Sources close to the investigation into how NSA surveillance tools and zero-day exploits ended up in the hands of hackers has found that the agency knew about the loss for three years but didn’t want anyone to know.
Multiple sources told Reuters last night that the investigation into the data dump released by a group calling itself the Shadow Brokers had determined that the NSA itself wasn't directly hacked and the software didn't come from exiled whistleblower Edward Snowden. Instead it appears one of the NSA staffers got sloppy.
It appears at this stage that the staffer, who has since left the NSA for other reasons, stashed the sensitive tools on an outside server – likely a bounce box – after an operation. Miscreants then found that machine, raided it and hit the jackpot. The staffer informed his bosses after the incident, but rather than warning companies like Cisco that their customers were at risk, the NSA kept quiet.
The reasoning for this secrecy seems to have been that the NSA wanted to see who was going to use them. It monitored the world's internet traffic to try and catch sight of the tools or someone using the software or the holes it exploited. Since no signs appeared the agency didn’t tell anyone of the loss.
According to US government guidelines the NSA is supposed to assess the seriousness of zero-day flaws it finds and inform companies if it feels they are serious enough. Documents obtained by the EFF stated that the NSA told manufacturers about 91 per cent of the flaws it found.
That didn't happen, and a lot of security people are going to be asking why not. ®