The Real Lesson From Recent Cyberattacks: Let’s Break Up The NSA

Author

David Hamilton

November 20, 2014

Over the weekend, the U.S. State Department shut down its unclassified email network after finding evidence that hackers might have been prowling around. It’s in good company: In the past several weeks, hackers have poked around in computers at the White House, the Postal Service and the National Weather Service—not to mention JPMorgan and nine other big banks.

If only there was a federal agency dedicated to protecting federal information systems and critical U.S. infrastructure from criminals and foreign attackers. Oh, wait—there is. It’s the National Security Agency. And to all appearances, it’s botched the job so badly you’d think it wasn’t really trying in the first place.

Maybe it wasn’t.

The Origin Of Dysfunction In The Breakdown Of The Bicameral NSA

The NSA has historically been a house divided against itself. On one side, it ostensibly works to “ensure appropriate security solutions are in place to protect and defend information systems, as well as our nation’s critical infrastructure.” This mission, the NSA says, aims to ensure “confidence in cyberspace.”

See also: 3 Security Tips For Every User From NSA Whistleblower Edward Snowden

Then there’s the other side of the NSA, which listens in on the communications of U.S. adversaries, conducts mass surveillance of Americans and foreigners and undertakes military-style cyber attacks against other nations and alleged terrorists. Oh, and that also deliberately tries to undermine security tools used to guard both civilian and and government systems against intrusion. 

For instance, the NSA’s secret 2013 budget request—provided by Edward Snowden and published by the New York Times, ProPublica and other outlets a year ago—revealed that the agency seeks to “introduce vulnerabilities into commercial encryption systems, IT systems, networks, and endpoint communication devices used by targets.” In other words, the NSA routinely undermines the security tools that government agencies, businesses and consumer services use to protect messages and data from attackers. It’s a little as if car makers were surreptitiously making it easier for repo men to unlock and drive away your vehicle—right in the midst of an auto-theft epidemic.

The NSA apparently does this in the misguided belief that its own spooks will be the only ones to notice and exploit these vulnerabilities. But criminals and foreign governments are smart, too, and just as eager to exploit security holes created by accident or design. In 2010, for instance, Chinese hackers were able to break into individual Gmail accounts by using “secret” backdoors that Google had installed specifically to comply with U.S. government search-warrant requests.

See also: Why Google Wants To Padlock The Web

“Confidence in cyberspace,” anyone? Let’s put it this way: It was bad enough if the NSA’s right brain didn’t know what it’s left brain was doing—and even worse if it did. In neither case could anyone trust the NSA’s assurances of helping to secure the Internet.

Static On The Line

In the aftermath of those disclosures, security experts immediately began expanding the scope of encryption in fundamental Internet architecture; companies like Google have likewise began pushing to shield more routine Internet traffic from eavesdropping in addition to incorporating surveillance-scrambling encryption in their own products and services. 

And cryptographers have begun systematically reviewing and rewriting security software in order to identify and eliminate as many vulnerabilities as possible—especially any that may have been inserted deliberately.

See also: Open Source Gets A New Security Attitude

These are all necessary steps toward limiting the NSA’s manipulation of general-use security software and tools. Even in that respect, though, they’re insufficient, as the NSA has never renounced its efforts to subvert encryption methods—despite the recommendation of a White House advisory panel that:

The US Government should take additional steps to promote security, by (1) fully supporting and not undermining efforts to create encryption standards; (2) making clear that it will not in any way subvert, undermine, weaken, or make vulnerable generally available commercial encryption; and (3) supporting efforts to encourage the greater use of encryption technology for data in transit, at rest, in the cloud, and in storage. 

President Obama was pointedly silent on the NSA’s attempts to subvert encryption and other security technologies when he outlined his response to the panel’s recommendations on January 17.

Taking Apart The Puzzle Palace

Even had the president fully embraced the panel’s suggestions, it would have done little to restore “confidence in cyberspace,” at least so far as the NSA is concerned. This is an agency, after all, that reportedly uses its contacts with industry—ostensibly intended to help private companies improve network and computer security—to instead cajole or strongarm them into opening backdoors or compromising security products. From ProPublica:

The N.S.A.’s Commercial Solutions Center, for instance, invites the makers of encryption technologies to present their products and services to the agency with the goal of improving American cybersecurity. But a top-secret N.S.A. document suggests that the agency’s hacking division uses that same program to develop and “leverage sensitive, cooperative relationships with specific industry partners” to insert vulnerabilities into Internet security products.

In short, it’s hard to see how NSA’s defensive mission can coexist with its surveillance work without becoming a punchline. So why not just break up the NSA’s different functions entirely?

This isn’t an unprecedented idea. Cryptographer and security expert Bruce Schneier has pushed for an NSA breakup since February, ever since it became clear that the Obama administration had slammed shut the window for any further surveillance reform:

The NSA has become too big and too powerful. What was supposed to be a single agency with a dual mission—protecting the security of U.S. communications and eavesdropping on the communications of our enemies—has become unbalanced in the post-Cold War, all-terrorism-all-the-time era.

Putting the U.S. Cyber Command, the military’s cyberwar wing, in the same location and under the same commander, expanded the NSA’s power. The result is an agency that prioritizes intelligence gathering over security, and that’s increasingly putting us all at risk. It’s time we thought about breaking up the National Security Agency.

There are lots of ways this could be accomplished. Schneier’s plan, for instance, would move military-style targeted surveillance—for instance, of the sort that infected computers in Iran’s nuclear program with the malware Stuxnet—out of the NSA entirely, putting it under the aegis of the U.S. Cyber Command in the Department of Defense. It would also transfer all surveillance of American citizens to the FBI. The rump NSA would then handle both signals intelligence—i.e., international telephonic and digital eavesdropping—and cybersecurity defense.

Even that limited mission presents a hypothetical rump NSA with a lot of cognitive dissonance—even if it’s required to prioritize security over SIGINT, or “signals intelligence,” as both Schneier and the White House panel recommend. Particularly in times of crisis, the needs of the spies always seem to trump those of the defenders; putting them together in one organization under unified management makes it far easier for safeguards and priorities to shift, often in invisible ways that are rarely supportive of civil liberties.

A better idea would be to break out the NSA’s defensive mission entirely—creating, as the national-security journalist Marcy Wheeler has suggested, “competing champions, one fighting to create holes, and one fighting to plug them.” Sure, that would entail some duplication of effort, but at least we’d have a cybersecurity agency we could actually trust.

Update, 8:45am November 19: Late Tuesday, the Senate filibuster-killed the USA Freedom Act, the last remaining hope for NSA reform. It was a flawed bill that wouldn’t have done anything to fix the NSA’s cybersecurity conflict of interest, but it would have put some curbs on its surveillance powers. The fact that the Democratic-controlled Senate couldn’t even bring it up for a vote tells you everything you need to know about the likelihood of further NSA reform for the foreseeable future.

Lead image of NSA headquarters by Trevor Paglen

Great ! Thanks for your subscription !

You will soon receive the first Content Loop Newsletter