NOBUS are security vulnerabilities which the United States National Security Agency believes that only it can exploit. As such, NSA sometimes chooses to leave such vulnerabilities open if NSA finds them, in order to exploit them against NSA's targets. More broadly, it refers to the notion that some signals intelligence capabilities are so powerful or otherwise inaccessible that only the NSA will be able to deploy them, though recent analyses suggest that this advantage may be under stress.
History
Former NSA DirectorMichael Hayden acknowledged the concept of NOBUS: In addition, critics argue that because NSA has a dual mission of both attacking foreign systems and defending U.S. systems keeping significant vulnerabilities which affect U.S. systems secret is a conflict of interest. There are some examples of potential NOBUS-capabilities in practice. The researchers who wrote the paper on 1024-bit prime reuse Diffie–Hellman key exchange speculates that NSA have used on the order of hundreds of millions of dollars in computing power to break large amounts of encrypted traffic. This vulnerability also affects U.S. traffic, so this would be a good example of Hayden's "four acres of Cray computers" definition of NOBUS. Not all NSA capabilities are NOBUS, however. As covered by The Washington Post, the NSA is believed to sometimes buy knowledge about security vulnerabilities on the gray market, from for example Vupen, in order to use them offensively. Christopher Soghoian, Principal Technologist and Senior Policy Analyst at the ACLU's Speech, Privacy and Technology Project, has pointed out that these exploits are not NOBUS, in that anybody else can discover them at any time. Other capabilities that once might have been NOBUS may in time be obtained by other actors. Parts of NSA's toolkit of exploits are believed to have somehow leaked or been hacked in 2013, and then published in 2016. Among the exploits revealed was a zero-day exploit allowing remote code execution on some Cisco equipment. Cisco is a US company, and the vulnerable Cisco equipment was presumably used by US government institutions and US companies, however the NSA had apparently not notified Cisco of this vulnerability. NSA's lack of disclosure to Cisco was presumably because of the NOBUS policy, with NSA assuming that only it knew about the exploit. There is some history for the pursuit of NOBUS capabilities, and further more recent examples to illustrate the challenges of maintaining NOBUS capabilities. In regards to asymmetric backdoors, NOBUS follows in the footsteps of kleptography that dates back to the mid-1990s. A case in point is the kleptographic backdoor which NSA is widely believed to have designed into the Dual_EC_DRBG standard, since finding the private key to that backdoor is a cryptographically hard problem. Though there is at least one example, ScreenOS, where the cryptovirology backdoor in Dual_EC_DRBG was hijacked by adversaries, possibly using it to attack the American people.