from the the-best-defense-is-calls-for-encryption-bans,-apparently dept
We live in a world where a 16-year-old who goes by the handle of "penis" on Twitter can dive into the servers of two of America's most secure federal agencies and fish out their internal files.
This 16-year-old is allegedly part of the same crew that socially engineered their way into the inboxes of CIA director John Brennan, Director of National Intelligence James Clapper and the administration's senior advisor on science and technology, John Holdren.
We also -- somehow -- live in a world where these same agencies are arguing they should be entrusted with massive amounts of data -- not just on their own employees, but on thousands of US citizens.
The DHS, FBI and NSA all want more data to flow to them -- and through them. The cybersecurity bill that legislators snuck past the public by attaching it as a rider to a "must pass" appropriations bill contains language that would allow each of these affected agencies to partake in "data sharing" with private companies. This would be in addition to the data these agencies already gather on American citizens as part of their day-to-day work.
The DHS -- one of the more recent hacking victims -- is the only agency that expressed a reluctance to partake in the new data haul. This isn't because it wouldn't like to have access to the data, but because it would be the agency responsible for "scrubbing" the data before passing it on to other agencies. DHS officials likely took a look at this requirement and saw it for what it was: a scapegoat provision. Should any legal action or public outcry have resulted from the new "sharing" demands, the DHS would have been the agency offered up to appease the masses.
Fortunately for the DHS -- but less fortunately for anyone concerned about expanding domestic surveillance efforts -- this requirement has been altered. A bit. The Attorney General will now examine the DHS's "scrubbing" efforts and determine whether or not they're Constitutionally adequate. Of course, the Attorney General is more likely to side with whatever level of scrubbing provides the maximum flow of data to underling agencies like the FBI, so that's not all that reassuring. On the other hand, it puts the AG in the crosshairs should something backfire.
This is the government that feels it can protect the nation from hackers: the government that can't protect itself from hackers.
The IRS seems to suffer from attacks almost daily, thanks to its treasure trove of social security numbers, addresses and other personally identifiable information. The OPM -- which oversees federal hiring -- coughed up plenty of the same personal info when it was hacked.
The agencies involved in the cybersecurity efforts have shrugged at the government's inability to protect personal information, arguing that these hacks only highlight how essential the new cybersecurity legislation is. More power and more data is what's needed, apparently, not an internal effort to shore up security before foisting their demands on the private sector. The government can't protect itself against politically-motivated teenagers. What chance does it have against organized criminals or state-sponsored attacks?
It's insanity. It's like hearing Wal-Mart claim -- after a large data breach -- that the best way to ensure this doesn't happen in the future is to allow it to store customer data collected by its competitors as well. Why make criminals and hackers work harder? Why not house as much data as possible in fewer locations?
To make matters worse, agencies like the FBI and NSA are pushing for greater offensive capabilities, all the while claiming they're very interested in defending the nation against cyberattacks. The two efforts are at odds. One side needs security holes to exploit. The other side needs holes closed as quickly as possible. Even without access to black book budgets, one can easily assume the offensive side will be receiving the majority of funding and manpower. When a vulnerability is discovered, who decides how it's used: the fixers or the exploiters?
The NSA thinks there's no inherent friction in playing both sides. It has decided -- against the recommendations of the President's Review Group -- to merge its defensive and offensive cybersecurity wings. The NSA is the only entity that doesn't see this as a problem. Nicholas Weaver, writing for Lawfare, explains exactly why it shouldn't be doing this.
[T]he... job of protecting US interests generally is far harder. This mission requires that the Agency work with industry as an honest broker. It cannot be seen as intent on using information gathered to sabotage industry's customers or general system security. The trust necessary for this job went up in smoke following the Snowden revelations, which revealed both the vastness of the SIGINT mission and at least one explicit betrayal of the core IA mission. NSA has a long, long way to go in rebuilding this trust.Defense isn't something these agencies care about. It may occasionally occur as a result of offensive efforts but it's never the focus. There are no "good guy only" exploits just as certainly as there are no "good guy only" encryption backdoors. The government will never be able to secure its own backyard as long as it believes developing weapons is more important than hardening defenses.
The NSA should abandon the merger plans because—regardless of the technical merits—the offensive-defensive merger is viewed by the world as a substantially untrustworthy act. I recognize that offense is part of practicing good defense. But you don't see me writing botnets or high-speed worms. Or breaking into systems without permission. Or providing information to those who do. I manage to defend systems without offense as a core mission, and my defense is not likely to be improved by giving offense a leg up.
The FBI would rather break into servers halfway around the world and run child porn sites as honeypots than work with other entities to improve their defenses. After all, if someone is hacked, the FBI can always hunt down the perpetrator. As an investigative agency, this makes sense. But it doesn't make sense when the same agency claims it wants to be part of information sharing related to cyberdefense. It's only interested in offensive actions. It only wants evidence and leads.
The DHS, despite containing the words "Homeland Security," isn't truly interested in securing the homeland either -- at least not to the extent that it's interested in opening its own investigations. The NSA is much more in its element performing surveillance and exploiting compromised systems -- neither of which can be considered "defensive" efforts.
In fact, despite the bill's passage, there is no government body tasked solely with the defensive side of "cybersecurity" -- which would seem to be the key element. Defense is apparently meant to be folded in with the rest of their normal activities. Supporters of the legislation think the key is information sharing. It could be, but government agencies have proven over the years they're incapable (or unwilling) to share information with each other. How another layer of government non-sharing is supposed to result in better security is unexplained. Private entities are expected to believe the Cybersecurity Act will turn everyone involved into one big team, but the reality is that it will do little more than add to stores of personal information the government has already proven unable to defend.