NOBUS (‘nobody but us’) are security vulnerabilities which the U.S. National Security Agency (NSA) believes that only it can exploit.

As such, the agency sometimes chooses to leave such vulnerabilities open, in order to exploit them against NSA’s targets. More broadly, the term refers to the notion that some signals intelligence capabilities are so powerful or otherwise inaccessible that only the NSA will be able to deploy them, though recent analyses suggest that this advantage may be under stress.

Former NSA Director Michael Hayden acknowledged the concept of NOBUS: ‘You look at a vulnerability through a different lens if even with the vulnerability it requires substantial computational power or substantial other attributes and you have to make the judgment who else can do this? If there’s a vulnerability here that weakens encryption but you still need four acres of Cray computers in the basement in order to work it you kind of think ‘NOBUS’ and that’s a vulnerability we are not ethically or legally compelled to try to patch – it’s one that ethically and legally we could try to exploit in order to keep Americans safe from others.’

Critics argue that because NSA has a dual mission of both attacking foreign systems and defending U.S. systems, keeping significant vulnerabilities which affect U.S. systems secret is a conflict of interest.

There are some examples of potential NOBUS capabilities in practice. The researchers who wrote the paper on the reuse of 1024-bit primes in Diffie–Hellman key exchange speculate that the NSA has used on the order of hundreds of millions of dollars in computing power to break large amounts of encrypted traffic.

Not all NSA capabilities are NOBUS, however. As covered by ‘The Washington Post,’ the NSA is believed to sometimes buy knowledge about security vulnerabilities on the gray market, from information security companies such as Vupen, in order to use them offensively. Christopher Soghoian, Principal Technologist and Senior Policy Analyst at the ACLU’s Speech, Privacy and Technology Project, has pointed out that these exploits are not NOBUS, in that anybody else can discover them at any time.

Other capabilities that once might have been NOBUS may in time be obtained by other actors. Parts of NSA’s toolkit of exploits are believed to have somehow leaked or been hacked in 2013, and then published in 2016 (Edward Snowden speculates that the hacking and leaking party was the Russians). Among the exploits revealed was a zero-day exploit allowing remote code execution on some Cisco equipment. Cisco is a US company, and the vulnerable Cisco equipment was presumably used by US government institutions and US companies; however, the NSA had apparently not notified Cisco of this vulnerability. NSA’s lack of disclosure to Cisco was presumably because of the NOBUS policy, with NSA assuming that only it knew about the exploit.

The pursuit of NOBUS capabilities has some history, and there are further, more recent examples that illustrate the challenges of maintaining such capabilities. With regard to asymmetric backdoors, NOBUS follows in the footsteps of kleptography, which dates back to the mid-1990s. A case in point is the kleptographic backdoor which NSA is widely believed to have designed into the Dual_EC_DRBG standard, since finding the private key to that backdoor is a cryptographically hard problem (following the definition of a kleptographic attack). There is, however, at least one example, ScreenOS, where the cryptovirology backdoor in Dual_EC_DRBG was hijacked by adversaries, possibly using it to attack the American people.
