NSA’s Security Appears to Be Mediocre


The contractor who allegedly took home data from NSA systems apparently collected over 50 terabytes. But that’s not the kicker…

… the kicker is that he’d been doing it for 20 years.

NSA operations center (source: Ars Technica)

That floor-covering, if you look close, it’s – money.

NSA has a huge infrastructure of security – background checks, guards, gates, and they just can’t hide the fact that they’re much better at offense than they are defense. Because they keep getting owned, and owned humiliatingly, and (apparently) all that infrastructure doesn’t help much at all. Computer security is a defensive game – the initiative is on the side of the attacker, and the defender’s got to have everything protected because one failure is catastrophic. In warfare, that’s why castles are so notable: they can hold out a tremendously long time as long as their defenses are consistent. But fixed defenses are a fixed target, and they serve to denote: “there is something important here” i.e.: “come get me if you can.” The NSA has been working on offense and has been coasting on its laurels, defensively, enjoying its position of privilege in “the world’s sole superpower.”

Sleeping at the switch, indeed, if a contractor could walk out with 50 TB over that long a time.

John Walker gets a ride with the FBI

Back when John Walker stole US Navy communication codes from NSA, in the 80s (also a 20-year-long effort), the amounts of data that could be moved were smaller, and the NSA was stuck to an older model of security based on military intelligence: need to know, restricted and logged access, counter-signatures and cross-checks. The new digital NSA, which Edward Snowden and Harold Martin reamed out, is the NSA that has put all of its secrets online into big internal server-farms – one big basket. And it hasn’t done a very good job of watching that basket.

Reading between the lines about the breach, it sounds like the NSA still has the same problem it had with Snowden* – no idea what was taken, except that it was able to do some decent damage assessment by examining what he had collected at his house. As I pointed out elsewhere, a competent secret-keeping organization would take advantage of technology and automation to be able to tell where its secrets were going and how they were being used. NSA appears to have short-shrifted basic audit and access controls. Maybe they were too busy rooting everyone else’s systems to worry about who was rooting theirs. They got utterly pwned by smash-and-grab attacks from a couple of amateurs.

How well do you think they’re doing against peer professionals?

Round up the usual suspects

The US’ excuse for a counter-intelligence arm, the FBI, seems to spend a lot of time bleating about “Chinese cyberspies” and appears to be stuck at the “well you look Chinese!” stage of coming to grips with the problem. Investigating people because of their looks is so incredibly naive and amateurish; if you don’t believe me ask MI-6 about Kim Philby or the CIA about Aldrich Ames. “Philby? No way, he’s Oxfordian. A proper gentleman.” Meanwhile, the bleeding comes from white, middle-class solid American boys with last names you might find in the Clearfield, Pennsylvania phonebook.

Great military disasters (that’s what these are) come from poor, incompetent, hubristic leadership, like the offensively-oriented, intellectually shallow, arrogant, lapdog political appointees that have been over-running the intelligence community since 9/11. That co-occurred with the global war on terror and an overreaction on the part of the executive branch, which swallowed, hook, line, and sinker, the idea that “information sharing” (and offence, shhhhh shhhh) was the key to overcoming information “stovepipes” between FBI, CIA, NSA, NRO.** Very few had the clear hindsight to point out that the problem was not “information sharing”; it was bureaucratic shoe-pissing. In my remarkably unsuccessful book “The Myth of Homeland Security”*** I offered the view that creating a position of “Director of National Intelligence” was going to foster more bureaucracy, not less,**** and the only thing that had a chance of success was radical surgery on the entrenched senior and middle-management of those agencies. If I knew then what I know now I would have recommended decimation followed by plowing the fields at Quantico, Langley, Fort Huachuca, and Fort Meade with salt.

Instead, the NSA went for the bureaucratic gold ring by enlarging its offensive programs hugely, competing with CIA for the role of the US’ “department of dirty tricks.”

NSA and CIA now share a common problem: they attract squirrel-people. The kind of person who wants to work at NSA is exactly the kind of person who enjoys violating other people’s lives and peering into private places, then squirrelling away data. CIA has to find, well, horrible authoritarian assassin types and sociopathic James Bond wannabes, and NSA’s recruited a complement of squirrel-people. Like Kim Philby at MI-6, the ones you’ve got to look out for are the ones that fit your organizational profile, if your organizational profile is “sneaky data thieves”:

The Justice Department said that a search of his home and his automobile uncovered “thousands of pages of documents and dozens of computers and other storage devices and media containing, conservatively, fifty terabytes of information.”

50 Terabytes; that’s a hell of a cache of nuts.

In 1993 or thereabouts, I had a meeting at NSA, OPS2 (the big building you usually see in pictures of NSA HQ) and I was moderately impressed by the security. I later found out that it was about as good as security at NASA, Department of State, The White House, or US Treasury: not bad, but only as long as you didn’t fit the threat model du jour. Since I was going in with Steve Walker, who was somewhat of a big shot, and Steve Crocker, I guess I didn’t merit much attention. Afterward, we were standing in the parking lot and someone asked a question that required me to look at my calendar, so I reached into my briefcase and pulled out my Palm Pilot. Everyone stared at me, “did you have that in the building?” Walker asked. “Yeah, why?”  Apparently NSA HQ is a place you supposedly don’t carry data media into and out of.

You can see how well that policy worked and has continued to work.

If you want an idea of the kind of shoe-pissing that’s going on in the intelligence community, I recommend Riebling’s “Wedge”, which documents the life-long battle between the FBI and CIA. There is a similar battle between the CIA and NSA but that book hasn’t been written yet and probably never will be.

(* Which is to say: they aggregated all the data but didn’t keep good enough system logs to tell what an administrator had taken)

(** NRO was actually created as a separate agency specifically because the president knew the DIA, CIA and NSA wouldn’t be able to play nice with satellite intelligence, and threw the dice hoping bureaucratic inertia would result in a cooperative arrangement. Eisenhower was naive, he should have asked Hoover what would happen. Remember, Eisenhower was the president who warned about the military/industrial complex he helped create.

FYI – the intelligence community today is something like 27 agencies that we know of, all of which compete in the endless bureaucratic tango of turf war.)

(*** Please don’t buy it. I said some embarrassing things in it.)

(**** Bamford’s “Puzzle Palace” describes some remarkably “boys club” naive behavior in the old days at NSA: VIP visitors being played tapes of cell phone intercepts between Osama Bin Laden and his mother-in-law, stuff that needed to be managed at a higher level)

Comments

  1. intransitive says

    The reality of espionage is that the only people who can be trusted to do the job right are the people who can’t be trusted at all: the professionals who are in it for the money. Fanatics may put ideas above reality and be incompetent, and sociopaths think they’re smarter than everyone else and work only for themselves.

    I agree with the point about the old boys’ club that assumed it knew who were patriots (“flag wavers are true murricans, homosexuals are communists”). Robert Hanssen and Aldrich Ames were lapel pin wearing, stand-for-the-anthem types. Fanatics decided they were trustworthy, and the two professionals (who were also sociopaths) sold out their country for money.

    People who spy for ethical reasons (e.g. Daniel Ellsberg, Edward Snowden, Chelsea Manning, Mordechai Vanunu) don’t fit into any of those categories, and do it for a very short time. Clifford Stoll (author of “The Cuckoo’s Egg”) is a professional astronomer who became a spycatcher by accident. He didn’t like the fact that he ended up working with the Three Letter Agencies, but he felt he caught East German spies for the right reasons.

  2. says

    intransitive@#2:
    sociopaths think they’re smarter than everyone else and work only for themselves.

    I’m going to trampoline on your comment a bit. First off, I think you’re spot on the money.

    Secondly, more news is coming out about squirrel-boy:
    http://arstechnica.com/tech-policy/2016/10/feds-nsa-contractor-stole-at-least-50tb-worth-of-highly-classified-data/

    Among the documents seized, investigators found a letter sent in 2007 to Martin’s colleagues, in which he criticizes the government’s information security practices and refers to those same co-workers as “clowns.”

    Sounds like a Superior Squirrel.