Brighten their holiday. Enrich their everyday.Give The Atlantic

A Stolen NSA Tool Is Being Used in a Global Cyberattack

The magnitude of the event shows the danger of insider threats to the U.S. intelligence community.

An ambulance for Britain's National Health Service, which was targeted in a cyberattack on Friday (Reuters / Stefan Wermouth)

The shadow of ousted FBI director James Comey hung over the Senate Intelligence committee’s worldwide threat hearing yesterday. Like Banquo’s ghost in Macbeth, the presence of Comey’s absence was everywhere. But it wasn’t the most surreal aspect of the day. Here was a hearing on external threats at a moment when internal threats are growing more serious and scary than any time in recent memory. Just 24 hours later, the magnitude of that danger came into sharp focus as cyber attacks using stolen NSA tools hit an estimated 45,000 computers in more than 70 countries, disrupting Britain’s health system and sending officials from Moscow to Madrid back to paper and pens.

Insider threats are not new but the speed and scale of their destructive impact are. In 2001, Robert Philip Hanssen, a 25-year veteran of the FBI, was caught hiding a garbage bag full of classified documents in a “dead drop” under a Virginia park bridge. His arrest ended a 15-year mole hunt for one of the most damaging traitors in American history. Hanssen was found to have passed a few thousand highly classified documents to the Soviets over two decades, including the names of dozens of American agents. Several were killed as a result of his treachery.

Today, trusted insiders can steal and release classified information in terabytes, not trash bags, all in a matter of days, not decades. Chelsea Manning downloaded the contents of more than 250,000 State Department cables on a fake Lady Gaga CD, lip syncing to Lady Gaga's “Telephone” as he exfiltrated the data. Former NSA contractor Edward Snowden stole an estimated 1.5 million documents, including information about some of the most highly classified programs in the U.S. government—and not just by copying what he happened to see on his desktop.

A bipartisan review by the House Intelligence Committee found that Snowden deliberately sought access to classified programs by tricking coworkers into giving him their security credentials and by searching their network drives without their permission, downloading away. The “vast majority of the documents he stole,” the report concludes, “have nothing to do with programs impacting individual privacy interests—they instead pertain to military, defense, and intelligence programs of great interest to America’s adversaries.” Snowden’s operation took just 10 months before he high-tailed it to Hong Kong.

And for all the efforts to glue shut thumb drives and call for better procedures to detect when trusted officials become untrustworthy, the breaches just keep coming. In the past year, press reports have made public another wave of breaches believed to have been perpetrated by insiders at both the NSA and CIA that stole and released some of nation’s most sophisticated cyber hacking tools, including the WannaCry ransomware used today. In February, a second former NSA contractor, Hal Martin, was indicted for stealing classified documents. How many exactly? The Justice Department believes it could be as much as 50 terabytes—that’s the equivalent of 500 million pages.

At yesterday's hearing, Director of National Intelligence Dan Coats delivered a 28-page threat assessment about the dangers confronting the United States. Two lines look awfully ominous today: “Trusted insiders who disclose sensitive or classified US Government information without authorization will remain a significant threat in 2017 and beyond. The sophistication and availability of information technology that increases the scope and impact of unauthorized disclosures exacerbate this threat.”