doctorow at February 21st, 2014 14:05 — #1
boundegar at February 21st, 2014 14:23 — #2
We need the fox's expertise to secure our critical henhouses.
brucebordner at February 21st, 2014 14:31 — #3
Whoa - I agree completely with what's here, but how does he deal with the pink elephants?
I have the impression that a lot of NSA action is financially motivated or trying to help out (i.e. get data in return) foreign agencies. There could be billion$ in that, and his structure simply leaves it out - good luck with that.
We can't afford this secrecy and corruption in the people who spend our money. "Privacy is over" - that goes both ways. We need to be sure that the visibility extends into all areas of government. BUT you need to make the Path of Light pay better than the Dark way to make it stick...how?
hallam at February 21st, 2014 14:53 — #4
No, that is a very bad way to approach the problem.
If the NSA had been remotely competent at COMSEC then Snowden would never have had the access that he had or used it in the way he did without getting caught.
I only met Alexander once and he was in read-only mode at the time so I have no idea what his thinking is. But I have met ex-directors on several occasions.
Hayden's thinking is very narrow. Cyber is a domain to be dominated the same way that the US dominates Air, Sea and Land. Dominating a domain means having the biggest attack capability. So the US will acquire more and bigger cyber-offense weapons than anyone else, end of story.
The biggest tell in Snowdonia is that there is no discussion of COMSEC at all. Majors looking to make Colonel and Colonels looking to make General do that by breaking the enemy's defenses, not building defenses for the US or its allies.
Another really big problem is that there is a huge amount of money to be made selling cyber-offense capabilities if only the Generals of the US, China and Russia can all persuade their governments to start a cyber arms race.
I agree with Bruce's plan as to the first two elements. We just have to get the military out of police work. But the problem with the third is that the NSA has completely destroyed the credibility of the US govt. on the third. I think we have to build non government institutions to develop Internet security. I will be in London next week for the IETF meeting and STRINT workshop where we will be discussing that work.
hallam at February 21st, 2014 15:02 — #5
There are good reasons why Obama had need of the NSA and CIA but his successor will not owe them the same favors.
Obama's principal achievements in office are Obamacare and cleaning up the mess left by George W. Bush. In particular two wars which the US was losing on inauguration day. NSA intelligence and CIA drone flights allowed Obama to disengage from both wars without loss of face. I doubt that he ever bothered to ask too many questions about how it was done.
The NSA is really Hillary's only major liability for the 2016 campaign[*]. I don't expect the GOP nominee to raise it as a campaign issue but it will certainly be raised in the GOP nomination race and at least one candidate will emerge as a serious contender for a week or two because he is raising NSA governance as an issue. So Hillary has to have an answer and she does not owe them any favors.
[*] No, Benghazi is not a campaign liability. When the best that the GOP can claim for their version of events is that it hasn't been proven false but they have absolutely no evidence to show it is true, they can't call Hillary a liar and be believed outside Faux News.
dweller_below at February 21st, 2014 16:51 — #6
I am a security professional and this gives me nightmares. It feels like nobody is thinking strategically. I believe that the Defense industry has decided to continue the practice of Mutually Assured Destruction (MAD) into the info-war realm without examining any of the basic assumptions.
The economics of MAD don't work on the Internet. Attack is easy. The weapons can be easily duplicated. Attack requires almost no infrastructure. One capable person can knock a country off the internet. Bringing down the internet is NOT an accomplishment. Frankly, I get a pleasant surprise every day when I come in and see that things are still functional.
We don't need to harness the power of our economy to create offensive cyberwar weapons. All it takes is a few motivated individuals. We need to harness the power of our economy to create Defense.
For example, the NSA/CyberCommand should not be allowed to purchase exploit. When they purchase exploit, they create an economy of exploit. But, we don't need an economy of exploit for 3 important reasons:
- Exploit is easy. If NSA/Cybercommand can't create their own exploit/attack tools on demand, then they should fire their incompetent warriors.
- Exploit requires secrecy. If the exploit is known, then it can be addressed. Devoting an economy to exploit means devoting an economy to secrecy. This makes for ineffective economies. Also, all this secrecy is bad for democracy. Fortunately, it is unnecessary.
- Exploit is dangerous. We don't want easily replicated tools of mass destruction distributed across an entire economy. An exploit economy threatens us all.
Instead, NSA/CyberCommand should be forced to publicly disclose a significant percentage (maybe 1/3) of their working exploits every year. This has several beneficial effects. They include:
- It forces our NSA/Cybercommand to be functional. Secrecy allows them to be incompetent. Disclosure proves they are effective. We can measure their performance by their yearly, tangible product. WITHOUT NEEDING TO DESTROY ANYBODY.
- It greatly reduces the economic pressures to create an economy of exploit.
- It creates yearly, tangible product that can be used to measure and improve the effectiveness of our defenses.
- It allows effective defense to occur without crippling secrecy.
But, instead, all I hear is crazy talk. Security experts who say things like: We can spend billions on attack without destroying ourselves. Or: We can have effective defense, after we bind it under layers of secrecy.
hallam at February 21st, 2014 17:08 — #7
What worries me is just how the NSA has been disrupting standards activities. I think that more than a few people got sidelined in their careers in industry because some NSA mole wanted to make sure that certain roles were only being performed by people they could trust to see things their way.
One of the reasons I don't support beating up on RSA for the random number generator issue is that I think it much more likely than not that it was something the NSA managed to do going through informal channels than by paying a bribe up front.
The MAD thinking is definitely a problem. It is one of the first things that becomes apparent at the cyber workshops held at MIT and Harvard that I have been going to. (Bruce is currently a fellow at the Berkman institute so we have had him along this year as well.)
The state dept and DoD people have all built their careers on cold war strategic arms limitation talks. And that is the only mental framework most of them have. At one workshop we had a very senior person as in former cabinet rank suggest that the approach to cyber should be to draw a red line and say that we start dropping bombs if it is crossed (he used the cute catchphrase kinetic instead of dropping bombs though).
So I pointed out that if that is his strategy, I am going to play Israel, or rather I'll play a group of Israeli wingnut hacktivists. And we are going to breach machines in Iran and then use them as a platform to launch an all out DoS on the US power and water grids. And then we can have the US go fight our war for them.
The barrier to entry is very low but it does not need to be. The US is the only major industrialized country with a power grid that is vulnerable to squirrel attack. Why don't we take $2 billion out of the NSA budget and use $1 billion of that to replace all the PID controllers and MODBUS junk with systems that have built in authentication for every message. The country would be much more secure and we have cut the deficit by a billion.
dweller_below at February 21st, 2014 19:54 — #8
My mind boggles at how thoroughly they have worked to destroy their own credibility. The approvals for BULLRUN must have gone all the way to the top. How could they all believe that BULLRUN was:
- In the best interest of the USA;
- Not going to destroy the effectiveness of everybody involved;
- Going to remain a secret?
Then, a glance at the Black Budget seems to indicate that a zero return on investment is an expected practice here. At least BULLRUN had concrete deliverables.
At least the complete lack of positive results gives us the opportunity to push reform. I dread to think where we would be if any branch of the NSA had succumbed to a noble impulse.
- Eliminated spoofed DoS attack streams. Spoofed DoS attack streams on the internet can only exist because the NSA tolerates them. If the NSA wished, they could easily, trivially do the traffic analysis and identify all the sources of Spoofed packets. The NSA has enough listening points they can track a stream of spoofed packets back to its source. Then those sources would be identified, fixed/shunned, and eliminated. Instead, it appears the NSA maintains those sources as cover for their own activities.
- Provided effective tools and epidemiology to fight malware. The NSA is in a unique position to track the dissemination and activity of malware. With those stats, we could make accurate determinations of the effectiveness of different security measures. With accurate epidemiology, we can move defense from superstition to science. Instead, it appears the NSA doesn't want effective defense.
- Eliminate CryptoLocker, Zeus, and all the other major networks of compromised Bots. If the NSA wished, they could easily, trivially track the C&C of the large criminal Bots. Then they could be dismantled using the ShadowServer's infrastructure. Instead, it appears the NSA is maintaining the existence of the various criminal Bots for its own reasons.
Any of these positive actions might have provided an excuse for toleration of the NSA's faults.
hallam at February 21st, 2014 20:18 — #9
BULLRUN might not have been quite what the writer of the powerpoint slides claimed. I rather suspect that part of what was going on was that every NSA activity was being presented as building attack capability even when it was straight COMSEC.
The slides we have are from the military side of NSA boasting to each other and pumping their egos. The civilian side has a different agenda.
Not that it matters as far as the damage goes. When I met Hayden I told him that part of the cost of BULLRUN is that now I have to ask which of my IETF colleagues are NSA moles trying to destroy our efforts. Oh and convince them that I am not a mole.
indubitably at February 21st, 2014 20:34 — #10
Yo, NSA, get outta my face, man.
kimmo at February 21st, 2014 20:41 — #11
The way out of this mess seems fairly well-lit by folks who actually have a clue.
Sadly, those in authority appear terminally clueless, to the point they couldn't identify actual progress if it came up to them and started repeatedly kicking them in the face with a steel-capped boot with bits of broken glass epoxied on the toe.
But I think progress needs to give it a shot anyway.
bardfinn at February 21st, 2014 20:53 — #12
angusm at February 21st, 2014 20:54 — #13
Would anyone now trust the NSA to help them secure their networks? I used to run SELinux on one of my boxes. Aside from the fact that its Apple-esque determination to protect me from myself got in the way more often than it seemed to help, I never felt entirely comfortable knowing that I was running something that the NSA had had a hand in.
And yes, I realize that SELinux has had many eyes on it since then, and if the NSA had buried anything nasty in it, it should long ago have been removed. Still, just knowing that the damn thing was running filled me with superstitious fear. And that was before Snowden's revelations showed us all just how devious the NSA is.
It's like the old joke about the top three lies in the world, with number one being: "I'm from the government. I'm here to help you." Sure, they'll say it, but will anyone believe them?
pdkl95 at February 22nd, 2014 06:39 — #14
While I find the idea of the continuation of MAD to be a very interesting idea (and your analysis, dweller_below, is well said), I still think there's a far simpler explanation, as told by the other NSA whistleblowers.
The super-short version: we shouldn't assume these are "security experts" at the NSA. People with a clue were tossed aside long ago, and the whole feckless imbroglio is exactly what Eisenhower tried to warn us about. It's easy to hide a lot of cash being channeled to your "contractor" friends in a spy agency full of hidden projects with funny code-words.
In fact, once the money starts flowing, the military-industrial-complex, even sitting on important intelligence reports to protect profits - as those whistleblowers describe, including letting 9/11 happen - become more important than doing the job correctly or even national security.
hallam at February 22nd, 2014 13:17 — #15
According to Hayden, the criterion is NOBUS - Nobody But US. He brought it up in a private off the record meeting, but he has since made the same statements in public and been published so I will repeat them.
They are not going to sabotage something if they think there is a chance that they are going to be caught. Which would mean that SELinux is probably safe as it is open source. Any backdoors are going to be very subtle ones.
The further claim is that now the NSA is going to consider being caught to be much more likely as they have to consider the insider threat. So if they sabotaged SELinux or the like they would have to expect the attack would become public.
But as Bruce points out, there is another option: Don't depend on the NSA at all for COMSEC. Which is what we are now talking about and what we will be discussing in London next week.
One proposal I plan to make is that we go outside the W3C/IETF orbit and start a new group whose function will be to develop security profiles for network applications. So there would be a set of defined criteria (robust against confidentiality attacks, metadata, yadda yadda) and profiles that are designed to provide assurance that certain of those criteria are met.
There are technical constraints that mean that it is not possible to meet every criterion in one profile. A profile for locking down email can't protect against traffic analysis but a network backbone profile can. A network backbone profile can't provide end-to-end confidentiality assurances.
I don't want the profiles to be developed and agreed in IETF though, that would just mean the IETF writing a profile that required use of its dogfood. I want to see groups like OWASP and the Linux Plumbers and such getting involved.
So for email there would be a profile that says the SMTP/SUBMIT/POP3/IMAP server MUST offer transport layer security in a mechanism that is not subject to downgrade attack, passwords MUST be secure against MITM disclosure without relying on transport layer security to do this, etc. Then there would either be a standards-based profile that met those criteria or a defect report explaining why they are not met. And then the IETF would have to fix any defects.
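Added illustration, not part of hallam's post or of any published profile: the two email criteria above expressed as a conformance check that returns either "meets profile" or a defect report. The `Service` fields, the sample services, and the choices to treat STARTTLS as downgradable and SCRAM as MITM-resistant are assumptions of this example.

```python
# Added example, not from the thread. Field names and sample services are constructed.
from dataclasses import dataclass

# SASL mechanisms that hand the password itself to whoever terminates the
# connection, so they rely on TLS alone to stop a man-in-the-middle.
PASSWORD_EXPOSING = {"PLAIN", "LOGIN"}
# Challenge-response mechanisms that never send the password; assumed here
# to satisfy the "secure against MITM disclosure" criterion.
MITM_RESISTANT = {"SCRAM-SHA-1", "SCRAM-SHA-256"}

@dataclass
class Service:
    name: str
    implicit_tls: bool   # TLS starts before any protocol data is exchanged
    starttls: bool       # STARTTLS advertised on a cleartext connection
    sasl: tuple          # every SASL mechanism the server advertises

def defects(svc):
    """Return the list of profile criteria the service fails (empty = conforms)."""
    found = []
    # Criterion 1: TLS must be offered in a way that cannot be downgraded.
    if not svc.implicit_tls and not svc.starttls:
        found.append("no transport layer security offered")
    elif not svc.implicit_tls:
        found.append("TLS only via STARTTLS: the cleartext offer can be stripped in transit")
    # Criterion 2: password protection must not depend on TLS.
    mechs = {m.upper() for m in svc.sasl}
    exposing = sorted(mechs & PASSWORD_EXPOSING)
    if exposing:
        found.append("password-exposing SASL mechanisms offered: " + ", ".join(exposing))
    if not mechs & MITM_RESISTANT:
        found.append("no MITM-resistant password mechanism offered")
    return found

def report(svc):
    """Either the profile is met, or a defect report says why not."""
    d = defects(svc)
    return {"service": svc.name, "status": "defect report" if d else "meets profile", "defects": d}

# Constructed sample inputs.
SUBMIT_465 = Service("SUBMIT/465", implicit_tls=True, starttls=False, sasl=("SCRAM-SHA-256",))
IMAP_143 = Service("IMAP/143", implicit_tls=False, starttls=True, sasl=("PLAIN", "LOGIN"))

if __name__ == "__main__":
    for svc in (SUBMIT_465, IMAP_143):
        print(report(svc))
```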
imaguid at February 23rd, 2014 19:43 — #16
Far be it from me to question the great and venerable Bruce Schneier, but the Office of the Director of National Intelligence already oversees 15 other national intelligence agencies in addition to the NSA. I don't think breaking up the NSA is going to have the effect that he thinks it will have.
The intelligence industrial complex is a hydra - more heads is not better. It just makes it easier to hide what's going on because nobody will know where to look.
dacree at February 24th, 2014 10:51 — #17
There is no way I could support the idea of the NSA helping to 'secure' the internet. They had their chance to do that and went the other way instead. Fool me once...
doctorow at February 26th, 2014 14:05 — #18
This topic was automatically closed after 5 days. New replies are no longer allowed.