It's Time To Split Up NSA Between Spooks and Geeks

Hugh Pickens writes "Noah Shachtman writes in Wired that most of us know the National Security Agency as the supersecret spook shop that allegedly slurped up our email and phone calls after the September 11 attacks, but not so many know that the NSA is actually home to two different agencies under one roof: the signals-intelligence directorate, who can tap into any electronic communication, and the information-assurance directorate, the cybersecurity nerds who make sure our government's computers and telecommunications systems are hacker- and eavesdropper-free. 'The problem is, their goals are often in opposition,' writes Shachtman. 'One team wants to exploit software holes; the other wants to repair them.' Users want to know that Google is safeguarding their data and privacy. The trouble is that when Google calls the NSA, everyone watching sees it as a package deal. Google wants geeks, but it runs the risk of getting spies, too."

Why does Google need to 'partner' with the NSA?

[mschuyler]

Aren't they smart enough and rich enough to hire their own geeks? SIGINT is the main job of NSA, period. If you want to hire the wolf to guard the hen house, you take the consequences.

Re:Why does Google need to 'partner' with the NSA?

[aristotle-dude]

Google & NSA have been in bed together for ages. Heck, you know that thing called Google Earth? It used to be called Keyhole. NSA footed 10% of the bill on that.

Wrong agency. It was the CIA who funded Keyhole through INQTEL.

Re:Why does Google need to 'partner' with the NSA?

[jeff4747]

Because besides having the best "hackers" on the planet, the NSA also has the best sysadmins on the planet. Because the aforementioned 'hackers' practice against them.

This, btw, is why the author's idea is terrible. You want both offense and defense in the same agency so that they can share techniques.

Re:Why does Google need to 'partner' with the NSA?

[nacturation]

Amerika! Amerika ist wunderbar!

Amerikahu akbar!

Nonsensical ...

[krou]

Okay, so TFA is arguing that creating a new agency 'that didn’t include the spooks would' avoid conflict and bring about 'acceptance across the government and the private sector'.

But right in the beginning, it says '[Google] wants geeks, but it runs the risk of getting spies' when it contacts the NSA.

If there is no guarantee that Google doesn't end up getting spooks from the NSA, who can say this new agency won't have spooks in there from the NSA?

Am I missing something here, or is there some magical reason why this new agency won't have spooks embedded there, and it should be trusted any more than the NSA?

Re:Nonsensical ...

[jumpinp]

Oh, so you want a government/agency you can trust. Sorry, all out of that.

Hell No

[DesScorp]

We do not need yet another federal agency. Splitting them in two will only result in two bigger agencies with an ever ravenous appetite for more tax funds.

One of the worst things Bush did post 9/11 was creating the spate of new federal agencies. Can anyone say that their flying experience is actually better after TSA was created? Anyone?

How much good did creating yet another layer of intelligence bureaucracy do us? Did intelligence get any better after we made the Director of Central Intelligence obsolete by creating a Director of National Intelligence? Not one damn whit. It just grew the federal payroll some more, and added more bloat and bureaucracy.

Vital intelligence work needs to be done, but we need to be trimming down these agencies, not creating new ones.

Re:Hell No

[glwtta]

Can anyone say that their flying experience is actually better after TSA was created?

The TSA is supposed to make your flying experience better?

Re:Hell No

[countertrolling]

Not "better".. Safer..

Re:Hell No

[linzeal]

The TSA is supposed to herd air travelers in ever larger targets for terrorists in front of machines they use to find shampoo bottles in.

Seriously, how long is it going to take for some terrorist to walk into an airport with a suitcase bomb, sit in line for the TSA till he is in the middle of 100's or even 1000's of people during the holiday season and blow himself up ?

Two sides of the same coin

[Daniel+Dvorkin]

Keeping our systems secure, and breaking into the other guys' systems, are damn near the same job. It is a good thing to have the people responsible for both working together, and maybe trading jobs occasionally. There is no American computer security and Russian computer security and Chinese computer security: there is only computer security, and systems which are more or less secure. The NSA has historically been about the only government agency that really seems to get this, and it would be a real mistake to break it up.

Re:Two sides of the same coin

[budgenator]

I've read the article twice and it doesn't support it's own conclusion, if you except as a given that the NSA is bad, a loose cannon in regards to real American's rights it follows logically, if you don't think the NSA is inherently bad the article just panders to the tinfoil hat crowd. Google, an American Corp, and many other Corporations were attacked by an entity that appears was either the Chinese Government, a proxy of the Chinese Government or an entity specifically trying to make it look like the Chinese Government for their own nefarious purposes. Getting the "big guns" involved to help sort out the mess is the only reasonable response, it's what they are supposed to do and what they do.

Re:Two sides of the same coin

[el_tedward]

[sarcasm]
Yeah, if anything, the NSA has made things LESS secure! I mean, look at SELinux. It's a load of crap!!
[/sarcasm]

Re:Of course

[Anarki2004]

and you can't have Red Hat without a subscription (well support at least).

Re:And???

[General+Wesc]

The government is not a monolithic mind. Bureaucratic distance famously hindered information sharing between various agencies pre-9/11, and that was when it was largely in both agencies' interest to cooperate. That wasn't an isolated instance--it's how bureaucracy works. Someone with control over both agencies could force one agency to subjugate its goals to the others', but it's much more complicated, much more controversial, will receive much more resistance, and is over-all much less likely to be attempted than when it's an intra-agency conflict.

They already did, and it made things worse

[Animats]

This is old info, but NSA used to have a big internal division - the important stuff was at Fort Meade, and the less important stuff was at "FANX", the "Friendship Annex" (out near Friendship Airport, now called Baltimore Washington International). Support functions like personnel were at FANX, and still are.

Computer security was at FANX. Which was a problem. Being banished to FANX was bad for your career. The top NSA people didn't go to the computer security side of the house. So computer security languished for years.

All this was back when the USSR was the enemy, and NSA has changed a lot since then. But they still have Fort Meade and FANX, and less important stuff is still at FANX.

For a while, in the 1980s and 1990s, NSA did do serious computer security evaluations. Industry hated it, because products could fail. The original policy was that a company could submit products for evaluation by NSA. In the first round of evaluation, the NSA people told the company what was wrong, and gave them a chance to fix it. The second round was pass/fail; if NSA could break into it, it failed. There was no third round. Some highly secure systems did pass the tests, but they were not mainstream systems.

The process is now more "industry friendly". Evaluations are made by outside labs, paid by the companies being evaluated. Companies can keep trying over and over until they pass. Failures are not publicized. There are versions of Windows that have passed some level of Common Criteria testing.

The "geeks and spies" division in the article is bogus. NSA is all geeks. (Mostly the middle-aged federal employee version thereof.) It's buildings full of people working at desks. There are no "NSA agents". The spies and the guys with guns are at CIA, FBI, DIA, and in the intelligence units of the armed services.

Re:They already did, and it made things worse

The "geeks and spies" division in the article is bogus. NSA is all geeks. (Mostly the middle-aged federal employee version thereof.) It's buildings full of people working at desks. There are no "NSA agents". The spies and the guys with guns are at CIA, FBI, DIA, and in the intelligence units of the armed services.

This. I always get a laugh out of people saying "NSA agents"... the classic example was from Sneakers and the "NSA Agents" that were pursuing the decryption box. The only "Agents" that work for the NSA are internal types that manage polygraphs and security clearances. The rest of the people are geeks/nerds... well, actually managers and geeks/nerds. I remember an old joke floating around about the NSA: If the NSA ran a rowing crew it would have 7 people calling out "stroke" (managers) and 1 guy actually rowing (geek/nerd).

Re:They already did, and it made things worse

[Rorschach1]

I'd always assumed the idea of "NSA agents" was a myth, too. But if you visit the National Cryptologic Museum, there's a memorial there - apparently a duplicate of the one at Fort Meade - honoring fallen cryptologists. I seem to remember that a bunch of the names were actually just stars, because their identities were still secret. From the museum's website:

"The Memorial Wall was designed by an NSA employee and is 12 feet wide and eight feet high, centered with a triangle. The words "They Served in Silence," etched into the polished stone at the cap of the triangle, recognize that cryptologic service has always been a silent service - secretive by its very nature. Below these words, the NSA seal and the names of 153 military and civilian cryptologists who have given their lives in service to their country are engraved in the granite. The names are at the base of the triangle because these cryptologists and their ideals - dedication to mission, dedication to workmate, and dedication to country - form the foundation for cryptologic service."

I have to say that 153 sounds like an awfully high death toll if we're talking about desk workers.

Re:how will that solve anything?

[Hal_Porter]

You wouldn't actually do it, you'd just tell people you'd done it and hope some of them are gullible enough to fall for it.

Re:This is all wrong.

[zill]

Just ban them from listening in on Americans, as an official policy, and don't worry about it.

I'm sorry but that's purely wishful thinking on your part.

In 1976, the Church Committee reports found NSA obtained copies of millions of private telegrams sent from, to or through the United States in its SHAMROCK program.

On August 17, 2006, District Court Judge Anna Diggs Taylor ruled in ACLU v. NSA that NSA violated the First and Fourth amendment by warrantless tapping American citizens in the aftermath of 9/11.

In April 2009, intelligence officials admits that NSA had been engaged in “overcollection” of domestic communications of Americans. In one extreme case they even wiretapped a congressmen while he was overseas.

Please note that I am not wearing tinfoil hats and all my sources came from either from Congressional hearings or court rulings.

Moral Responsibility

[HotNeedleOfInquiry]

Splitting the two seems like an unfortunate way to let otherwise socially responsible geeks do morally questionable things. Keep the two groups together. Let them be totally aware that they are spies and there is a heavy price for deception and living a lie.

Smarts

[sjbe]

I'm not sure having a PhD in math grants expertise in computer and network security.

It doesn't but you're going to find a pretty heavy correlation between the two. Someone good in math is far more likely than average to have or be able to develop expertise in any given use of computers. The skill sets are different but the skills do overlap to a non-trivial degree. I'm sure a PhD is not required to work in computer security at the NSA but I also suspect they have more PhDs in that role than most employers. Just a guess I'll admit but it seems likely.

My guess is their expertise is used largely in encryption efforts.

I think you are probably correct.

I really see no evidence that the NSA has scooped up the smartest math PhDs.

Certainly they have no monopoly on smarts. Academia, private industry, finance, NASA and others employers unquestionably have a big share. The only safe thing to say is that the NSA apparently has a goodly number of very bright individuals working there. What portion of the talent pool they have is something that I'm sure is heavily classified if anyone even knows.

Re:Smarts

[dgatwood]

Someone good in math is far more likely than average to have or be able to develop expertise in any given use of computers.

Careful there. Being good at math---being capable of learning higher level math concepts---is not the same as having taken the time to do so. A lot of very people don't bother going beyond a certain point simply because their primary interests lie elsewhere. And to some degree, being too analytical can actually hurt your ability to write good software.

Writing software is not an entirely analytical process. It has some analytical components, particularly in understanding how the parts fit into the whole. However, creating the code itself is also an artistic process in many ways. You must consider all the different ways of doing something and choose the best one, based not just on the current needs, but also on a general feeling about what you might want to do with the code in the future without going overboard.

• Overly analytical people often over-plan and over-design, resulting in code that is too complex to maintain, is too slow, or takes too long to finish. Getting everything perfect the first time is too important, so nothing ever gets done.
• Overly artistic people tend to not plan enough, painting themselves into a corner. The result is that the entire project gets thrown out and redesigned every couple of years because they need to add a new feature and the design can't readily accommodate it.

Thus, good programming requires a very delicate balance between analytical abilities and creative/artistic abilities. Analytical skills are necessary, but not sufficient.

I would actually argue that programming skills tend to be more strongly correlated with musical ability than math education. Good musicians are generally good at analytical tasks, including math, but also have the artistic ability needed to take that critical step back and pay attention to the system design, the UI, etc.

I've always found it staggering how many of my coworkers are musicians. In my department alone, it's at least one in three, and many of the people who aren't musicians have kids who are. Whenever we have a department party, we usually get together a group of people and jam. And my previous employer was the same way.

Re:Smarts

[inKubus]

What Google is doing is business intelligence--learning stuff about people, relationships, web pages and then using that information to sell products, in the current case, Advertising. Walmart does the same thing but they collect data about products and people and sell merchandise. There are dozens of other examples. But what they are doing in parallel is forming huge databases of anonymous (hopefully) people data.

For an agency like the NSA, and what they are tasked to do, this is a huge goldmine of info. Information is everything, always has been. In any given market the person making the profit is the one with the best information on the conditions of the market so they can make the best choice. It's the hidden side of economics which has always assumed everyone makes the best possible decision. It turns out it's possible to make better decisions if you have a more perfect model.

Then, and taking it a step further, it's even easier to make a decision if you force the situation by doing something or faking information that the other side wrongly uses. This is done every day in the media to get the masses believing the wrong thing so they do what they will predictably do and the rich people profit on it. Not to say they aren't involved in their own games at the top, but that's the general gist that keeps wealth and power flowing up and out of the masses' hands.

If you're dealing with a hostile enemy (which still exists but probably won't for much longer as the elites move up beyond mere country borders), the same situation is true. The more information you have, the better your decisions will be. And even better to feed misinformation to the enemy so they make an even more wrong decision.

At the end of the day, this is the natural order of things, of civilization. The people at the NSA are people just like anyone else. I would assume that eventually people blow the whistle. And don't forget that there's other NSA agencies in other countries. China, Japan, Russia, England, France, Germany, India, Iran, Israel, Turkey; The thing that's most interesting about NOW is that something like Google, or Walmart, or other global conglomerations is that they trancend countries, borders, political systems. This is only the beginning, I don't think Google is really so much the end-all as the harbringer of things to come. I'd be really surprised if the people at the NSA aren't aware of this and want to hitch a ride up and out of "america" as it is and into what might be termed the "New World Order", in which there is a higher governmental power that goes beyond nations to those concerns that affect the world. Beyond the global warming and pollution stuff, you have very real and important problems around currencies, information exchange and security, etc. It does seem scary because it's so different, but it really is enevitable and for the best of humanity.

The UN is supposed to be that, somewhat, but I think it's not political enough. I think we should elect our UN representatives like we elect our presidents. The big corporations are really trying to get a leg up on traditional democracies by pushing global agendas and there's really no clear leadership helping the people's voice be heard. In fact, it seems our governments are doing their best to insulate us from the world affairs (at least it's felt like that in the U.S. for the past decade or two). But I think now more than ever a world democracy is possible, probable, and probably not that far away. But it may take wresting it away from the corporations, who would love more than anything to have a fascist world government. But that leads to corruption very quickly, as we've seen in history, and that will lead to conflict and hopefully resolution. Hopefully we won't have to go through it, but really we stand on the doorstep to opportunity to really build the future system of the world that will last until the sun burns out.

Re:Smarts

[Listen+Up]

While you make some good points, your arguments are inherently incorrect based upon your misunderstanding of creative problem solving. Here is a link http://en.wikipedia.org/wiki/Creative_problem_solving. Note the second sentence in the second paragraph. Problem solving as a whole is considered the most complex of all intellectual functions. Mathematical problem solving is considered one of the highest, if not the highest, forms of creative problem solving. Also consider for a moment that effectively the entire field of computer science was originally developed by Mathematicians.

I would argue that writing code is a purely analytical process. I would also argue that people who believe programming is purely an art form or is best suited for people who are not analytical, for example musicians, make terrible programmers. From my personal experiences, these kinds of people are at best "hacks" and tend to write average or below average code, which may or may not work. And that same code is almost always poorly designed, poorly architected, poorly implemented, poorly documented and poor performing. All of the people whom I've worked with who are Mathematicians, Engineers, Physicists, etc. who are also professional software engineers tend to write exceptionally good code. They also tend to have the appropriate analytical and creative problem solving skills necessary to provide appropriate solutions to extremely complex problems throughout all levels of development from architecture to implementation.

Getting back to the Wikipedia article, your misunderstanding is based upon the fact that while musicians may be creative, that does not mean they are creative problem solvers. Creative problem solvers though can be purely creative. Which correlates perfectly with my own personal experiences, since most highly analytical creative problem solvers I know also enjoy pursuing such subjects as art, design, music, etc. As a matter of fact, most of the people I work with enjoy photography outside of work, not music. And the opposite is true, people who are only musicians tend to be neither highly analytical nor decent problem solvers.

Re:Smarts

[dgatwood]

Odd, from what i've seen, most physicists write the worst code of all. Scientists and mathematicians gave us COBOL, BLAS, and LAPACK. They gave us functions with names like xerbla and sgemm. And so on. They tend to create code that is so brilliant that nobody can understand it except the person who wrote it, and after a few weeks, not even that person. That may not be your experience, but the experience is far from uncommon. :-)

And just to be clear, I didn't say that all musicians would be good programmers. I said that more of the good programmers that I've known are musicians than math majors by a large margin, at least among recent grads. If you look far enough back, everybody who learned programming did so in a math department, but that's just a historical artifact arising out of computers having been created originally to solve math problems. Among recent grads in computing, math is certainly a common minor, but it's not a very common major at all.

I also strongly disagree with the Wikipedia article's assertion that any significant amount of music doesn't involve problem solving. Well, maybe singing to a limited degree. Beyond that, though, that's a pretty absurd argument, IMHO.

Even basic performance involves a lot of creative problem solving, from realizing that a particular fingering doesn't lend itself to playing a given passage on piano or choosing an alternate fingering on flute for trills to listening to everyone else and choosing the right volume to blend or stand out as needed, staying with them in tempo, etc. Every single technical skill involves creative problem solving, and playing any musical instrument is necessarily a technical skill. More to the point, it's continuous creative problem solving for long periods of time in which a single mistake wrecks things.

And once you get into composition, that's doubly true. Whether you're coming up with good voice leading that avoids parallel fourth/fifth motion, ending up on the same note, or other awkwardness, dodging cross-relations between voices, creating countermelodies that obey good rules of counterpoint, or handling transpositions for different instruments (which admittedly most people just let software handle now), you're doing creative problem solving at a very high level. I actually think that composing good music is in many ways harder than writing software in terms of the amount of problem solving that you have to do (either intuitively or deliberately) at every step of the process. Try juggling 20+ independent voices in your head and you'll understand what I'm talking about.

So both composing music and performing it involve a not insignificant amount of problem solving and analysis. There's no such thing as purely artistic music, really. I have a hard time understanding how anyone who really knows music could even suggest such a concept.

If the NSA handles SIGINT, who handles SIGTERM?

[FoolishOwl]

And how about SIGHUP?

Re:If the NSA handles SIGINT, who handles SIGTERM?

[cryptoluddite]

SIGSTOP is handled by KAOS.
SIGCONT is handled by CONTROL.

SIGHUP? It's handl#`%${NO CARRIER

/wrists for making a no carrier joke

It all depends

[mikefocke]

It all depends on what level of Common Criteria evaluation you are talking about. At the higher levels, there is a lab authorized to conduct a product inspection and, once you pass that test, you get a medium level NIAP certificate. If you wish a higher level of CC approval in the US, after this original process NSA itself takes control and does its tests. So the process is still a two step process with NSA involvement...or was about 4 years ago when I was involved in taking an "Orange Book" product through CC evaluation.

Re:And???

[bit9]

Are you kidding me? First off, I never said the government was a monolithic mind. I said if the government wants to give you spies, you get spies. And by "government" I mean whoever the hell is in charge and responsible for things like getting the telecoms involved in wiretapping, etc, etc. These are not just isolated incidents, and it is pure folly to think that just because bureaucracy sometimes creates organizational barriers, that the government can be controlled and held accountable. The spooks will infiltrate wherever they please. The tail wags the dog.

Am I missing something?

[edittard]

'The problem is, their goals are often in opposition,' writes Shachtman. 'One team wants to exploit software holes; the other wants to repair them.

How are they in opposition? Isn't the aim to exploit the ones in their systems, and plug the holes in ours.