NOBUS, short for "NObody But US", are security vulnerabilities which the United States National Security Agency (NSA) believes that only it can exploit. As such, NSA sometimes chooses to leave such vulnerabilities open if NSA finds them, in order to exploit them against NSA's targets. More broadly, it refers to the notion that some signals intelligence capabilities are so powerful or otherwise inaccessible that only the NSA will be able to deploy them, though recent analyses suggest that this advantage may be under stress. Former NSA Director Michael Hayden acknowledged the concept of NOBUS:
You look at a vulnerability through a different lens if even with the vulnerability it requires substantial computational power or substantial other attributes and you have to make the judgment who else can do this? If there's a vulnerability here that weakens encryption but you still need four acres of Cray computers in the basement in order to work it you kind of think "NOBUS" and that's a vulnerability we are not ethically or legally compelled to try to patch – it's one that ethically and legally we could try to exploit in order to keep Americans safe from others.
— Former NSA chief Michael Hayden
In addition, critics argue that, because NSA has a dual mission of both attacking foreign systems and defending U.S. systems, keeping secret significant vulnerabilities which affect U.S. systems is a conflict of interest.
There are some examples of potential NOBUS capabilities in practice. The researchers who wrote the paper on 1024-bit prime reuse in Diffie–Hellman key exchange speculate that NSA has used on the order of hundreds of millions of dollars in computing power to break large amounts of encrypted traffic. This vulnerability also affects U.S. traffic, so this would be a good example of Hayden's "four acres of Cray computers" definition of NOBUS.
Not all NSA capabilities are NOBUS, however. As covered by The Washington Post, the NSA is believed to sometimes buy knowledge about security vulnerabilities on the gray market, for example from Vupen, in order to use them offensively. Christopher Soghoian, Principal Technologist and Senior Policy Analyst at the ACLU's Speech, Privacy and Technology Project, has pointed out that these exploits are not NOBUS, in that anybody else can discover them at any time.
Other capabilities that once might have been NOBUS may in time be obtained by other actors. Parts of NSA's toolkit of exploits are believed to have somehow leaked or been hacked in 2013, and then published in 2016 (Edward Snowden speculates that the hacking and leaking party was the Russians). Among the exploits revealed was a zero-day exploit allowing remote code execution on some Cisco equipment. Cisco is a US company, and the vulnerable Cisco equipment was presumably used by US government institutions and US companies; however, the NSA had apparently not notified Cisco of this vulnerability. NSA's lack of disclosure to Cisco was presumably because of the NOBUS policy, with NSA assuming that only it knew about the exploit.
The pursuit of NOBUS capabilities has some history, and more recent examples illustrate the challenges of maintaining them. With regard to asymmetric backdoors, NOBUS follows in the footsteps of kleptography, which dates back to the mid-1990s. A case in point is the kleptographic backdoor which NSA is widely believed to have designed into the Dual_EC_DRBG standard, since finding the private key to that backdoor is a cryptographically hard problem (following the definition of a kleptographic attack). However, there is at least one example, ScreenOS, where the cryptovirology backdoor in Dual_EC_DRBG was hijacked by adversaries, who possibly used it to attack the American people.
- Adrian, David; Bhargavan, Karthikeyan; Durumeric, Zakir; Gaudry, Pierrick; Green, Matthew; Halderman, J. Alex; Heninger, Nadia; Springall, Drew; Thomé, Emmanuel; Valenta, Luke; VanderSloot, Benjamin; Wustrow, Eric; Zanella-Béguelin, Santiago; Zimmermann, Paul (October 2015). "Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice" (PDF).
- A. Young, M. Yung, "The Dark Side of Black-Box Cryptography, or: Should we trust Capstone?" In Proceedings of Crypto '96, Neal Koblitz (Ed.), Springer-Verlag, pages 89–103, 1996.