NSA's Malware Heroics Questioned By Security Experts

NSA says it thwarted a nation state's BIOS-bricking malware plot, but info security and privacy experts say the agency is trying to snow the American public.



Hackers Outsmart Pacemakers, Fitbits: Worried Yet? (click image for larger view)

The National Security Agency (NSA) helped foil a "nation state" that planned to launch a BIOS-bricking malware attack against the United States.

That claim was delivered Sunday night in an Inside the NSA segment on CBS's 60 Minutes that was partially filmed inside the intelligence agency's headquarters.

The agency, of course, is struggling to repair its image -- and stave off additional oversight or curtailing of its intelligence-gathering techniques -- since documents leaked by former agency contractor Edward Snowden revealed how the NSA has created a massive digital dragnet that's been intercepting millions of Americans' communications and related tracking data. Industry analysts have said that the fallout from those revelations could cost technology businesses billions in lost revenue over the next few years.

If a classic counterinsurgency tactic is to make a "hearts and minds" appeal to the public at large (rather than adversaries), that's what the NSA appeared to be doing via 60 Minutes, in part by arguing that its tactics are required to stop foreign nations that are intent on disrupting US systems.

[Presidential advisers say government cybersecurity isn't pretty. Learn Why Fed Cybersecurity Reboot Plan Fails To Convince.]

For example, Deborah Plunkett, the NSA's information assurance director -- described in the newscast as the official who directs cyberdefense -- told CBS correspondent John Miller that the agency had foiled a malware attack that would have corrupted the BIOS inside a PC, thus turning the machine into a brick. "One of our analysts actually saw that the nation state had the intention to develop and to deliver, to actually use this capability -- to destroy computers," Plunkett said. "This is the BIOS system which starts most computers. The attack would have been disguised as a request for a software update. If the user agreed, the virus would've infected the computer."

She added: "Think about the impact of that across the entire globe. It could literally take down the US economy."

But the NSA's detailing of a BIOS-attack plot that it supposedly foiled drew a tepid response from many information security professionals. For starters, that's because during the interview, Plunkett wasn't holding the type of BIOS she described -- which would be installed on a motherboard -- but rather a serial ATA controller BIOS, according to Robert David Graham, CEO of Errata Security.

In addition, nothing Plunkett said suggested that the alleged plot was anything more than script kiddies brainstorming up potential future attacks. Furthermore, the supposed plot can't be verified, based on the details that were provided, which included an unnamed NSA official pointing the finger at China. "Same as with #badbios, there's no question it's possible, whether it happened in this case, nobody knows," tweeted computer security researcher Dan Kaminsky.

Other security professionals noted that BIOS-attacking malware isn't anything new, or really all that big of a threat. Perhaps the NSA simply couldn't come up with a scarier-sounding attack?

"We experts just aren't impressed. We know how viruses work, and see nothing special here. We know how stories get distorted. We know how paranoia makes minor things look scary," Errata Security's Graham said in a blog post. "If there were something momentous here, they would say so. But instead, they used techno mumbo jumbo to confuse the typical '60 Minutes' viewer into believing something that was never explicitly stated."

Stepping back from the BIOS plot, information security and privacy experts also criticized the entire 60 Minutes segment for failing to pose the "tough questions" promised by CBS correspondent Miller, who previously worked for both the Office of the Director of National Intelligence and the FBI.

As F-Secure chief research officer Mikko Hypponen summarized the segment via Twitter: "Turns out, NSA is doing an outstanding job and Snowden is the bad guy."

Gen. Keith Alexander

Miller's interviewees included NSA director Gen. Keith Alexander, who first approached CBS about doing the news segment. But Alexander relied on evasion and doublespeak when it came to addressing some of the NSA's more contentious practices, for example when responding to questions about whether the agency hacks into datacenters run by the likes of Google and Yahoo.

"We do target terrorist communications. And terrorists use communications from Google, from Yahoo, and from other service providers. So our objective is to collect those communications no matter where they are," Alexander said. "But we're not going into a facility or targeting Google as an entity or Yahoo as an entity. But we will collect those communications of terrorists that flow on that network."

A presidential commission is reportedly preparing to recommend that some of the NSA's mass data collection practices should be curtailed or stopped. But rather than advancing any nuanced arguments about how the NSA might respond to leading political, legal, and privacy criticisms, Alexander instead argued that the status quo should prevail. "My concern on that is [especially] what's going on in the Middle East, what you see going on in Syria, what we see going on-- Egypt, Libya, Iraq, it's much more unstable, the probability that a terrorist attack will occur is going up," he said. "And this is precisely the time that we should not step back from the tools that we've given our analysts to detect these types of attacks."

Will Alexander's 60 Minutes appeal for business as usual at the NSA succeed? Let us know your opinion in the comments section below.

Mathew Schwartz is a freelance writer, editor, and photographer, as well the InformationWeek information security reporter.

The NSA leak showed that one rogue insider can do massive damage. Use these three steps to keep your information safe from internal threats. Also in the Stop Data Leaks issue of Dark Reading: Technology is critical, but corporate culture also plays a central role in stopping a big breach. (Free registration required.)

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.