Vendor Vulnerabilities: Is NSA Obligated to Let them Know?

Cisco’s Cloud Service Platform customers received word of exposures that could severely risk their data’s privacy. In September 2016, Cisco informed their virtual networking clients of the discovery that more than 840,000 devices are open to two serious vulnerabilities. Fortinet customers’ data were also exposed in the theft. These exploits can lead to man in the middle attacks around the globe.

Shadow Brokers 

A group identifying itself as Shadow Brokers allegedly stole exploits from Equation Group, linked to the National Security Agency three years ago. Using a Twitter account, Shadow Brokers recently announced an auction for firewall exploits they claim they found with a hacking tool used by the NSA. The group demanded Bitcoins in exchange for data with codenames such as EPICBANANA, EGREGIOUSBLUNDER, AND EXTRABACON.


One of the exploits that targets Cisco ASA, Cisco Firewall Services Model, and Cisco PIX is codenamed EXTRABACON. Here is how it works. If a device is set up for Simple Network Management Protocol (SNMP) with the SNMP-server enabled command, this allows for remote code commands on virtual private networks (VPNs). Meaning, an attacker could execute bogus codes and gain full control, erase, or reload an encrypted system.

These types of assaults are commonly called “Man in the Middle (MITM) attacks” An attacker secretly positions themselves between a sender and receiver, grabs information, changes it or keeps it, and sends the data, seemingly undisturbed, along to the receiver. Meanwhile, the sender and receiver think they securely linked to one another. Attacks such as these are known as zero-day flaws. Vendors are unaware of the hole or vulnerability, meanwhile hackers are busy exploiting it.

Patching the Holes

Cisco released a security patch for its customers exposed by the Shadow Brokers. About 24 hours after the fix was released, only about one third of vulnerable devices had been patched.  One major issue, raised in Wired Magazine, is what the NSA is responsible for doing once they discover holes such as these. Is the agency obligated to inform companies of their exposure or keep it undisclosed?

The exploits in question were allegedly taken by Shadow Brokers three years before they put the data up for auction. If the technique was stolen by the NSA, has the NSA known about these vulnerabilities all this time and not said a word? Have Cisco, Fortinet, and other vendors’ customers had the government snooping at their data for years? This is the debate information security professionals are currently having. According to Wired, “NSA Director Michael Rogers said in late 2014 that the NSA reports the majority of the vulnerabilities it finds.”

New York Times article cites sources close to this situation saying the NSA balances what could be gained by keeping the flaws secret versus what the exposure would risk the enterprise and its customers. Special Assistant to the President and Cybersecurity Coordinator Michael Daniel addressed the issue in 2014 by saying:

“[T]here are legitimate pros and cons to the decision to disclose, and the trade-offs between prompt disclosure and withholding knowledge of some vulnerabilities for a limited time can have significant consequences. Disclosing a vulnerability can mean that we forego an opportunity to collect crucial intelligence that could thwart a terrorist attack stop the theft of our nation’s intellectual property, or even discover more dangerous vulnerabilities that are being used by hackers or other adversaries to exploit our networks.”

The NSA reports a 91% disclosure rate when a vulnerability is discovered in a product made or used in the United States.


A group calling itself Shadow Brokers tried to sell encrypted data on virtual private networks (VPNs) that they exposed using NSA hacking techniques. The data was stolen by “man-in-the-middle” attacks. Customers were given patches to fix these exposures, but some security watchdogs argue that the problem is only beginning. Shadow Brokers stole the data three years before trying to auction it. If the NSA has known about these vulnerabilities for so long, why weren’t vendors informed?

CIPP Exam Preparation 

In preparation for the Certified Information Privacy Technologist (CIPT) Exam, a privacy professional should be comfortable with topics related to this post, including:

  • IT Risks (I.B.)
  • Network Controls (IV.D.e.)
  • Data Encryption (IV.E.)

In preparation for the Certified Information Privacy Professional (CIPP/US) Exam, a privacy professional should be comfortable with topics related to this post, including:

  • National Security and Privacy (III.B)

Leave a Reply




You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>