It’s old news by now that all of our most secret data is vulnerable, no matter how hard we try to protect it. If you’re surprised that the Russian government was apparently able to steal code developed by the National Security Agency, then you haven’t been paying attention to how consistently every level of computer security, in pretty much every sector of the government and in the private world, has been breached over and over again.
But this summer’s high-profile data breaches—first the Democratic National Committee, now the NSA—have been different. The sophisticated adversaries didn’t just steal sensitive data. They posted it publicly (or at least handed it over to someone else to post publicly) for the whole world to see. As Edward Snowden tweeted, “NSA malware staging servers getting hacked by a rival is not new. A rival publicly demonstrating they have done so is.”
Usually when a government is able to access a rival nation’s closely guarded information, it goes to great lengths to try not to get caught. Traditional espionage is about everybody gathering as much information as they can as quietly as possible, and it’s a little disconcerting to see that model so completely upended—not least because it changes the nature of what the U.S. government and other governments are trying to protect themselves from with counterespionage efforts.
To understand why this is a big deal, it’s important to keep in mind that while the specific technical mechanisms that are used to steal data change and evolve relatively rapidly, the list of things criminals can do with that purloined data has remained relatively static over the years. We’re used to the financially motivated data breaches perpetrated by criminals who are out to make money off the info they’ve stolen. And we’re familiar with the old-fashioned espionage breaches in which foreign governments gather troves of secret information as part of their covert intelligence operations. Most breaches fall into these first two categories—the 2016 Verizon Data Breach Investigations Report estimates that 89 percent of the breaches it analyzed had a financial or espionage motive—though this is hardly the first time we’ve seen hackers wield a successful data breach as a tool for publicly humiliating the victims. (Sony Pictures and Ashley Madison both come to mind.)
But the NSA breach seems to have been driven by a confusing and largely unprecedented combination of motives including greed, espionage, and public revenge. The stolen information itself seems to indicate an espionage breach: What’s been released so far looks to be code that would help the United States penetrate computer systems in nations like Russia and China and set up back doors to allow them future access. The people who would be most obviously interested in acquiring that information would presumably be the targets of those espionage efforts, and a lot of the initial speculation about who is responsible has focused on Russia.
But this is no textbook case of espionage—the perpetrators also appear to be interested in making money and publicly embarrassing the U.S. government. The group claiming responsibility, which calls itself the “Shadow Brokers,” stole data that is clearly primarily of interest to anyone conducting political espionage against the United States, then announced it would sell the stolen data to the highest bidder, while WikiLeaks simultaneously began releasing what it said was the full set of stolen documents to the public.
So what were the Shadow Brokers after, really: secrets or money or vengeance? There’s some speculation that their real agenda may have been intimidation. Perhaps they wanted to make it easier for other parties to more definitively attribute cyberattacks to the United States government by releasing the code, or even just wanted to make it clear to the United States that they could access NSA servers or clearly link the NSA to past attacks.
Understanding the motives behind data breaches is important because it’s part of how we figure out ways to try to contain the harm. If someone steals millions of credit card numbers, then we monitor or cancel those accounts—this doesn’t change the fact that the data was stolen, but it restricts the thieves’ ability to use that data to steal money, which is the thing they really care about (and the thing we really care about preventing). When North Korea published business records, emails, and movie scripts belonging to Sony, the studio tried to seed fake online content to make it more difficult for people to find the actual stolen files by forcing them to keep clicking on dummy downloads planted by Sony instead. Again, this wasn’t about protecting against the breach itself—it was about protecting against the aftereffects of the breach, the widespread media coverage and public humiliation that resulted from everyone being able to easily view all of Sony’s data. Another ways to do this is try to persuade people viewing the information that it’s all lies—take, for instance, the DNC’s announcement this week that further publicly released documents purporting to be stolen from its servers might be completely false and planted by the perpetrators. After the Office of Personnel Management breach—allegedly an act of espionage by China—the United States removed some CIA agents from the U.S. Embassy in Beijing in order to make the stolen information less useful. It was too late to prevent the breach but not too late to prevent the perpetrators from being able to use some of what they had stolen.
Protecting against breaches after the fact is hard no matter what, but it’s even harder when you don’t know what your adversary’s next steps will be. You may think you’re dealing with a closely guarded intelligence operation that will keep its stolen secrets close to the vest and strategize accordingly, only to discover that you’re instead facing a much bolder, more reckless nemesis who just wants to wreak havoc. Even—perhaps especially—in the largely lawless world of espionage, it’s helpful to know what rules everyone else is playing by.
That’s not to say there aren’t any advantages to the shift we seem to be witnessing in how nations treat the data they steal for espionage purposes. More such public incidents could potentially help us aggregate more information about how and when cybersecurity incidents occur. It might even make it easier to have concrete, productive discussions about the appropriate limits and scope of international espionage efforts and what lines different nations do and don’t actually cross.
But it’s always been somewhat comforting that the most powerful players involved in this space—the ones with the greatest resources and most sophisticated technical expertise—have been pretty rational in their pursuit of money or state secrets. We knew basically what they were going to do with their skills and why. The brazenness of the public release of the NSA data may be just as rational and calculated, but it also seems like it could conceivably be the act of a less careful adversary, one with expertise and resources to rival the best but who’s tired of playing spy games and wants, on some level, to watch the world burn.
This article is part of Future Tense, a collaboration among Arizona State University, New America, and Slate. Future Tense explores the ways emerging technologies affect society, policy, and culture. To read more, follow us on Twitter and sign up for our weekly newsletter.