'Trust Us With More Data,' Say Government Agencies Hacked By A 16-Year-Old

from the the-best-defense-is-calls-for-encryption-bans,-apparently dept

We live in a world where a 16-year-old who goes by the handle of “penis” on Twitter can dive into the servers of two of America’s most secure federal agencies and fish out their internal files.

This 16-year-old is allegedly part of the same crew that socially engineered their way into the inboxes of CIA director John Brennan, Director of National Intelligence James Clapper and the administration’s senior advisor on science and technology, John Holdren.

We also — somehow — live in a world where these same agencies are arguing they should be entrusted with massive amounts of data — not just on their own employees, but on thousands of US citizens.

The DHS, FBI and NSA all want more data to flow to them — and through them. The cybersecurity bill that legislators snuck past the public by attaching it as a rider to a “must pass” appropriations bill contains language that would allow each of these affected agencies to partake in “data sharing” with private companies. This would be in addition to the data these agencies already gather on American citizens as part of their day-to-day work.

The DHS — one of the more recent hacking victims — is the only agency that expressed a reluctance to partake in the new data haul. This isn’t because it wouldn’t like to have access to the data, but because it would be the agency responsible for “scrubbing” the data before passing it on to other agencies. DHS officials likely took a look at this requirement and saw it for what it was: a scapegoat provision. Should any legal action or public outcry have resulted from the new “sharing” demands, the DHS would have been the agency offered up to appease the masses.

Fortunately for the DHS — but less fortunately for anyone concerned about expanding domestic surveillance efforts — this requirement has been altered. A bit. The Attorney General will now examine the DHS’s “scrubbing” efforts and determine whether or not they’re Constitutionally adequate. Of course, the Attorney General is more likely to side with whatever level of scrubbing provides the maximum flow of data to underling agencies like the FBI, so that’s not all that reassuring. On the other hand, it puts the AG in the crosshairs should something backfire.

This is the government that feels it can protect the nation from hackers: the government that can’t protect itself from hackers.

The IRS seems to suffer from attacks almost daily, thanks to its treasure trove of social security numbers, addresses and other personally identifiable information. The OPM — which oversees federal hiring — coughed up plenty of the same personal info when it was hacked.

The agencies involved in the cybersecurity efforts have shrugged at the government’s inability to protect personal information, arguing that these hacks only highlight how essential the new cybersecurity legislation is. More power and more data is what’s needed, apparently, not an internal effort to shore up security before foisting their demands on the private sector. The government can’t protect itself against politically-motivated teenagers. What chance does it have against organized criminals or state-sponsored attacks?

It’s insanity. It’s like hearing Wal-Mart claim — after a large data breach — that the best way to ensure this doesn’t happen in the future is to allow it to store customer data collected by its competitors as well. Why make criminals and hackers work harder? Why not house as much data as possible in fewer locations?

To make matters worse, agencies like the FBI and NSA are pushing for greater offensive capabilities, all the while claiming they’re very interested in defending the nation against cyberattacks. The two efforts are at odds. One side needs security holes to exploit. The other side needs holes closed as quickly as possible. Even without access to black book budgets, one can easily assume the offensive side will be receiving the majority of funding and manpower. When a vulnerability is discovered, who decides how it’s used: the fixers or the exploiters?

The NSA thinks there’s no inherent friction in playing both sides. It has decided — against the recommendations of the President’s Review Group — to merge its defensive and offensive cybersecurity wings. The NSA is the only entity that doesn’t see this as a problem. Nicholas Weaver, writing for Lawfare, explains exactly why it shouldn’t be doing this.

[T]he… job of protecting US interests generally is far harder. This mission requires that the Agency work with industry as an honest broker. It cannot be seen as intent on using information gathered to sabotage industry’s customers or general system security. The trust necessary for this job went up in smoke following the Snowden revelations, which revealed both the vastness of the SIGINT mission and at least one explicit betrayal of the core IA mission. NSA has a long, long way to go in rebuilding this trust.

[…]

The NSA should abandon the merger plans because—regardless of the technical merits—the offensive-defensive merger is viewed by the world as a substantially untrustworthy act. I recognize that offense is part of practicing good defense. But you don’t see me writing botnets or high-speed worms. Or breaking into systems without permission. Or providing information to those who do. I manage to defend systems without offense as a core mission, and my defense is not likely to be improved by giving offense a leg up.

Defense isn’t something these agencies care about. It may occasionally occur as a result of offensive efforts but it’s never the focus. There are no “good guy only” exploits just as certainly as there are no “good guy only” encryption backdoors. The government will never be able to secure its own backyard as long as it believes developing weapons is more important than hardening defenses.

The FBI would rather break into servers halfway around the world and run child porn sites as honeypots than work with other entities to improve their defenses. After all, if someone is hacked, the FBI can always hunt down the perpetrator. As an investigative agency, this makes sense. But it doesn’t make sense when the same agency claims it wants to be part of information sharing related to cyberdefense. It’s only interested in offensive actions. It only wants evidence and leads.

The DHS, despite containing the words “Homeland Security,” isn’t truly interested in securing the homeland either — at least not to the extent that it’s interested in opening its own investigations. The NSA is much more in its element performing surveillance and exploiting compromised systems — neither of which can be considered “defensive” efforts.

In fact, despite the bill’s passage, there is no government body tasked solely with the defensive side of “cybersecurity” — which would seem to be the key element. Defense is apparently meant to be folded in with the rest of their normal activities. Supporters of the legislation think the key is information sharing. It could be, but government agencies have proven over the years they’re incapable (or unwilling) to share information with each other. How another layer of government non-sharing is supposed to result in better security is unexplained. Private entities are expected to believe the Cybersecurity Act will turn everyone involved into one big team, but the reality is that it will do little more than add to stores of personal information the government has already proven unable to defend.


Comments on “'Trust Us With More Data,' Say Government Agencies Hacked By A 16-Year-Old”

28 Comments
Coyne Tibbets (profile) says:

Re: Re:

No kidding. Even this quote from the article:

Fortunately for the DHS — but less fortunately for anyone concerned about expanding domestic surveillance efforts — this requirement has been altered. A bit. The Attorney General will now examine the DHS’s “scrubbing” efforts and determine whether or not they’re Constitutionally adequate. Of course, the Attorney General is more likely to side with whatever level of scrubbing provides the maximum flow of data to underling agencies like the FBI, so that’s not all that reassuring. On the other hand, it puts the AG in the crosshairs should something backfire.

That’s not a recipe for responsibility, it’s a recipe for finger pointing. DHS will say, “The Attorney General reviewed this and was satisfied with it.” The Attorney General will say, “I was misled.” When we ask for information to settle the dispute, both will yell in unison, “National Security!” Presto! No one in the cross-hairs.

Anonymous Coward says:

When a 16-year-old is smart enough to hack into the government’s networks, then the government simply cannot be trusted with our information.

I find it odd that the government keeps arguing for weak encryption on smartphones and yet their own networks are so insecure that a 16-year-old teenager can crack their own networks?

The government needs to find this 16-year-old teenager and hire him to secure their networks.

Whatever (profile) says:

Re: Re:

“I find it odd that the government keeps arguing for weak encryption on smartphones and yet their own networks are so insecure that a 16 year old teenager can crack their own networks?”

If you pay attention, the hack was “social engineering” and not some major network failure. It’s about convincing or tricking someone with high enough access to give up their user name and password because they think they should or have to.

The only way you avoid that hack is to get rid of the wetware.

That One Guy (profile) says:

Re: Re: Re:

Avoiding it completely isn’t likely to happen, but given the sensitive nature of the databases in question they could make it a lot harder by requiring anyone who loses their login credentials to either show up in person, and/or provide information that only they could be expected to know, such as a separate password the loss of which would lead to the loss of a job, with no exceptions granted no matter who claimed to be asking.

Why this will never happen? Because it would make things more difficult for higher-ups who screw up and need to recover their password, who would throw fits over having to travel anywhere or remember something else.

mcinsand (profile) says:

and this outfit wants a backdoor to all of our security

As if we needed any more reason to fight against software backdoors, this is one more. The less of our personal information they have to protect, the better our national security. That information could be very useful in the wrong hands, especially if those hands are any good at data mining to figure out how the information could work against us. If the NSA cared one whit about security, they would be pushing for legislation to punish those that do not use encrypted, backdoor-free communications.

Anonymous Coward says:

They Don't Care...

They don’t care that they are hacked, except when it goes public…
They don’t care about your liberty or rights, no exception…
They don’t care about the nation, except when forced to care…

They do care to have information on you so that YOU can be put down like a dog when they have decided you no longer need to be a citizen.

There is not a single president standing that will benefit this nation; each one carries either a police state mentality or a national suicide plan.

Rich Kulawiec (profile) says:

They're building the wrong thing

and in doing so, they’re making a mistake that we see quite often. They think they’re building a weapon that will be useful in the “war” on terror or against crime. But in reality, they’re building a target — an enormous, valuable motherlode of data that all kinds of adversaries will attack.

Why?

Because there are two ways to acquire vast amounts of useful intelligence: the first is to tediously acquire, catalog, and store it. The second, which is often vastly easier and cheaper, is to let someone else do the hard work — and then steal it from them.

Anonymous Coward says:

So they want to drown in a sea of data

Hey guys, I’ve got a great idea: instead of simply looking for a needle in a haystack, why don’t we go big and look for a needle in a haystack made of needles that’s inside a barn house brimming with hundreds of needle stacks.

Those three letter agencies should be careful what they wish for; they just might get what they ask for.

I’d love to see the look on the faces of the directors of those groups when he or she realizes they’ve effectively become little more than an always-on camera.

If such a mandate ever came to pass, those three letter acronyms would have to sift through every iota of every US citizen ad infinitum, all in the name of national security.

Anonymous Coward says:

The problem is that this 16 year old teenager has made the government look extremely incompetent, even though the government doesn’t need anyone’s help to look THAT incompetent.

This doesn’t look good for a government who argues that technology companies should make their devices more insecure at a time when the government can’t even secure their own networks.

Until the government starts doing a better job at securing their networks, they shouldn’t be arguing anything before the courts, or for that matter, the public.

ECA (profile) says:

DATA/INFORMATION CONTROLS

REALLY?

you want to SORT all data..
You dont want ANYONE to have encryption..

This is old..They have tried to monitor things for a long time, but Compression and encryption make things a bit HARD..
After getting TONS AND TONS of data, decrypting it takes MORE time..
They need everyone to NOT encrypt things..so they can Sort it out easier..

Anyone here, understand the AMOUNTS of data, per day, sent on the internet? JUST in the USA..
Want to Cut this back to just Cellphone calls, and CHAT channels? it would STILL fill a 20×20 room 4-6 feet HIGH in PAPER..
Does not include Game channels to chat..

I dont care how you sort it, or HOW big a computer you have…IF you are monitoring the WORLD, the amount of data compared to JUST the USA…would require the resources of Every person in the USA to monitor, sort, and pass on the data to SOME ONE WHO CARES..
