Dangerously Underpowered NSA Begging Legislators For Permission To Go To Cyberwar
from the poor,-neglected-NSA dept
Cyber-this and cyber-that. That’s all the government wants to talk about. The NSA, which has always yearned for a larger slice of the cybersecurity pie, is pushing legislators to grant it permission to go all-out on the offensive to protect
foreign-owned movie studios the USofA from hackers.
NSA director Mike Rogers testified in front of a Senate committee this week, lamenting that the poor ol’ NSA just doesn’t have the “cyber-offensive” capabilities (read: the ability to hack people) it needs to adequately defend the US. How cyber-attacking countries will help cyber-defense is anybody’s guess, but the idea that the NSA is somehow hamstrung is absurd.
Yes, we (or rather, our representatives) are expected to believe the NSA is just barely getting by when it comes to cyber-capabilities. Somehow, backdoors in phone SIM cards, backdoors in networking hardware, backdoors in hard drives, compromised encryption standards, collection points on internet backbones, the cooperation of national security agencies around the world, stealth deployment of malicious spyware, the phone records of pretty much every American, access to major tech company data centers, an arsenal of purchased software and hardware exploits, various odds and ends yet to be disclosed and the full support of the last two administrations just isn’t enough. Now, it wants the blessing of lawmakers to do even more than it already does. Which is quite a bit, actually.
The NSA runs sophisticated hacking operations all over the world. A Washington Post report showed that the NSA carried out 231 “offensive” operations in 2011 – and that number has surely grown since then. That report also revealed that the NSA runs a $652m project that has infected tens of thousands of computers with malware.
That was four years ago — a lifetime when it comes to an agency with the capabilities the NSA possesses. Anyone who believes the current numbers are lower is probably lobbying increased power. And they don’t believe it. They’d just act like they do.
Unfortunately, legislators may be in a receptive mood. CISA — CISPA rebranded — is back on the table. The recent Sony hack, which caused millions of dollars of embarrassment, has gotten more than a few of them fired up about the oft-deployed term “cybersecurity.” Most of those backing this legislation don’t seem to have the slightest idea (or just don’t care) how much collateral damage it will cause or the extent to which they’re looking to expand government power.
The NSA knows, and it wants this bill to sail through unburdened by anything more than its requests for permission to fire.
The bill will do little to stop cyberattacks, but it will do a lot to give the NSA even more power to collect Americans’ communications from tech companies without any legal process whatsoever. The bill’s text was finally released a couple days ago, and, as EFF points out, tucked in the bill were the powers to do the exact type of “offensive” attacks for which Rogers is pining.
In the meantime, Section 215 languishes slightly, as Trevor Timm points out. But that’s the least of the NSA’s worries. It has tech companies openly opposing its “collect everything” approach. Apple and Google are both being villainized by security and law enforcement agencies for their encryption-by-default plans. More and more broad requests for user data are being challenged, and (eventually) some of the administration’s minor surveillance tweaks will be implemented.
Section 215 may die. (Or it may keep on living even in death, thanks to some ambiguous language in the PATRIOT Act.) But I would imagine the bulk phone metadata is no longer a priority for the NSA. It has too many other programs that harvest more and face fewer challenges. The NSA wants to be a major cyberwar player, which is something that will only increase its questionable tactics and domestic surveillance efforts. If it gets its way via CISA, it will be able to make broader and deeper demands for information from tech companies. Under the guise of “information sharing,” the NSA will collect more and share less. And what it does share will be buried under redactions, gag orders and chants of “national security.” Its partnerships with tech companies will bear a greater resemblance to parasitic relationships than anything approaching equitable, especially when these companies will have this “sharing” foisted upon them by dangerously terrible legislation.
But until it reaches that point, the NSA will keep claiming it’s under-equipped to handle the modern world. And it will continue to make the very dubious claim that the best defense is an unrestrained offense.