Slashdot Mirror
It's Time To Split Up NSA Between Spooks and Geeks
Hugh Pickens writes "Noah Shachtman writes in Wired that most of us know the National Security Agency as the supersecret spook shop that allegedly slurped up our email and phone calls after the September 11 attacks, but not so many know that the NSA is actually home to two different agencies under one roof: the signals-intelligence directorate, who can tap into any electronic communication, and the information-assurance directorate, the cybersecurity nerds who make sure our government's computers and telecommunications systems are hacker- and eavesdropper-free. 'The problem is, their goals are often in opposition,' writes Shachtman. 'One team wants to exploit software holes; the other wants to repair them.' Users want to know that Google is safeguarding their data and privacy. The trouble is that when Google calls the NSA, everyone watching sees it as a package deal. Google wants geeks, but it runs the risk of getting spies, too."
Hats of all colors welcome!
You can't have white hats without black hats
I don't see how it will solve anything. The same equities will still be in place, it's a matter of self-interest, not necessarily a matter of who does what. Separating them into two agencies might just make the problem worse.
Aren't they smart enough and rich enough to hire their own geeks? SIGINT is the main job of NSA, period. If you want to hire the wolf to guard the hen house, you take the consequences.
How about a moderation of -1 pedantic.
How can one side do their job if the other doesn't point out the exploit?
I feel the same about AV software. If the big AV companies don't have at least a few virus/worm writers on the payroll, how else do they know if their defense software is any good?*
*Less assume for a moment that AV software is somewhat decent.
"There is no real right or wrong, just what the majority accepts at the time."
That's racist, Slashdot.
They're African Americans.
National Security Only Agency No Spies Agency which will be tasked with splitting the security aspect from the spying aspect. To insure this split the NSOANSA should be composed exclusively of spies because only spies will have the necessary intelligence needed to tell the spooks from the geeks. They will also require real-time access to all communications and have full retention of all electronic communication so they can insure that no spies are doing security work.
Okay, so TFA is arguing that creating a new agency 'that didn’t include the spooks would' avoid conflict and bring about 'acceptance across the government and the private sector'.
But right in the beginning, it says '[Google] wants geeks, but it runs the risk of getting spies' when it contacts the NSA.
If there is no guarantee that Google doesn't end up getting spooks from the NSA, who can say this new agency won't have spooks in there from the NSA?
Am I missing something here, or is there some magical reason why this new agency won't have spooks embedded there, and it should be trusted any more than the NSA?
'If Christ had tweeted the sermon on the mount, it might have lasted until nightfall.' - John Perry Barlow
Isn't that tension - between those who want to exploit holes and those who want to fix them - a good thing? Tension normally results in balance.
How exactly will splitting the NSA fix this? It's a government agency. If the government wants to give you spies, you get spies. Doesn't matter which 3-letter acronym organization they get their paychecks from.
Who do you think comes up with the technology to crack encryption of intercept signals?
Except for ending slavery, the Nazis, communism, & securing American independence, war has never solved anything.
We do not need yet another federal agency. Splitting them in two will only result in two bigger agencies with an ever ravenous appetite for more tax funds.
One of the worst things Bush did post 9/11 was creating the spate of new federal agencies. Can anyone say that their flying experience is actually better after TSA was created? Anyone?
How much good did creating yet another layer of intelligence bureaucracy do us? Did intelligence get any better after we made the Director of Central Intelligence obsolete by creating a Director of National Intelligence? Not one damn whit. It just grew the federal payroll some more, and added more bloat and bureaucracy.
Vital intelligence work needs to be done, but we need to be trimming down these agencies, not creating new ones.
Life is hard, and the world is cruel
Absolutely. The two sides have a synergy that likely wont work separately. Just look at the Red Team, they use all of the spy tools to penetrate networks for the sake of security. Breaking them up for the sake of PR is foolish, they're worth too much technically together to even consider this.
Keeping our systems secure, and breaking into the other guys' systems, are damn near the same job. It is a good thing to have the people responsible for both working together, and maybe trading jobs occasionally. There is no American computer security and Russian computer security and Chinese computer security: there is only computer security, and systems which are more or less secure. The NSA has historically been about the only government agency that really seems to get this, and it would be a real mistake to break it up.
The correlation between ignorance of statistics and using "correlation is not causation" as an argument is close to 1.
the NSA, well Forte Meade actually is home of a lot more agencies then just two. quite a few actually. DEFSMAC is the only one i can recall off the top of my head, as its been a while since i've read body of secrets.
Schneier on Security - Who Should be in Charge of U.S. Cybersecurity?
http://www.schneier.com/blog/archives/2009/04/who_should_be_i.html ... ...
the NSA's dual mission of providing security and conducting surveillance
means it has an inherent conflict of interest in cybersecurity.
We need to DISBAND the NSA. A democracy should be run by it's citizenry, not the other way around. The entire idea behind the NSA, that the American people need to be spied on, is repugnant, and helps stagnate our liberty in obvious and tyrannical fashion. This kind of agency is the whole reason we don't have real elections with real candidates that talk about real issues. This kind of agency is only required in a media run fascism where the populace does not know who killed JFK, or why, or who then succeeded him and to what purpose.
We should disband the NSA immediately. It is the most loathsome, disgusting, and horrible institution yet created by man, and it serves no purpose other than to subvert the very principle of democracy.
I hold very few opinions. I hold information based on observation and fact. If you wish to disagree, please use facts.
This is old info, but NSA used to have a big internal division - the important stuff was at Fort Meade, and the less important stuff was at "FANX", the "Friendship Annex" (out near Friendship Airport, now called Baltimore Washington International). Support functions like personnel were at FANX, and still are.
Computer security was at FANX. Which was a problem. Being banished to FANX was bad for your career. The top NSA people didn't go to the computer security side of the house. So computer security languished for years.
All this was back when the USSR was the enemy, and NSA has changed a lot since then. But they still have Fort Meade and FANX, and less important stuff is still at FANX.
For a while, in the 1980s and 1990s, NSA did do serious computer security evaluations. Industry hated it, because products could fail. The original policy was that a company could submit products for evaluation by NSA. In the first round of evaluation, the NSA people told the company what was wrong, and gave them a chance to fix it. The second round was pass/fail; if NSA could break into it, it failed. There was no third round. Some highly secure systems did pass the tests, but they were not mainstream systems.
The process is now more "industry friendly". Evaluations are made by outside labs, paid by the companies being evaluated. Companies can keep trying over and over until they pass. Failures are not publicized. There are versions of Windows that have passed some level of Common Criteria testing.
The "geeks and spies" division in the article is bogus. NSA is all geeks. (Mostly the middle-aged federal employee version thereof.) It's buildings full of people working at desks. There are no "NSA agents". The spies and the guys with guns are at CIA, FBI, DIA, and in the intelligence units of the armed services.
Splitting the two seems like an unfortunate way to let otherwise socially responsible geeks do morally questionable things. Keep the two groups together. Let them be totally aware that they are spies and there is a heavy price for deception and living a lie.
"Eve of Destruction", it's not just for old hippies anymore...
I'm not sure having a PhD in math grants expertise in computer and network security.
It doesn't but you're going to find a pretty heavy correlation between the two. Someone good in math is far more likely than average to have or be able to develop expertise in any given use of computers. The skill sets are different but the skills do overlap to a non-trivial degree. I'm sure a PhD is not required to work in computer security at the NSA but I also suspect they have more PhDs in that role than most employers. Just a guess I'll admit but it seems likely.
My guess is their expertise is used largely in encryption efforts.
I think you are probably correct.
I really see no evidence that the NSA has scooped up the smartest math PhDs.
Certainly they have no monopoly on smarts. Academia, private industry, finance, NASA and others employers unquestionably have a big share. The only safe thing to say is that the NSA apparently has a goodly number of very bright individuals working there. What portion of the talent pool they have is something that I'm sure is heavily classified if anyone even knows.
And how about SIGHUP?
It all depends on what level of Common Criteria evaluation you are talking about. At the higher levels, there is a lab authorized to conduct a product inspection and, once you pass that test, you get a medium level NIAP certificate. If you wish a higher level of CC approval in the US, after this original process NSA itself takes control and does its tests. So the process is still a two step process with NSA involvement...or was about 4 years ago when I was involved in taking an "Orange Book" product through CC evaluation.
Didn't DARPA create CERT to deal with vulnerabilities? Also, looks like the Chinese may not have just been blowing smoke when they accused Google of working closely with the United States intelligence community.
Um, sorry to point this out to you, but you run the risk of getting spies by contracting with just a "geek-only" NSA or contracting overseas with other countries.
As the wars in Iraq & Afghanistan are winding down the government "especially the republican party" sees the need for a new war. What better way to grease up lucrative contracts between the U.S gov & it's most successful companies than a "cyber" war. The Google breach is clearly an intel/political issue. The technical aspects are minimal & we all knew that great firewall compromised any chance of IT security there yet the story is portrayed as a technical one. Oh my! google was hacked by the chinese. They must need technical government support. Rarely is the story portrayed simply as an international policy issue. It's war I tell you & the economy loves a good fight.
This is only part of cover story on Chinese vs. Google fiasco.
Obviously, Chinese used earlier Google "teaming up" with NSA as part of action pretext, and now someone is wrapping up things. That was not so, it is this, and so on. A bit oblique, but it must be...
Too bad Chinese won't buy it.
One possibility is - they already "did". And stories like these are to cover tracks when both Google and Chinese pull their moves back.
http://opencm3.net, http://www.nongnu.org/gm2/
How can you have one side without the other.
The signals-intelligence directorate to hack every trackable device and the information-assurance directorate to make sure the voice print is correct before the drone is released?
You can get it killing Dzokhar Dudayev,
You can get it tracking Abdullah Ocalan,
you can get it hacking wikileaks - -
- matter of fact; I've got it now.
A big predatory ideology in denial needs a big cold agency and the best cold agency is the NSA! No such agency.
Domestic spying is now "Benign Information Gathering"
doesn't mean they won't cooperate (e.g. State Department/CIA).
"from" the United States: foreign
"to" the United States: foreign
"through" the United States: foreign
(the missing possibility is "within")
Wouldn't it just be easier to abolish the NSA?
Don't blame me, I didn't vote for either of them!
Observing this interplay between the two separate groups is the only way to reliably oversee and glean reliable data that either or both are not compromised, or "rooted." It's a brilliant solution. Be glad they implemented it. The next obvious question is, how do they have the oversight mechanisms kept secret and in redundancy? They'd have to be pretty much 100% passive.
The NSA has no business existing. Shut down the agency. Secret government agencies have no place operating in an open, free democracy.
Software is engineering. Cryptography is research.
This is my sig.
We don't know all of what the NSA does, what it spends, how often it succeeds/fails (or even what that means). Nobody is measuring the NSA for cost/effectiveness. One of the few things we _do_ know about the NSA is that some of the shit they pull violates U.S. citizens' constitutional rights.
What we should do is shitcan the current NSA and start over again. But this time build something that is monitored to ensure that, whatever it does, it does that effectively.
Of course the same could be said about the CIA, FBI and hundreds of other government agencies. But we spend so much more on the NSA. It is a true budgetary black hole.
I don't like Noah Shachtman or his work. I last thought about him when he wrote something about Los Alamos, NM, which I know well. His article was misleading and had a misplaced sense of excitement and drama. At the time, I checked out some of his other work and found that it was similar.
I put him in with Dvorak. I ignore what he says.
"An independent CSA would be trusted more widely than Fort Meade..."
The CSA - I like it - there's already a cool flag which can be seen on many pickup trucks in certain parts of the country.
How are they in opposition? Isn't the aim to exploit the ones in their systems, and plug the holes in ours.
At the bottom of the
Actually, Congress has oversight of NSA. Select committees are briefed on what they do and how the money is being budgeted. What you are complaining about is that you are out of the loop. If Congress wanted you to be in the loop, you'd be in the loop. The same can be said for the CIA, FBI, but I doubt there are hundreds of these other government agencies you apparently believe to exist. But then people believe in UFOs too.
Shitcanning the NSA and starting over would create....the NSA. Of course, you'd lose all the employees and institutional memory, they'd be starting from scratch which would be a huge waste of money. You still wouldn't get NSA memos because broadcasting what the NSA knows about foreign terrorists can be used by foreign terrorists. Only part of Congress would be kept in the loop because it is too large and political to expect it could keep secrets. So your congress-critter would most likely not get the memos. There would be few committees that would provide oversight and we'd have what we have now.
The NSA isn't cost-effective and it's a wasteful duplication of effort by other agencies: we don't need to spend trillions on electronic monitoring. We need feet on the ground in enemy territory. That isn't the NSA's domain.
It looks like the Americans want to split up The NSA to make the Google-NSA relationship look less evil.
Security Nerd.