NOBUS

NOBUS ("Nobody But Us") is a term used by the United States National Security Agency (NSA) to describe a known security vulnerability that it believes the United States (US) alone can exploit.^[1]

As technology and encryption advance, entities around the globe are gravitating towards common platforms and systems, such as Microsoft, Linux, and Apple.^[2] This convergence in usage creates a conflict between patching system vulnerabilities to protect one's own information, and exploiting the same system vulnerabilities to discover information about an adversary.^[2] To handle this conflict, the NSA developed the NOBUS system in which they evaluate the likelihood that an adversary would be able to exploit a known vulnerability in a system.^[2][3] If they determine the vulnerability is only exploitable by the NSA for reasons such as computational resources, budget, or skill set, they label it as NOBUS and will not move to patch it, but rather leave it open to exploit against current or future targets.^[4]

Broadly, the concept of NOBUS refers to the gap in signals intelligence (SIGINT) capabilities between the US and the rest of the world.^[4] Critics believe that this approach to signals intelligence poses more of a threat to the US than an advantage as the abilities of other entities progress and the market for buying vulnerabilities evolves.^[5]

History

During the 20th century, protecting one's own communications while intercepting the communications of adversaries was not in conflict.^[4] World War I (WWI) and World War II (WWII) signals intelligence contained a mixture of eavesdropping on radio communications, and breaking target cipher messages, actions that did not weaken the security of one's own information.^[4] The Allies' Operation Ultra during WWII was responsible for breaking Enigma, the German cipher device used to transmit military messages.^[6] By breaking Enigma, the security of the Allies cipher machine, SIGABA, was not influenced, since they were separate systems using separate technology.^[4] As technology advanced, this separation between offensive SIGINT, the act of intercepting adversaries communications, and defensive SIGINT, the act of protecting one's own messages, began to disappear.^[4]

The advancement of telecommunications, the Internet, and large corporations such as Microsoft and Apple, meant that often times both sides of a conflict use the same system.^[4] As such, if a group discovers a vulnerability in a target's system, it also likely means they've discovered a vulnerability in their own system.^[4] Disclosing the vulnerability for fixing weakens intelligence, while withholding information about the vulnerability weakens security, making the decision of what to do with a discovered exploit incredibly complicated.^[4][2]

The intelligence alliance group known as the Five Eyes, consisting of the US, Canada, Australia, New Zealand, and the United Kingdom, became uniquely situated in the world to take advantage of the progress of technology for their SIGINT abilities.^[7] Almost all of the communications across the globe physically pass through one of the Five Eyes, allowing for a physical advantage in their eavesdropping abilities.^[4] This geographical positioning was one of the reasons that the US was leading the SIGINT charge early on.^[4]

In addition, many technology companies were US companies, giving the US legal power over the corporations that other entities and governments lacked.^[4] An example of this NOBUS advantage is the NSA program known as PRISM, which gives them the ability to demand information from companies such as Google, Apple, Microsoft, and others, about their targets.^[4]

Former NSA Director Michael Hayden has since acknowledged the concept of NOBUS:

You look at a vulnerability through a different lens if even with the vulnerability it requires substantial computational power or substantial other attributes and you have to make the judgment who else can do this? If there's a vulnerability here that weakens encryption but you still need four acres of Cray computers in the basement in order to work it you kind of think "NOBUS" and that's a vulnerability we are not ethically or legally compelled to try to patch – it's one that ethically and legally we could try to exploit in order to keep Americans safe from others.^[5]

The commoditization of the Zero-Day exploit market changed the landscape of SIGINT in the 2000's.^[2] A Zero-Day (or 0-day) exploit is a software vulnerability that the software developer is not aware of and therefore has no immediate fix.^[8] In other words, when the exploit is used to steal information or corrupt a system, the developers have zero-days to fix it.^[2] Zero-day exploits were being developed and sold by a few individuals in the 1990's, but in the early 2000s companies dedicated to buying exploits of hackers around the world began popping up.^[8][2] This grey-market for zero-day exploits allowed anyone in the world with enough funds to buy exploits to commonly used systems.^[8]

In 2013, American whistleblower Edward Snowden leaked NSA documents that revealed that the NSA was spending considerable money in the zero-day market to accumulate exploits, likely the biggest buyer in the field.^[2] The ability to spend top dollar for exploits is considered a NOBUS capability since many other entities often cannot spend that much on an exploit.^[2] By 2012, a single iOS bug could earn as much as $250,000 on the grey market.^[8] In 2021, it is known that the NSA spends 10 times as much on offensive SIGINT than defensive, with 100 employees working on offense for every 1 employee on defense.^[2]

The Snowden leaks also revealed an NSA program in cooperation with its British counterpart Government Communications Headquarters (GCHQ) known as Muscular. This program involved tapping into the underwater internet cables of companies including Google and Yahoo.^[9] This collection of information as it travels unencrypted between internal company servers is known as "upstream" collection and the corporations affected were completely unaware of it.^[9] Muscular took place on British territory, exemplifying a NOBUS capability given that the NSA and GCHQ were allies and working together on the program.^[2]

US government response

Following the Edward Snowden leaks, in 2014 United States President Obama addressed the SIGINT tactics of the NSA.^[10] In his address he announces that he will be strengthening executive oversight of intelligence with the hope that individual security, foreign relations, and the intentions of corporations can all be considered.^[10] He also announced that he will be appointing a new senior official at the White House responsible for implementing new privacy safeguards.^[10] However, the usage of zero-day exploits was not directly discussed, with the focus of the address being on the NSA's collection of phone records within the US.

In 2014, a few months after President Obama's SIGINT address, a bug in popular encryption tool OpenSSL was discovered.^[2] This exploit, known as Heartbleed, permeated software around the world, including the US Pentagon.^[2] Following the discovery of Heartbleed, Michael Daniel, cybersecurity coordinator of the Obama administration, publicly addressed the procedure used by the NSA to determine what vulnerabilities to keep and what to disclose.^[3] Daniel listed numerous points that the agency took into consideration, namely how much harm the exploit could cause if disclosed and whether the intelligence could be gathered in another way.^[3] In addition, Daniel highlights that if the vulnerability was kept to be used, it would only be temporary and would be turned over to be patched after a short period of use by the agency.^[3] This was the first time the US government publicly acknowledged the use of zero-day exploits in SIGINT.^[2] This protocol outlined by Daniel in 2014 is known as the Vulnerabilities Equities Process (VEP).^[2]

Criticism

Critics argue that the NSA, and therefore the US, is no longer as significantly ahead of the rest of the world in SIGINT as it once was.^[2] Thus, it is dangerous for the NSA to leave a security vulnerability open just because it is believed to be NOBUS.^[2] A leaked NSA memo from 2012 is quoted saying "it is becoming apparent that other nation-states are honing their skill[s] and joining the scene", evidence that the NSA is aware of the ever closing gap in capabilities.^[2] In August 2016, a group of still unknown hackers known as the Shadow Brokers leaked NSA code that revealed the exact tools of the agency, effectively giving NOBUS capabilities to anyone who got their hands on the code.^[5] In April 2017, the Shadow Brokers went further and leaked twenty of the most effective zero-day exploits the agency had developed and collected.^[11][2] Following this leak, former NSA director Michael Hayden, who stood by the agency through the Snowden leaks in 2013, said he could not "defend an agency having powerful tools if it cannot protect the tools and keep them in its own hands".^[12]

By leaking the NSA's cyber arsenal, the Shadow Brokers also revealed that the NSA was keeping low level vulnerabilities that did not require extensive equipment or experience.^[2] Some of the tools were reportedly so easy to use they were essentially "point and shoot".^[12] These vulnerabilities are, by definition, not NOBUS, and keeping them in the NSA cyber arsenal rather than disclosing them so they could be fixed threatens the security of innocent people around the world who used the vulnerable software.^[2] The discovery that the NSA was withholding low level exploits for years directly contradicted the VEP outlined in 2014 by then cyber security coordinator Michael Daniel.^[3][2]

The Zero-Day exploit market has also caused the NSA to come under criticism.^[4] Vulnerabilities purchased on the grey-market are distinctly not NOBUS since anyone with sufficient funding has the ability to purchase them.^[5] There is also no way to ensure that if an entity sells a vulnerability to one group, it won't turn around and sell it to another.^[2] Critics are therefore concerned that keeping the vulnerabilities open instead of patching them threatens the security of innocent people who use vulnerable systems, since it cannot be confirmed who has access to the vulnerabilities.^[5]

Another common criticism of the NOBUS system is that since the NSA is exploiting vulnerabilities in systems used by US citizens and harvesting data from servers hosted in the US, there are ethical and legal concerns about the ability of the agency to avoid collecting data from US citizens.^[4]

Critics have also commented that there is no evidence that NOBUS strategy keeps people safe.^[13] In the past it has been reported that NOBUS has stopped 50 terrorist attacks, however the number was then amended to 1 or 2.^[13] In 2017, a study funded by the Office of the Director of National Intelligence (ODNI) recommended that the Intelligence Community shift away from signals intelligence as a source of information.^[14] Encryption methods are quickly becoming too advanced to break and laws in the US are prioritizing the privacy of American citizens over intelligence collection, meaning that the NSA and other intelligence agencies are facing an uphill battle for signals intelligence.^[14]

References

1. "What is NOBUS?". www.computerhope.com. Archived from the original on 22 October 2021. Retrieved 22 October 2021.
2. NICOLE., PERLROTH (2022). THIS IS HOW THEY TELL ME THE WORLD ENDS : the cyberweapons arms race. BLOOMSBURY. ISBN 978-1-63557-849-2. OCLC 1243263428.
3. "Heartbleed: Understanding When We Disclose Cyber Vulnerabilities". whitehouse.gov. 28 April 2014. Archived from the original on 4 December 2021. Retrieved 7 December 2021.
4. "Nobody But Us: The Rise and Fall of the Golden Age of Signals Intelligence". Lawfare. 7 September 2017. Archived from the original on 26 November 2023. Retrieved 22 October 2021.
5. Peterson, Andrea (4 October 2013). "Why everyone is left less secure when the NSA doesn't help fix security flaws". The Washington Post. Archived from the original on 5 January 2016. Retrieved 27 December 2015.
6. Hinsley, Sir Harry (26 November 1996). "The Influence of ULTRA in the Second World War" (PDF). Archived (PDF) from the original on 5 December 2015. Retrieved 2 December 2021.
7. "Canada and the Five Eyes Intelligence Community" (PDF). 10 September 2015. Archived from the original (PDF) on 10 September 2015. Retrieved 25 October 2021.
8. Ablon, Lillian (2014). "Zero-Day Vulnerabilities in the Black and Gray Markets". www.jstor.org. RAND Corporation: 25–28. JSTOR 10.7249/j.ctt6wq7z6.11. Archived from the original on 16 November 2021. Retrieved 16 November 2021.
9. "How we know the NSA had access to internal Google and Yahoo cloud data". Washington Post. ISSN 0190-8286. Archived from the original on 25 March 2018. Retrieved 7 December 2021.
10. "Remarks by the President on Review of Signals Intelligence". whitehouse.gov. 17 January 2014. Archived from the original on 8 December 2021. Retrieved 7 December 2021.
11. "Shadow Brokers Redux: Dump of NSA Tools Gets Even Worse". Lawfare. 14 April 2017. Archived from the original on 24 September 2023. Retrieved 7 December 2021.
12. Shane, Scott (17 May 2017). "Malware Case Is Major Blow for the N.S.A." The New York Times. ISSN 0362-4331. Archived from the original on 7 December 2021. Retrieved 7 December 2021.
13. Schneier, Bruce (6 January 2014). "How the NSA Threatens National Security". The Atlantic. Archived from the original on 25 October 2021. Retrieved 25 October 2021.
14. Williams, Brad D. (23 July 2019). "'Golden Age Of SIGINT May Be Over': New Encryption Foils IC Eavesdropping". Breaking Defense. Retrieved 25 October 2021.