It won’t take very long looking at the news from the last few days to realize there is something up in the media. Greenwald at the Guardian has been trickling out a series of stories on the NSA via the source Snowden. Before any discussion on the NSA and these stories there are a few caveats that need to be considered and then some discussion about credibility.
First, I admit up front that the NSA and DHS gave me a fellowship that paid for my doctorate. I was the recipient of quite a large chunk of money and, as Greenwald has said, that makes everything I say about the topic suspect. Second, I have no specific knowledge about sources and methods mentioned in the media reports other than those that have been leaked previously (e.g. Hemisphere). Third, I admit that I appreciate and support the NSA efforts but even as a friend I can criticize. With those caveats I invite the reader to judge as they might anything I say. Fourth, I claim no special knowledge of signals intelligence or government activities such as intelligence collection. Finally, you will find no links to outside articles out of respect for those who might find themselves on the wrong end of investigation for reading this blog at their work location. Full credit is given at this point to Greenwald, Markhoff, and a host of other writers and publications for breaking this story.
Other authors have covered the interesting intersections between Wikileaks, Snowden, and foreign governments. The timeline of Snowden moving through contractor circles and into the NSA is interesting. The timing of the first revelations when cyber was being discussed at the nation-state level is very interesting. The political and ideological alignments of Snowden, Glenn Greenwald, and other actors are also interesting. I stop short of the Russians or Chinese having compromised these actors.
There has been an interesting discussion about how the Delisle spy case in Canada got very little discussion in the United States, and the Russian Illegals (you know, Anna Chapman) along with the disclosure that NSA, CIA and FBI likely still had moles in them (from the informant who gave up the Russian Illegals) has gotten even less discussion. Whether the Snowden disclosures via Glenn Greenwald are Russian in origin or just manipulated by ideological agreement, assuming facts is not a good idea. Everything in these stories, since it involves spies, is considered with a grain of salt and a shot of tequila.
The allegations as they stand today are pretty specific but poorly defined:
1) NSA collects everything (XKeyscore)
2) The NSA is working the SOD and providing intelligence to domestic entities, not to be confused with DEA (HEMISPHERE)
3) The NSA is spying on foreign governments (this is in the Duh! category)
4) The NSA is corrupting the standards and protocols process by injecting vulnerabilities through their experts
5) The NSA is forcing corporations to put backdoors into their systems (PRISM)
6) The NSA is injecting backdoors into already deployed systems
7) The NSA is keeping a database of crypto keys and using the law to force disclosure
8) The NSA is working toward corrupting or circumventing crypto tools on the Internet
9) The NSA has had issues with controlling access including employees spying on their ex-spouses
10) Though the numbers get bandied about, there is a pattern of abuse and only the level of the abuse is in debate according to the NSA inspector general.
There is a consensus from the national security media that this is business as usual. There are a lot of Casablanca movie references slung about at the inherent surprise that an intelligence organization the size of NSA would be snooping on everything it could get its hands on. Further, there is a significant body of enabling legislation for spying in the last decade to legitimize spying on domestic and foreign targets. Insiders often have a hard time understanding that those who have never sat in a collections program do not understand what might be going on, and even worse they make supercilious cases about the public’s actual expectations of privacy.
Those who feel the NSA revelations are minor structure their arguments around some key points:
1) You share selfie pictures with large amounts of meta-data already
2) You check in with Foursquare and share that on Twitter
3) You use technology that already violates your privacy with cameras and microphones
4) You don’t discriminate on data sharing when coupons or shopper cards are involved
5) Corporations already gather much of this information
6) Facebook, LinkedIn, Instagram
7) Surveillance cameras follow your every movement in most urban areas
8) The law is in place to allow this so tell it to your legislator
There is an issue with this direction of argument. It conflates choice of consumer action with government interdiction and co-option. The average citizen did not choose to have the government swallow up all their data. Consumers make a risk-based choice (or absent choice decision) to interact or live with certain forms of surveillance. It is not a stretch to see the government use the power of compulsion and punishment on large data sets, which is much more worrisome than getting coupons in the mail. We have evidence recently of this in the IRS scandal and abuses of executive power investigating political parties. There is also an inherent argument that government is for the people and will never turn that vast power on the people. Attempting to link consumerism with government surveillance is disingenuous at best.
Those who have worked in national security are inherently minded federalists. They assume that everybody else understands the limitations of power and that people are merely doing good work to secure American society. Even with evidence of gross abuses of the FISA court system, or the IRS administration rules, these same people support government. This position is a status-quo statement and suggests that government can never change or get better, that the aggregation of power is an absolute and the removal of that power is never possible. Most who have a federalist bent have never reflected on where that kind of thinking actually leads.
In this set of issues and counter arguments one piece is missing. There is a trust of government action and protection. People are afraid that a terrorist or bad guy will get into the country and cause a mass casualty event. Some in the national security community have sallied forth with essays similar to, “Well we’ll just stop protecting you all and see what happens then. So there!” Not exactly a heartwarming response or credibility bridging argument for the average citizen. With similar arguments of “all you silly people just shut up and go back to the mall” the national security community is undermining a position with arrogance and hubris. Two attributes we will see reflected often.
That is one of the primary issues that I see in the Snowden and Manning events. The NSA has often positioned itself as the premier expert in cryptologic and information assurance practices. As such NSA experts are detailed to many government agencies as the premier experts, the “pros from Dover.” Yet this information assurance and security organization did not use basic practices of information control to protect itself. This organization that suggests crypto is an answer to security did not forcibly encrypt the “crown jewels” of secrecy. Basic access controls apparently were absent if somebody was merely a system administrator. There are reports that the NSA is unable to actually determine what Snowden might have taken. This is similar to the allegations made around the Manning case.
It is easy under a veil of secrecy to declare your successes and rise to prominence. Since you are not required to similarly declare your failures, you foster a sense of expertise. When something bad enough for most people to notice occurs you can blame it on not enough budget, lack of information sharing, authority to act is absent, or operational assets were simply too slow. A sense of invincibility can be created and a cloud of doubt fostered as shadow games are played out. The NSA and CIA have been doing this for decades.
The arrogance and hubris of an agency that has argued for decades the information assurance directorate gained by being under the intelligence umbrella is astounding. The exploitation and exfiltration of the spy agency is a real concern when it is supposedly the best at protecting information. The argument that the intel collection stream informed the security enterprise within these allegations is simply reversed. The information security enterprise may have been feeding vulnerabilities into the infrastructure through vendor relations. It is apparent that the cryptologic service and the information assurance directorate have been co-opted by the intelligence operation.
There has been a discussion for decades, though not loud or vociferous, about the construct of the NSA: how it was put together, the absent enabling legislation for much of its activities, and the various authorities granted it by executive order. With the addition of the dual-hatted sub-unified command CyberCom that construct was even more egregiously violated. The result of the mechanism of construction is that the NSA has very little in the way of oversight, there is little in the way of restrictions, and few understand what they are doing or the long-term consequences.
Privacy is the right to not have others look. Security is the ability to keep others from looking. National security pundits are fond of saying you have no expectation of privacy. That is because the security mechanisms are barely understood by most people and the technologies are not built as privacy preserving. The conflation previously addressed is that of the absence of security versus the expectation of privacy. As a citizen I can work towards constraining my government from looking. Supreme Court Chief Justice Roberts in his confirmation testimony to Congress said he still believed the penumbra (shadow) of privacy is found in the Amendments to the Constitution. The question is whether the national security objectives of the NSA override those rights.
The amateur talks about laws and punishment while the expert talks about authorities and budgets.
The NSA has very little in the way of enabling legislation. They are Title 50 (intelligence) hangers-on, so to speak. Created through presidential directive, the NSA has long existed in a morass of directives and budget line items. Intelligence community insiders understand the issues of such a construct. The bureaucratic issues of fighting for budgets are part of the government experience.
The perception might be of an NSA as a monolithic organization that has everything together under one roof. The practice is much different than you might expect. A request for a product (information) is made by somebody. A broker or agent (analyst) is tasked with fulfilling that request. If the analyst does not have a current capability to answer the request a broader agency request can be made. If still unfilled, the request may generate a technical assistance request and somebody will attempt to fulfill the request through a new tool or process. Very few tasks make it to that level as most product requests would be mundane and easily fulfilled with known tools. The result is that you have numerous points of duplication and competitive analysis within the different working groups. In other words, even people working down the hall may have differing or even contradictory viewpoints about what is going on, and even senior leadership may not completely have a good situational awareness on the activities of the agency. They do not call it a puzzle palace for nothing.
As we analyze the outcomes of what is going on and the credibility of the various pundits is challenged, the reporters and leakers are challenged, and the various entities adjudicate the resulting evidence, what can we expect? We can assume Snowden did something. You would not have the President of the United States standing up and demanding extradition of Mr. Snowden unless something had happened. What we see may not be what is occurring. When spies are involved the only thing you can do is defund their agency if you do not agree with their actions. It is not in the national interest to investigate too deeply, though attempting to maintain the credibility of the classified information after disclosure violates most classification schemas. Control of information is part of the standard and not maintaining control means the classification markings are suspect. Second, you won’t see government admitting to very much. That is part of the rules. You do not acknowledge the divulged secrets. The various reporting entities have already stated they are making changes to the documents to protect certain facts. Now, we must trust what might be ideologically motivated actors, who are using information from a source that already violated the trust of others.
What are the likely results of divulged information so far:
1) Domestic trust of the government as legitimate protector is eroded
2) Foreign trust as the government partner is eroded
3) Information assurance and security is harmed by good ideas coming out of NSA being challenged as possibly corrupt
4) Domestic examination of privacy and security enables legislation harmful to the collection mechanism
5) The lack of enabling legislation for NSA results in a significantly reduced agency.
6) Corporations and shareholders are punished by the market as trust erodes in those who conspired with the NSA
7) The gross domestic product of the United States takes a hit as trade balances adjust for lack of trust.
I am of the opinion that most of this discussion will blow over. I say that because previously, with the announcement that the NSA was working with SOD and then the disclosure of HEMISPHERE, I thought these revelations would light a firestorm of protest. None of that stuck. The fact that the NSA has been working with vendors and breaking Internet cryptography allows for somebody to light a match, but the fuel is the ire of the American people. I do not see most people caring. There is a shift in business occurring based on this information but I do not see a shareholder uprising occurring based on this topic at any of the major vendors. Most people simply do not care. I think most of the downside risk of NSA snooping is already priced into the stock market.
The legitimacy of the United States government is tested with every election. The primary reason for replacing an incumbent is old age or retirement. This suggests that most people are ambivalent to change and legitimacy of the government. They may whine and complain but in general, they are happy. The current debate over Syria is more suggestive of stakeholder uprising by the populace.
If I were a corporation or interest group I would have some pretty simple advice. I think that the principles of a secure Internet are possible. The fact that systems are insecure or under attack by any nation-state is of little importance to the larger scheme of information security. As professionals it is easy to focus on the negatives (and I’m known to be more than a little snarky in short message venues like Twitter), but the reality is that commerce must occur. The past noise about China attacking corporate interests is no different than United States pressures on the information technology infrastructure.
The national security pundits will point out that a secure Internet is impossible. On the face of it they are correct. However, the reality is often a longer discussion than mere admonishment of failure. The web of trust in the infrastructure of the Internet has always been suspect. The focus on systems security (hardware and operating systems) has absolved the end-point actors from securing their communications. Exploitation through brute force and even algorithmic attacks is possible when cryptographic tool use is minimal. Resources can be diverted to the few “hard” cases when they are limited in number. A focus on securing the information in transmission and storage is important. The use of tools vetted by the community is also important when government assistance and standards are suspect.
My advice to organizations is specific:
1) Entities and actors with inherent government interests are not incentivized to secure your information. Whether law enforcement or regulatory, their interests are in making the investigation and surveillance process easier.
2) Security of information from secondary and tertiary use is important. Focus on meta-data and content misses the contextual requirements for analysis. Focus on protecting information in transmission and storage. Secure the information not the system.
3) The cyber forensic discipline is a good test bed for the security protocols. If forensic discovery is possible then the information is not secure. Assume physical access and intermediary control of infrastructure as part of the discovery process.
4) Assumption of evil in government by organizations is just as bad as assumption of ill intention by government of those who would protect their information.
5) Privacy is a right under the penumbra of the Constitutional Amendments and specifically under the United Nations Human Rights Declaration which most countries (including the United States) are signatory to. Arguing over the fact only weakens the pro-forma case. If somebody argues against privacy they are suspect.
6) The real path to privacy is by ensuring security.
7) A systems administration capability that is built in can be used to compel a corporate entity to acquiesce to a government requirement. Systems that never had that capability in the first place are absolved of that requirement.
In closing and specific to American politics is an often forgotten set of clauses. The 9th Amendment specifically gives the people rights that are not in the articles of the Constitution specifically. You will not see a Supreme Court answered challenge to this right because if it applies in even a few cases it might be applied in many cases. One theory is that the 9th Amendment was specifically to ensure that foreign rights/agreements of rights would apply. If the international norms moved forward might not the United States be dragged forward? When lawyers argue cases of theoretical law they do so from formed positions. There is a lot of legal theory thrown around that by construct is biased. All of that theoretical construct gets thrown out when juries sit down and decide.
The NSA revelations should open a debate on the nature of legitimate government and the risks that government subjects the people to. Snowden is an example of the inability of government to maintain trust and security. In hacker speak Snowden is doxing the government. If the government is given unfettered access to citizens’ information it will not be long until government breaches result in doxing of people. This, of course, has already happened, but it will soon be everything an intelligence agency can collect rather than an agency’s specific data. The lack of government security now has an impact on everybody’s privacy.
This is not the end of the world. All Twitter snark aside what we have here is proof that the emperor has no clothes. I am still not sure how General Alexander has been able to maintain his position and not been fired for cause. A general in AFRICOM was fired for sexual misconduct, Petraeus resigned because he had an affair, and EUCOM commander Stavridis was investigated over travel irregularities. The leaks from Snowden and Manning under Alexander are likely going to cost billions of dollars in lost capabilities. Since the reports of gross negligence at the institutional level are associated with a certain level of hubris resulting in mission failure, I hold the command staff accountable. The entire Snowden debacle stops at General Alexander’s desk.
Until you see riots in the streets don’t expect much to change.