RSS
Home
NSA ill-suited for domestic cybersecurity role
Print
Email
RSS
Subscribe
In one of those under-the-table announcements that Washington power players like to make on Friday afternoons, the Obama administration announced its sweeping new “Cyberspace Policy Review.” The idea of an overarching national IT policy has been around for decades, but it looks like the Big Idea President is going to make it happen, starting with the appointment of a ‘cyber czar’ who will oversee a new national IT security strategy.
Regardless of the shape of America’s new cyber policy, the National Security Agency could end up playing an expanded role in America’s private sector cybersecurity. NSA has long been involved with the security of US telecoms infrastucture, through such esoteric entities as the National Security Telecommunications and Information Systems Security Committee (NSTISSC), which coordinates security for national-level telecommunications infrastructure.
But signs point to NSA’s creeping involvement in cyber defense. Rod Beckström, former senior Department of Homeland Security official in charge of cyber security complained in the resignation letter he tendered in March that NSA "currently dominates most national cyber efforts." Obama’s Director of National Intelligence, Admiral Dennis Blair, told Congress in February that NSA should be at the forefront of national cyber defense. A few weeks later, however, NSA chief Keith Alexander told an industry gathering that the spy agency didn’t want the role.
Nonetheless, giving more responsibility for domestic and private sector cybersecurity to NSA—a secretive, hidebound culture incapable of keeping up with innovation, or even working with industry—is a bad idea.
I know this from my time as a counterterrorism analyst at CIA ten or so years ago.
When NSA was actually able to intercept terrorism information for analysts and operations, it was reliable and high quality.
But the bigger problem we had in the Intelligence Community was "if" NSA codebreakers could intercept terrorism information.
Whenever I met with my NSA counterparts, it was clear that they were stymied by new-generation Western-engineered telephone networks and mobile technologies that were then spreading like wildfire in the developing world and former Soviet satellite countries. For example, CIA operators and analysts like me needed more and better intercepts of terrorist voice and data communications in key foreign cities--but what we got instead was more intercepts of foreign government communications.
None of this should be a surprise: NSA's mission for most of its sixty-year history had been cracking backwards telecom and crypto gear produced by Soviet and Chinese design bureaus. NSA efforts from the ‘clipper chip’ of the 90s through today’s Terrorist Surveillance Program of secretly installed backdoors in US telecoms infrastructure—are a conceit that the eavesdropping agency needs a “cheat” to stay ahead of telecoms and IT innovation.
When NSA finally recognized that it needed to get better at innovation and keeping up with real world communications and information technology, it did what any 21st century US government agency does: it turned to defense contractors. In the early 2000s, NSA launched an aggressive outsourcing campaign. NSA’s mega-projects, tagged with opaque names like ‘Trailblazer’ and ‘Groundbreaker,’ have been spectacular failures, costing US taxpayers billions.
But failure is in the eye of the beholder. Big intelligence contractors like Computer Sciences Corporation (CSC) and Science Applications International (SAIC)—as well as a vast ecosystem of mid-size and mom-and-pop subcontractors situated in the office parks surrounding NSA’s headquarters facility at Ft. Meade, Maryland—probably think these eavesdropping mega-projects have been successful. After all, Federal cost-plus contracts guarantee that contractors make profits, even when they fail to produce actual results.
Project mismanagement and waste aren’t the only things wrong with how NSA relies on contractors—NSA also has serious problems with the security of its contractors. In his book The Shadow Factory, investigative reporter James Bamford described how NSA turned to foreign contractors to develop its controversial domestic wiretap program. According to Bamford, Israeli firms Narus, Verint, and others (all linked to Israeli intelligence) worked with US telecoms giants such as Verizon and AT&T to establish eavesdropping capabilities in major US data centers.
If trusting the cybersecurity of America’s commerce, manufacturing, and vital infrastructure to a Federal agency with a history of business and security incompetence is a bad idea, it’s an even worse idea to entrust this mission to secretive agency with a history of disregard for privacy and civil liberties.
Most recently, the New York Times reported that NSA has been breaking rules set by the Obama administration to peer even more aggressively into American citizens’ phone traffic and email inboxes.
Meanwhile, the widely reported NSA (or was it FBI?) wiretapping of Representative Jane Harman (D-California) raises the specter of Nixon-era politically motivated misuse of intelligence resources.
Earlier whistleblower reports portray NSA domestic eavesdropping programs as unprofessional and poorly supervised, with intercept technicians ridiculing and mishandling recordings of citizens’ private “pillow talk” conversations.
Does the Federal government need to be involved in coordinating private sector cybersecurity? Perhaps, but only in a coordinating role. Private sector enterprises have been successfully confronting threats to their critical infrastructure, since, well, there’s been such a thing as privately-owned critical infrastructure. That’s why there’re ‘no trespassing’ signs on railroad tracks, for example, and why the electric companies keep their transformers behind lock and key and barbed wire fences.
But if the Federal government must play a role, then Congress and President Obama should turn to another agency without a record of creating mistrust —perhaps even a new entity. Meanwhile, NSA should focus on listening in on America’s enemies, instead of being an enemy of Americans and their enterprises.
Related Articles:
Comments
The last time I turned on a CIA computer, which was about ten years ago, it took a half hour or so for it to boot up, prompt me for a bunch of …
Former AP correspondent Jim Krane notes in his new book, City of Gold: Dubai and the Dream of Capitalism, that the US Consulate in Dubai has proven so …
