US Getting Its Cyber-Ass Handed to It
David Sanger has early reporting on a report that will be sure to affect the NSA debate, though it has nothing to do with Edward Snowden. The National Commission for the Review of the Research and Development Programs of the United States Intelligence Community, which has been reviewing our cybercapabilities for two years, has found that we’re losing any edge we have.
- [In-Q-Tel founder Gilman] Louie also said the intelligence agencies were heavily focused on the development of offensive cyberweapons because “it is easier and more intellectually interesting to play offense than defense.” “Defense is where we are losing the ballgame,” he said.
- The leader of science and technology for [the Director of National Intelligence] office, commission members said Tuesday, was not aware of some of the most classified research and development programs. They also found that intelligence agencies were duplicating efforts by pursuing similar projects at the same time, but because operations were compartmentalized, few researchers were aware of their colleagues’ work.
- Shirley Ann Jackson, the president of Rensselaer Polytechnic Institute, found particular fault with the intelligence agencies’ approach, “which involves gathering more data than you need.”
Again, these panel members have come to this conclusion completely independent of the Snowden revelations, but they should well fuel the very questions his disclosures have been driving, because they, like Snowden, show that aggressive Big Data badly organized won’t keep our country safe.
In related news, there are reports that NSA will be reorganized with Keith Alexander’s departure, by splitting of CYBERCOM from NSA.
Senior military officials are leaning toward removing the National Security Agency director’s authority over U.S. Cyber Command, according to a former high-ranking administration official familiar with internal discussions.
No formal decision has been made yet, but the Pentagon has already drawn up a list of possible civilian candidates for the next NSA director, the former official told The Hill. A separate military officer would head up Cyber Command, a team of military hackers that trains for offensive cyberattacks and protects U.S. computer systems.
I think this is the wrong solution (and the anonymous leaks here sound as much like Generals trying to make a bid for turf as it does a real decision).
One of several big problems with our cyber stature is that there is no champion for defending (rather than policing) the US. That means we’ve committed to the same kind of approach we use with terrorists, trying to inflame terrorists we’ve found hints of so we can demobilize them, rather than just trying to harden our vulnerabilities to make it very difficult or unrewarding to attack.
And in inflaming and spying, we’ve been relying on weakening security, so we can see them, which makes the cyberattackers’ job easier.
Moreover there are a lot more real cyberattackers than real terrorists out there, and they can do far more damage than any but the very lucky 9/11 team could pull off. Which means if you miss here, you miss big. Whereas if we spent money on defense, we might be better able to withstand these attacks.
So I still say we need a very well-funded cyberdefense entity (I said put it in DHS, not because DHS is functional, but because that agency should but doesn’t operate under a different paradigm) that will be held responsible for successful attacks.
Louie’s comments are hilarious; either he’s particularly adept at saying we’re fuckups in a politically correct fashion, or he’s ignorant about the risk of blowback due to our concentration on offensive cyberweapons.
Given his background, I suspect the former, and perhaps he’s gentle because some of the fault lies with folks with his capabilities, but any sting in his comments that might encourage constructive response is either highly sanitized or altogether missing.
Sanger’s entire article comes across like a rebuke of a poorly-run business rather than the compelling call to immediate action to prevent what I perceive to be a likely catastrophic assault due to our lack of systemic forethought in strategic and tactical cyber warfare.
That is interesting because the shift of many Cyber Command responsibilities to the IC was a major initiative of Gates when he was SOD. Indeed much of the cost savings he “found” in the DOD budget came from simply transferring operations to the DNI control and thus to their budget. At the time the NY Times I believe wrote a glowing report about it but otherwise it was largely ignored. I wonder how contentious it was internally.
There is also the issue, speaking of policing the US, of the FBI and DHS both having defensive cyber missions relative to defending the US, its corporations, and its citizens. And in all of these agencies, the push to see inside communications and to police them winds up creating the very vulnerabilities that can be exploited by others.
But there is a larger issue of defense that goes to minimizing the incentives of attack. And that is very much a matter of foreign and commercial policy. And of policies that have the effect of forcing large numbers of people into the informal economic sector exactly as those policies make the informal sector highly lucrative. Those who are thinking about cyber policy, like those who are thinking about counter-terrorism policy have institutional agendas that promote high-budget solutions and avoid critical thinking about the larger picture.
A culture devoted to the value of screwing over people should not be surprised that it is attacked. And every “reform” or “reorganization” seems to want to preserve the ability to continue to screw over people without retaliation. That is the way to very, very expensive solutions.
How disappointing to see intelligent commentators still buying the “Arab terrorist” explanation of 9/11! The same “lucky” folks – from the Mossad to the Cheney-Rumsfeld COG junta to the Wall Street fascisti – who orchestrated the 9/11 attacks are the ones who have brought you the comfy prison cell of our contemporary national security state. Wake up!
“So I still say we need a very well-funded cyberdefense entity (I said put it in DHS, not because DHS is functional, but because that agency should but doesn’t operate under a different paradigm) that will be held responsible for successful attacks.”
I partly agree, but have another opinion on the matter: NSA’s IAD should be carved off and given to NIST. Then NIST IAD should be promulgating minimum hardware/software/networking security feature sets for future federal procurement a la the transition to IPv6, but focused on security features. An example is the memory management unit (MMU) which is now a basic feature of processors but used to be exotic and “unnecessary”.
One problem the federal government has from a security / hacking defense perspective is that it thinks it has to buy the IT that “industry” provides, as though they’re not everyone’s single largest customer… Let me tell you, if the federal government spoke with one voice about the security features it wants in future, industry will listen and provide them.
Also, federal and state regs should be changed to require that SCADA computer/network/software be developed under the responsible charge of a licensed professional engineer. This requires the development of software / security engineering as a PE discipline (one state, TX has PE licensure for software engineers).
Then we won’t have to listen to federal managers and officials claim they have to kill internet freedom because some dumbasses decided to put insecurable windows SCADA boxes on it or some other dumbasses put social security, medicare, or E-government services “in the cloud”. The reason being that securable systems are envisageable, but haven’t been a priority at any level of the IT food chain.