NOBUS system in which they evaluate the likelihood that an adversary would be able to exploit a known vulnerability in a system. [2] [3] If they determine the vulnerability is only exploitable by the NSA for reasons such as computational resources, budget, or skill set, they label it as NOBUS and will not move to patch it, but rather leave it open to exploit against current or future targets. [4]
Broadly, the concept of NOBUS refers to the gap in signals intelligence (SIGINT) capabilities between the US and the rest of the world. [4] Critics believe that this approach to signals intelligence poses more of a threat to the US than an advantage as the abilities of other entities progress and the market for buying vulnerabilities evolves. [5]
During the 20th century, protecting one's own communications while intercepting the communications of adversaries was not in conflict. [4] World War I (WWI) and World War II (WWII) signals intelligence consisted of a mixture of eavesdropping on radio communications and breaking target cipher messages, actions that did not weaken the security of one's own information. [4] The Allies' Operation Ultra during WWII was responsible for breaking Enigma, the German cipher device used to transmit military messages. [6] Breaking Enigma did not affect the security of the Allies' own cipher machine, SIGABA, since the two were separate systems using separate technology. [4] As technology advanced, this separation between offensive SIGINT, the act of intercepting adversaries' communications, and defensive SIGINT, the act of protecting one's own messages, began to disappear. [4]
The advancement of telecommunications, the Internet, and large corporations such as Microsoft and Apple meant that both sides of a conflict often use the same system. [4] As such, if a group discovers a vulnerability in a target's system, it has very likely also discovered a vulnerability in its own system. [4] Disclosing the vulnerability so it can be fixed weakens intelligence, while withholding information about the vulnerability weakens security, making the decision of what to do with a discovered exploit incredibly complicated. [4] [2]
The intelligence alliance group known as the Five Eyes, consisting of the US, Canada, Australia, New Zealand, and the United Kingdom, became uniquely situated in the world to take advantage of the progress of technology for their SIGINT abilities. [7] Almost all of the communications across the globe physically pass through one of the Five Eyes, allowing for a physical advantage in their eavesdropping abilities. [4] This geographical positioning was one of the reasons that the US was leading the SIGINT charge early on. [4]
In addition, many technology companies were US companies, giving the US legal power over the corporations that other entities and governments lacked. [4] An example of this NOBUS advantage is the NSA program known as PRISM, which gives them the ability to demand information from companies such as Google, Apple, Microsoft, and others, about their targets. [4]
Former NSA Director Michael Hayden has since acknowledged the concept of NOBUS:
You look at a vulnerability through a different lens if even with the vulnerability it requires substantial computational power or substantial other attributes and you have to make the judgment who else can do this? If there's a vulnerability here that weakens encryption but you still need four acres of Cray computers in the basement in order to work it you kind of think "NOBUS" and that's a vulnerability we are not ethically or legally compelled to try to patch – it's one that ethically and legally we could try to exploit in order to keep Americans safe from others. [5]
The commoditization of the zero-day exploit market changed the landscape of SIGINT in the 2000s. [2] A zero-day (or 0-day) exploit targets a software vulnerability that the software developer is not aware of and therefore has no immediate fix for. [8] In other words, when the exploit is used to steal information or corrupt a system, the developers have had zero days to fix it. [2] Zero-day exploits were being developed and sold by a few individuals in the 1990s, but in the early 2000s companies dedicated to buying exploits from hackers around the world began appearing. [8] [2] This grey market for zero-day exploits allowed anyone in the world with enough funds to buy exploits for commonly used systems. [8]
In 2013, American whistleblower Edward Snowden leaked NSA documents revealing that the NSA was spending considerable money in the zero-day market to accumulate exploits, and was likely the biggest buyer in the field. [2] The ability to pay top dollar for exploits is considered a NOBUS capability, since many other entities cannot spend that much on a single exploit. [2] By 2012, a single iOS bug could earn as much as $250,000 on the grey market. [8] As of 2021, the NSA is reported to spend 10 times as much on offensive SIGINT as on defensive SIGINT, with 100 employees working on offense for every 1 employee on defense. [2]
The Snowden leaks also revealed an NSA program in cooperation with its British counterpart Government Communications Headquarters (GCHQ) known as Muscular. This program involved tapping into the underwater internet cables of companies including Google and Yahoo. [9] This collection of information as it travels unencrypted between internal company servers is known as "upstream" collection and the corporations affected were completely unaware of it. [9] Muscular took place on British territory, exemplifying a NOBUS capability given that the NSA and GCHQ were allies and working together on the program. [2]
Following the Edward Snowden leaks, in 2014 United States President Obama addressed the SIGINT tactics of the NSA. [10] In his address he announced that he would strengthen executive oversight of intelligence, with the hope that individual security, foreign relations, and the interests of corporations could all be considered. [10] He also announced that he would appoint a new senior official at the White House responsible for implementing new privacy safeguards. [10] However, the use of zero-day exploits was not directly discussed; the focus of the address was the NSA's collection of phone records within the US.
In 2014, a few months after President Obama's SIGINT address, a bug in the popular encryption library OpenSSL was discovered. [2] This vulnerability, known as Heartbleed, affected software around the world, including at the US Pentagon. [2] Following the discovery of Heartbleed, Michael Daniel, cybersecurity coordinator of the Obama administration, publicly described the procedure used by the NSA to determine which vulnerabilities to keep and which to disclose. [3] Daniel listed numerous points that the agency took into consideration, namely how much harm the exploit could cause if it were not disclosed and whether the intelligence could be gathered in another way. [3] In addition, Daniel highlighted that if a vulnerability was kept for use, this would only be temporary, and it would be turned over to be patched after a short period of use by the agency. [3] This was the first time the US government publicly acknowledged the use of zero-day exploits in SIGINT. [2] The protocol outlined by Daniel in 2014 is known as the Vulnerabilities Equities Process (VEP). [2]
Critics argue that the NSA, and therefore the US, is no longer as far ahead of the rest of the world in SIGINT as it once was. [2] Thus, it is dangerous for the NSA to leave a security vulnerability open just because it is believed to be NOBUS. [2] A leaked NSA memo from 2012 is quoted as saying "it is becoming apparent that other nation-states are honing their skill[s] and joining the scene", evidence that the NSA is aware of the ever-closing gap in capabilities. [2] In August 2016, a still-unidentified hacker group known as the Shadow Brokers leaked NSA code that revealed the exact tools of the agency, effectively giving NOBUS capabilities to anyone who got their hands on the code. [5] In April 2017, the Shadow Brokers went further and leaked twenty of the most effective zero-day exploits the agency had developed and collected. [11] [2] Following this leak, former NSA director Michael Hayden, who had stood by the agency through the Snowden leaks in 2013, said he could not "defend an agency having powerful tools if it cannot protect the tools and keep them in its own hands". [12]
By leaking the NSA's cyber arsenal, the Shadow Brokers also revealed that the NSA had been keeping low-level vulnerabilities that did not require extensive equipment or expertise to exploit. [2] Some of the tools were reportedly so easy to use that they were essentially "point and shoot". [12] These vulnerabilities are, by definition, not NOBUS, and keeping them in the NSA's cyber arsenal rather than disclosing them so they could be fixed threatened the security of innocent people around the world who used the vulnerable software. [2] The discovery that the NSA had withheld low-level exploits for years directly contradicted the VEP outlined in 2014 by then cybersecurity coordinator Michael Daniel. [3] [2]
The zero-day exploit market has also brought the NSA under criticism. [4] Vulnerabilities purchased on the grey market are distinctly not NOBUS, since anyone with sufficient funding has the ability to purchase them. [5] There is also no way to ensure that an entity which sells a vulnerability to one group will not turn around and sell it to another. [2] Critics are therefore concerned that keeping the vulnerabilities open instead of patching them threatens the security of innocent people who use vulnerable systems, since it cannot be confirmed who has access to the vulnerabilities. [5]
Another common criticism of the NOBUS system is that since the NSA is exploiting vulnerabilities in systems used by US citizens and harvesting data from servers hosted in the US, there are ethical and legal concerns about the ability of the agency to avoid collecting data from US citizens. [4]
Critics have also commented that there is no evidence that the NOBUS strategy keeps people safe. [13] In the past it was reported that NOBUS had stopped 50 terrorist attacks; however, the number was later amended to 1 or 2. [13] In 2017, a study funded by the Office of the Director of National Intelligence (ODNI) recommended that the Intelligence Community shift away from signals intelligence as a source of information. [14] Encryption methods are quickly becoming too advanced to break, and laws in the US are prioritizing the privacy of American citizens over intelligence collection, meaning that the NSA and other intelligence agencies face an uphill battle in signals intelligence. [14]
The National Security Agency (NSA) is an intelligence agency of the United States Department of Defense, under the authority of the Director of National Intelligence (DNI). The NSA is responsible for global monitoring, collection, and processing of information and data for foreign and domestic intelligence and counterintelligence purposes, specializing in a discipline known as signals intelligence (SIGINT). The NSA is also tasked with the protection of U.S. communications networks and information systems. The NSA relies on a variety of measures to accomplish its mission, the majority of which are clandestine. The NSA has roughly 32,000 employees.
Cisco PIX was a popular IP firewall and network address translation (NAT) appliance. It was one of the first products in this market segment.
Signals intelligence by alliances, nations and industries comprises signals intelligence (SIGINT) gathering activities by national and non-national entities; these entities are commonly responsible for communications security (COMSEC) as well.
National intelligence programs, and, by extension, the overall defenses of nations, are vulnerable to attack. It is the role of intelligence cycle security to protect the process embodied in the intelligence cycle, and that which it defends. A number of disciplines go into protecting the intelligence cycle. One of the challenges is there are a wide range of potential threats, so threat assessment, if complete, is a complex task. Governments try to protect three things:
A zero-day is a vulnerability or security hole in a computer system unknown to its owners, developers or anyone capable of mitigating it. Until the vulnerability is remedied, threat actors can exploit it in a zero-day exploit, or zero-day attack.
Tails, or "The Amnesic Incognito Live System", is a security-focused Debian-based Linux distribution aimed at preserving Internet privacy and anonymity. It connects to the Internet exclusively through the anonymity network Tor. The system is designed to be booted as a live DVD or live USB and never writes to the hard drive or SSD, leaving no digital footprint on the machine unless explicitly told to do so. It can also be run as a virtual machine, with some additional security risks.
Cyberweapons are commonly defined as malware agents employed for military, paramilitary, or intelligence objectives as part of a cyberattack. This includes computer viruses, trojans, spyware, and worms that can introduce malicious code into existing software, causing a computer to perform actions or processes unintended by its operator.
The Office of Tailored Access Operations (TAO), now Computer Network Operations, and structured as S32, is a cyber-warfare intelligence-gathering unit of the National Security Agency (NSA). It has been active since at least 1998, possibly 1997, but was not named or structured as TAO until "the last days of 2000," according to General Michael Hayden.
XKeyscore is a secret computer system used by the United States National Security Agency (NSA) for searching and analyzing global Internet data, which it collects in real time. The NSA has shared XKeyscore with other intelligence agencies, including the Australian Signals Directorate, Canada's Communications Security Establishment, New Zealand's Government Communications Security Bureau, Britain's Government Communications Headquarters, Japan's Defense Intelligence Headquarters, and Germany's Bundesnachrichtendienst.
Bullrun is a clandestine, highly classified program to crack encryption of online communications and data, which is run by the United States National Security Agency (NSA). The British Government Communications Headquarters (GCHQ) has a similar program codenamed Edgehill. According to the Bullrun classification guide published by The Guardian, the program uses multiple methods including computer network exploitation, interdiction, industry relationships, collaboration with other intelligence community entities, and advanced mathematical techniques.
Dishfire is a covert global surveillance collection system and database run by the United States of America's National Security Agency (NSA) and the United Kingdom's Government Communications Headquarters (GCHQ) that collects hundreds of millions of text messages on a daily basis from around the world. A related analytic tool is known as Prefer.
During the 2010s, international media news reports revealed new operational details about the Anglophone cryptographic agencies' global surveillance of both foreign and domestic nationals. The reports mostly relate to top secret documents leaked by ex-NSA contractor Edward Snowden. The documents consist of intelligence files relating to the U.S. and other Five Eyes countries. In June 2013, the first of Snowden's documents were published, with further selected documents released to various news outlets through the year.
Global mass surveillance can be defined as the mass surveillance of entire populations across national borders.
Heartbleed is a security bug in some outdated versions of the OpenSSL cryptography library, which is a widely used implementation of the Transport Layer Security (TLS) protocol. It was introduced into the software in 2012 and publicly disclosed in April 2014. Heartbleed could be exploited regardless of whether the vulnerable OpenSSL instance is running as a TLS server or client. It resulted from improper input validation in the implementation of the TLS heartbeat extension. Thus, the bug's name derived from heartbeat. The vulnerability was classified as a buffer over-read, a situation where more data can be read than should be allowed.
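The missing input validation described above can be shown concretely. The following is example code written for this page, not OpenSSL's source: a minimal parser for the heartbeat message layout defined in RFC 6520 (a type byte, a two-byte big-endian payload length, the payload, then at least 16 bytes of padding) that rejects any record whose claimed payload length does not fit in the bytes actually received, which is the class of check whose absence produced the over-read. The two sample records are constructed, not captured traffic.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* TLS heartbeat layout (RFC 6520): 1-byte type, 2-byte payload_length,
 * payload_length bytes of payload, then at least 16 bytes of padding. */
#define HB_HEADER_LEN  3
#define HB_MIN_PADDING 16
#define HB_REQUEST     1
#define HB_RESPONSE    2

/* Validate a heartbeat message carried in a TLS record of rec_len bytes.
 * Returns the payload length, or -1 if the record is malformed.
 * The fit check below is the one the vulnerable code lacked: it trusted the
 * peer's payload_length and copied that many bytes from the record buffer,
 * so a short record with a large claimed length echoed adjacent heap memory. */
int hb_parse(const uint8_t *rec, size_t rec_len, const uint8_t **payload)
{
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING)   /* too short to be a heartbeat */
        return -1;
    if (rec[0] != HB_REQUEST)
        return -1;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HEADER_LEN + claimed + HB_MIN_PADDING > rec_len)  /* claimed payload must fit */
        return -1;
    *payload = rec + HB_HEADER_LEN;
    return (int)claimed;
}

/* Build the response, echoing only the validated payload and never writing
 * past out_cap. Returns the number of bytes written, or -1 on rejection. */
int hb_build_response(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    const uint8_t *payload;
    int n = hb_parse(rec, rec_len, &payload);
    if (n < 0 || (size_t)(HB_HEADER_LEN + n + HB_MIN_PADDING) > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(n >> 8);
    out[2] = (uint8_t)(n & 0xff);
    memcpy(out + HB_HEADER_LEN, payload, (size_t)n);
    memset(out + HB_HEADER_LEN + n, 0, HB_MIN_PADDING); /* padding; real code uses random bytes */
    return HB_HEADER_LEN + n + HB_MIN_PADDING;
}

/* Constructed sample records. Well-formed: type 1, length 5, "hello", 16 bytes padding. */
static const uint8_t good_rec[] = { 1, 0x00, 0x05, 'h','e','l','l','o',
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 };
/* Malformed: the same 24 bytes on the wire, but claiming a 0xFFFF-byte payload. */
static const uint8_t bad_rec[] = { 1, 0xFF, 0xFF, 'h','e','l','l','o',
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 };

int main(void)
{
    uint8_t out[64];
    printf("good record: %d\n", hb_build_response(good_rec, sizeof good_rec, out, sizeof out)); /* 24 */
    printf("bad record:  %d\n", hb_build_response(bad_rec, sizeof bad_rec, out, sizeof out));   /* -1 */
    return 0;
}
```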
Sentry Eagle, the National Initiative Protection Program, is a compartmented program of the National Security Agency's (NSA) Central Security Service (CSS) and the US Strategic Command Joint Functional Component Command - Network Warfare (JFCC-NW). Its existence was revealed during the 2013 global surveillance disclosure by Edward Snowden.
Attempts, unofficially dubbed the "Crypto Wars", have been made by the United States (US) and allied governments to limit the public's and foreign nations' access to cryptography strong enough to thwart decryption by national intelligence agencies, especially the National Security Agency (NSA).
The market for zero-day exploits is commercial activity related to the trafficking of software exploits.
The Shadow Brokers (TSB) is a hacker group who first appeared in the summer of 2016. They published several leaks containing hacking tools, including several zero-day exploits, from the "Equation Group" who are widely suspected to be a branch of the National Security Agency (NSA) of the United States. Specifically, these exploits and vulnerabilities targeted enterprise firewalls, antivirus software, and Microsoft products. The Shadow Brokers originally attributed the leaks to the Equation Group threat actor, who have been tied to the NSA's Tailored Access Operations unit.
Vault 7 is a series of documents that WikiLeaks began to publish on 7 March 2017, detailing the activities and capabilities of the United States Central Intelligence Agency (CIA) to perform electronic surveillance and cyber warfare. The files, dating from 2013 to 2016, include details on the agency's software capabilities, such as the ability to compromise cars, smart TVs, web browsers including Google Chrome, Microsoft Edge, Mozilla Firefox, and Opera, the operating systems of most smartphones including Apple's iOS and Google's Android, and computer operating systems including Microsoft Windows, macOS, and Linux. A CIA internal audit identified 91 malware tools out of more than 500 tools in use in 2016 as compromised by the release. The tools were developed by the Operations Support Branch of the CIA.
EternalBlue is a computer exploit developed by the U.S. National Security Agency (NSA). It was based on a vulnerability in Microsoft networking software that the NSA had known about for several years but had not disclosed to Microsoft. When the NSA discovered in 2017 that the exploit was stolen, Microsoft was informed and released security patches in March 2017. The Shadow Brokers hacker group publicly released EternalBlue on April 14, 2017.