Written by Shannon Vavra

U.S. military commanders say that when U.S. Cyber Command and the National Security Agency use a capability against targets abroad, they understand it might eventually be used by an adversary.

The threat of having the NSA’s tools leaked has been an issue inside the agency for years now — former NSA contractor Edward Snowden brought it into the public domain when he revealed a trove of NSA programs in 2013 — but the risk of having adversaries detect, obtain or reverse engineer NSA-used tools has become especially salient in the last week. Researchers from cybersecurity firm Symantec revealed that a Chinese-linked hacking group had repurposed tools linked with the NSA as early as March of 2016 and used them to attack various targets around the world.

Although Cyber Command’s Director of Capabilities and Resource Integration, Maj. Gen. Karl Gingrich, did not directly address this report, when asked how Cyber Command protects tools from being used or acquired by adversaries, he said safeguarding them is a “priority … but at the end of the day once you have used the tool, it’s out there.”

It is unclear how the group — known as Buckeye — obtained the tools, but Symantec assesses it is possible the group observed an NSA-linked attack, then gathered enough info to repurpose the code. It is also possible Buckeye stole the tools from an unsecured server or that the code was leaked to the group, although Symantec said that was less likely.

“There’s always a risk calculus in any sort of operation that we take on in Cyber Command,” said David Luber, the executive director of U.S. Cyber Command, during a recent media roundtable. “The commander [Gen. Paul Nakasone] looks at those scenarios every single day.”

Gingrich says that Cyber Command determines the risk attached to a capability by examining what the target is, what tool is being used, how risky it is to deploy the tool, and whether the command is willing to use it at the examined time.

According to The George Washington University’s National Security Archive, which obtained documents through a Freedom of Information Act request, Cyber Command runs an internal deliberation process before deciding to launch a mission. The deliberation includes an assessment of intelligence gain loss, a blowback assessment, an assessment of collateral effects, a legal review and a risk assessment report.

Rosa Smothers, a former cyberthreat analyst at the Central Intelligence Agency, told CyberScoop she was not surprised by the Symantec report, adding that the loss of capabilities is something NSA wrestles with all the time.

“That’s part of the risk-gain analysis that goes into any cyber-operation; when you’re willing to put your tool or tools out there, there is always going to be a risk of discovery,” Smothers said.

Although it remains unclear how exactly Buckeye obtained the tools, critics say the research also highlights the risks in the process the U.S. government follows when it uncovers security flaws in products and, instead of disclosing them to vendors, uses them for espionage or military purposes or collects them for later use.

Through its Vulnerabilities Equities Process (VEP), government officials determine whether to withhold or disclose information to tech companies about newly discovered software flaws. The VEP allows the government to keep certain “limited categories” from being shared, the details of which remain classified.

According to an appendix the White House released two years ago, one of the factors officials consider in VEP deliberations is how widely used the affected product is. The trade-off is that officials also consider whether flaws can be exploited to support intelligence collection and cyber operations.

Jordan Rae Kelly, the former director for Cyber Incident Response on the National Security Council who oversaw the VEP, said the deliberation is a balancing act.

“It’s about really looking and understanding vulnerabilities in a deep way,” Kelly, who is now senior managing director at FTI Consulting, told CyberScoop. “Understanding how agencies might use individual exploits or if the exploits will be used in a series of tools is part of the evaluation equation.”

Neil Jenkins, a former cyber adviser at the Department of Homeland Security, tells CyberScoop that the Symantec research highlights possible flaws in the VEP.

“We have to be taking into better consideration how prominent an exploit is in the ecosystem. … This was a vulnerability in a Microsoft product in Windows,” Jenkins, now the chief analytic officer of the Cyber Threat Alliance, told CyberScoop. “That alone should have been enough to say … we should disclose this exploit.”

Kelly said she “wouldn’t say that any one factor is weighed more heavily” in the process.

Smothers says she understands both sides.

“I know what it is on the intelligence side to have an awareness of a vulnerability … to build a tool to exploit that vulnerability … to have a very real possibility to get on to a terrorist’s phone or laptop,” Smothers, who now serves as senior vice president of cyber-operations for KnowBe4, told CyberScoop. “Conversely, if you’re on the private sector side, you want your systems patched and secured.”

The NSA, which is the executive secretariat of the VEP, has said in the past it’s disclosed 91 percent of the vulnerabilities it finds. In the case of the vulnerabilities that Buckeye was found to be using, the NSA shared its software vulnerabilities with Microsoft so it could patch the flaws, according to The New York Times.

The NSA would not comment on the VEP. Cyber Command and the White House’s National Security Council did not respond to requests for comment.

The VEP’s review process, which traces its development back to the Obama administration, was only publicly disclosed for the first time in 2014. In those deliberations, the reviewers are supposed to consider whether exploiting the vulnerability will cause harm or if adversaries are likely to use the vulnerability for their own purposes.

Luber said that Cyber Command, just like other parts of the Department of Defense, participates in the review process.

“When it comes to working in an environment where our tools will be used in our operations, we participate just like other parts of the U.S. government in the VEP,” Luber said.