Heartbleed Suspicion And NSA Denial Show Why NSA's Dual Offense/Defensive Role Must End

from the it's-a-problem dept

We've talked for a while about how dangerous and ridiculous it is that the NSA has a dual role: carrying out "offensive" attacks while (supposedly) stopping incoming attacks in a "defensive" role. Technically, the NSA is supposed to handle the "defensive" side while US Cyber Command handles the offensive, but there is no real separation between the two. US Cyber Command is headquartered within the NSA and is run by the same person. Despite multiple recommendations to split the roles, the White House refuses to do so. Meanwhile, the NSA itself has been doing more and more offensive work anyway.

However, the claim late last week that the NSA knew about and exploited Heartbleed, followed by the NSA's quick denial, really puts an exclamation point on how untenable this dual role is. It's difficult to take the NSA seriously given the competing interests within it. Add to this President Obama basically giving his broad approval for the NSA to exploit security flaws it finds, and you have a very dangerous setup for the average internet user. The NSA, despite its job, will have little interest in actually protecting internet users.

Julian Sanchez summarizes the issue nicely by pointing out that the two roles are simply incompatible:
But the denial itself serves as a reminder that NSA's two fundamental missions – one defensive, one offensive – are fundamentally incompatible, and that they can't both be handled credibly by the same government agency.
The NSA's history of being less than forthright in the past, as well as many of the Snowden revelations, combined with its dual role, simply means that most people won't believe the NSA's denial about Heartbleed, even if it was much more strongly worded than earlier denials. If the NSA's role, however, were made much clearer, such that it was focused only on protecting systems, without the offensive elements, then it would be both a lot more believable and a lot more trustworthy. However, the very fact that the administration (and the NSA) appear to have little interest in moving in this direction says a lot about how much they really prioritize protecting our computer systems.

Reader Comments (rss)

  1. Anonymous Coward, Apr 14th, 2014 @ 10:17am

    Obama: Nope.

    http://www.washingtonpost.com/world/national-security/white-house-to-preserve-controversial-policy-on-nsa-cyber-command-leadership/2013/12/13/4bb56a48-6403-11e3-a373-0f9f2d1c2b61_story.html

    But I agree. This would be the single greatest "reform" of NSA they could practically do right now. Merging US Cyber Command and NSA was a grave mistake, and a major source of corruption of NSA's mission to protect US infrastructure.

  2. wto605 (profile), Apr 14th, 2014 @ 10:19am

    they can't both be handled credibly by the same government agency.


    Honestly... I don't think they could credibly be handled by the government period. Even if the current administration were at all receptive to congressional oversight the ability of our representatives to understand these issues is so limited it would render such oversight useless.

  3. Anonymous Coward, Apr 14th, 2014 @ 10:34am

    They're either lying or incompetent

    If the NSA knew about Heartbleed and didn't speak up: they're lying.

    If the NSA didn't know about Heartbleed, they're incompetent.

    (OpenSSL is one of the most widely used pieces of security-related software. Of course the NSA should have people who do nothing but scrutinize every change to it and target the modified code for attacks. Given their enormous financial, personnel and computing resources, they should have found this bug in a week.)

  4. Anonymous Coward, Apr 14th, 2014 @ 10:54am

    The "security" portion of NSA should be run by civilians, not army generals who only think of war (and mainly offensive capabilities). A civilian would be much more interested in the actual security of American infrastructure. It's actually what the NSA review panel proposed, too.

  5. Kenpachi (profile), Apr 14th, 2014 @ 11:11am

    Re: They're either lying or incompetent

    I couldn't agree more.

    On the same token, when pondering about the National Spying Agency, it's almost impossible for me to see an either-or statement on those adjectives.

    U feel me bro? :}

  6. Ninja (profile), Apr 14th, 2014 @ 11:47am

    That time when conspiracy nuts don't seem so crazy after all.

    Are we there yet?

  7. Internet Zen Master (profile), Apr 14th, 2014 @ 11:53am

    Isn't Offense supposed to be the CIA's job?

    I mean, the NSA's self-declared mission is to monitor data in order to stop potential terrorist threats (more or less). That's a defensive role.

    The CIA is... well, the CIA. That whole "carrying out/overseeing covert ops" part of their job description kinda makes them seem the default offensive role [but only in international matters of course], which means Cyber Command should be part of the CIA instead.

    Although the thought of having the CIA control Cyber Command instead of the NSA is not very comforting...

  8. Anonymous Coward, Apr 14th, 2014 @ 12:21pm

    Re:

    We got there a long time ago...
    In a galaxy far far away

  9. Anonymous Coward, Apr 14th, 2014 @ 12:33pm

    National Insecurity Agency is dangerous and insecure.

  10. Anonymous Coward, Apr 14th, 2014 @ 1:05pm

    Re:

    National Insecurity Agency is dangerous and insecure.

    Was going to call it National Anti-Security Administration but apparently the acronym is already in use.

  11. Anonymous Coward, Apr 14th, 2014 @ 1:36pm

    Re:

    Network security research should be carried out by a private company, funded by those who (should) have a strong interest in the Internet being secure; Amazon, Google, Ebay etc.

  12. Anonymous Coward, Apr 14th, 2014 @ 1:38pm

    Re: Re:

    I would suggest that agency could be useful in exiling the problem people, but they rely on private companies and the Russians these days for their transport.

  13. Anonymous Coward, Apr 14th, 2014 @ 7:10pm

    One of the most brilliant strategies of Hitler was to have multiple spy agencies compete. Worked pretty well for him. Hitler aside, perhaps that strategy can work for us?

  14. Coyne Tibbets (profile), Apr 14th, 2014 @ 7:14pm

    I call winner

    "The NSA's history of being less than forthright in the past..."

    Trying to win the understatement of the century award, are we?

  15. Anonymous Coward, Apr 14th, 2014 @ 9:11pm

    Re: They're either lying or incompetent

    Really the NSA have a thorough record of being both liars and incompetents.

  16. Pragmatic, Apr 15th, 2014 @ 5:03am

    Re: Re:

    Uh, much of the "But terrorists!!11eleventy-one!" scare-mongering is being done by private contractors that have a strong interest in turning a healthy profit. Our representatives are bought and paid for by private contractors with a strong interest in protecting their business models, which means scare-mongering in Congress to get those sweet, sweet, $$$s.

    They create (or pretend there is) a problem, then promise to solve it for a small consideration. Haven't you noticed this?

  17. Pragmatic, Apr 15th, 2014 @ 5:14am

    Re:

    It worked pretty well to keep him in charge but he lost the war because he wasn't brilliant after all.

    FIFY
