A Tale of Two Hacks: The National Security Agency and the Department of Defense
The U.S. National Security Agency (NSA) found itself the victim of a thorough and compromising hack by an anonymous group that has taken to mocking the famously secretive agency. It may have learned some lessons from the Department of Defense, which recently invited hackers to do their worst.
According to a New York Times story, the NSA was infiltrated by a hacker group called the Shadow Brokers – which now posts messages teasing the intelligence agency as it sells cyberweapons stolen in the attack to buyers of all stripes. A wave of cybercrimes has been linked to those cyberweapons, with more likely to come.
Was it the NSA’s fault? According to one of the Times’ sources, the NSA has been more focused on its cyber offense than its defense and is now paying the price. Former defense secretary and director of the CIA Leon Panetta added:
“The fundamental purpose of intelligence is to be able to effectively penetrate our adversaries in order to gather vital intelligence. By its very nature, that only works if secrecy is maintained and our codes are protected…every time [a leak] happens, you essentially have to start over.”
The agency might be wise to take a page from the Department of Defense. In the wake of government agency breaches like that of the Office of Personnel Management, the DoD’s Defense Digital Services group started “Hack the Pentagon,” offering cash rewards to hackers who find and disclose vulnerabilities (aka “bug bounties”).
Over 24 days, pre-selected security researchers hunted down bugs in public-facing DoD websites. The bug bounty hunters uncovered more than 138 vulnerabilities for the DoD to resolve. As a follow-up, the DoD launched similar bounties for Army and Air Force websites (it found more than 100 unique bugs on the Army sites and 207 on the Air Force sites), and has continued using the practice over the past year to keep its security fresh.