NSA Chief Says NSA Doesn't Need Access To Your Info... As Whistleblowers Say They're Already Getting It

from the cyber-security? dept

Wed, Jul 11th 2012 9:25am — Mike Masnick

The American Enterprise Institute (AEI) recently held an event about cybersecurity and cybersecurity legislation. The keynote speech was from NSA boss General Keith Alexander. He of course talked about why he supports cybersecurity legislation, such as CISPA and other proposals that will make it easier for the NSA access private content from service providers -- much of which, reports claim, they're already capturing and storing. Alexander has claimed that the NSA doesn't have "the ability" to spy on American emails and such, and reiterates that claim during the Q&A in this session, insisting that the Utah data center doesn't hold data on Americans' emails (and makes a joke about just how many emails that would be to read). That's nice for him to say, but so many people with knowledge of the situation claim the opposite.

In fact, in a story that has received almost no attention, the EFF was able to get three whistleblowers to speak out on the NSA's massive spying infrastructure:

In a motion filed today, the three former intelligence analysts confirm that the NSA has, or is in the process of obtaining, the capability to seize and store most electronic communications passing through its U.S. intercept centers, such as the "secret room" at the AT&T facility in San Francisco first disclosed by retired AT&T technician Mark Klein in early 2006.

So it's interesting to pay attention to what Alexander has to say in pushing for cybersecurity legislation. You can watch the full video below, if you'd like:

Much of what he talks about online involves basic malware and hack attacks. These are definitely issues -- but are they issues that we need the military (which the NSA is a part of) to step in on? His "quote" line is that these attacks represent the "greatest transfer of wealth in history." That is a pretty broad statement, and there's almost no evidence to support it. He points to studies from Symantec and McAfee on the "costs" of dealing with security issues -- but remember, those are two of the biggest sellers of security software, and have every incentive in the world to inflate the so-called "costs." Also, seriously? The "greatest transfer of wealth in history"? Has he paid absolutely no attention to what's happened on Wall Street and the financial world over the past decade? Does anyone honestly believe that the amount of money "transferred" due to hack attacks is greater than the amount of money transferred due to dodgy financial deals and the mortgage/CDO mess? That doesn't pass the laugh test.

He does insist that worse attacks are coming, but provides no basis for that (or, again, why the NSA needs your info). In fact, according to a much more believable study, the real risks are not outside threats and hackers, but internal security screwups and disgruntled inside employees. None of that requires NSA help. At all.

But it sure makes for a convenient bogeyman to get new laws that take away privacy rights.

Alexander, recognizing the civil liberties audience he was talking to, admits that the NSA neither needs nor wants most personal info, such as emails, and repeatedly states that they need to protect civil liberties (though, in the section quoted below, you can also interpret his words to actually mean they don't care about civil liberties -- but that's almost certainly a misstatement on his part):

One of the things that we have to have then [in cybersecurity legislation], is if the critical infrastructure community is being attacked by something, we need them to tell us... at network speed. It doesn't require the government to read their mail -- or your mail -- to do that. It requires them -- the internet service provider or that company -- to tell us that that type of event is going on at this time. And it has to be at network speed if you're going to stop it.

It's like a missile, coming in to the United States.... there are two things you can do. We can take the "snail mail" approach and say "I saw a missile going overhead, looks like it's headed your way" and put a letter in the mail and say, "how'd that turn out?" Now, cyber is at the speed of light. I'm just saying that perhaps we ought to go a little faster. We probably don't want to use snail mail. Maybe we could do this in real time. And come up with a construct that you and the American people know that we're not looking at civil liberties and privacy, but we're actually trying to figure out when the nation is under attack and what we need to do about it.

Nice thing about cyber is that everything you do in cyber, you can audit. With 100% reliability. Seems to be there's a great approach there.

Now all that's interesting, because if that's true, then why is he supporting legislation that would override any privacy rules that protect such info? If he really only needs limited information sharing, then why isn't he in favor of more limited legislation that includes specific privacy protections for that kind of information? He goes back to insisting they don't care about this info later on in the talk, but never explains why he doesn't support legislation that continues to protect the privacy of such things:

The key thing in information sharing that gets, I think, misunderstood, is that when we talk about information sharing, we're not talking about taking our personal emails and giving those to the government.

So make that explicit. Rather than supporting cybersecurity legislation that wipes out all privacy protections why not highlight what kind of information sharing is blocked right now and why it's blocked? Is it because of ECPA regulations? Something else? What's the specific problem? Talking about bogeymen hackers and malicious actors makes for a good Hollywood script, but there's little evidence to support the idea that it's a real threat here -- and in response, Alexander is asking us all to basically wipe out all such privacy protections... because he insists that the NSA doesn't want that kind of info. And, oh yeah, this comes at the same time that three separate whistleblowers -- former NSA employees -- claim that the NSA is getting exactly that info already.

So, this speech is difficult to square up with that reality. If he really believes what he's saying, then why not (1) clearly identify the current regulatory hurdles to information sharing, (2) support legislation that merely amends those regulations and is limited to just those regulations and (3) support much broader privacy protections for the personal info that he insists isn't needed? It seems like a pretty straightforward question... though one I doubt we'll get an answer to. Ever. At least not before cybersecurity legislation gets passed.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: cybersecurity, hackers, malware, nsa, spying, whistleblower
Companies: american enterprise institute, at&t, mcafee, symantec

36 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Loki, 11 Jul 2012 @ 9:34am

His "quote" line is that these attacks represent the "greatest transfer of wealth in history."

Hmm, Enron? Saving and loan scandals? Freddie Mac? Fannie Mae? Bear Sterns? The truth is the dude just hates the internet because it easily and quickly allows the dissemination of details about the real criminal enterprises that defraud millions of people a year of massive amounts of money.
[ link to this | view in chronology ]
- :Lobo Santo (profile), 11 Jul 2012 @ 9:50am
  
  Re: The Greatest Scam ever Told!
  Yep, them poor government schmucks can't hardly get away with nothin! What with them "liberty" types spreading truth all over the internet... there outghta be a law!
  [ link to this | view in chronology ]
- Al Bert (profile), 11 Jul 2012 @ 11:36am
  
  Re:
  I think what he meant to say was "These attacks represent an opportunity to institute the greatest transfer of wealth in history"
  
  ... though maybe wealth only as an intended consequence of power.
  [ link to this | view in chronology ]
Anonymous Coward, 11 Jul 2012 @ 9:43am

can't wait for the movie...

like the Minority Report - but with NSA computers deciphering emails...and putting people in jail for it:

Boy: Yea, that party is going to be the bomb! I can't wait.

Woman: I was avoiding them like the plague.

child: my father always beats me. we play checkers every night.
[ link to this | view in chronology ]
rubberpants, 11 Jul 2012 @ 9:48am

Nice thing about cyber is that everything you do in cyber, you can audit.

Cyber is a noun now?
[ link to this | view in chronology ]
- Beta (profile), 11 Jul 2012 @ 10:09am
  
  Re:
  "The grammar of Newspeak has two outstanding peculiarities. The first of these was an almost complete interchangeability between different parts of speech. Any word in the language (in principle this applied even to very abstract words such as if or when) could be used either as verb, noun, adjective, or adverb."
  [ link to this | view in chronology ]
  - Colin, 11 Jul 2012 @ 12:22pm
    
    Re: Re:
    Holy. Shit.
    [ link to this | view in chronology ]
- John Fenderson (profile), 11 Jul 2012 @ 11:15am
  
  Re:
  Cyber is a noun now?
  
  Sure, why not?
  
  Since the use of the term "cyber" is a strong indication that the person using the term is ignorant in the first place, I don't mind what part of speech they want to use it as.
  [ link to this | view in chronology ]
- Al Bert (profile), 11 Jul 2012 @ 11:41am
  
  Re:
  Whenever I hear people pushing the "cyber" button, I always like to think they're kids on AOL in 1999. So i guess Alexander likes to audit his nightly masturbatory chat logs.
  [ link to this | view in chronology ]
- dwg (profile), 11 Jul 2012 @ 11:46am
  
  Re:
  See also "cyber is at the speed of light."
  
  The email is pretty amazing, too.
  [ link to this | view in chronology ]
  - Anonymous Coward, 11 Jul 2012 @ 4:49pm
    
    Re: Re:
    If you came at the speed of light, you came too fast.
    [ link to this | view in chronology ]
Beta (profile), 11 Jul 2012 @ 9:50am

pronoun trouble
"Nice thing about cyber is that everything you do in cyber, you can audit. With 100% reliability. Seems to be there's a great approach there."

He might more accurately have said "everything you do in cyber, we can audit."

(And I suppose I can dream of him saying "everything we do in cyber, you can audit.")
[ link to this | view in chronology ]
John Doe, 11 Jul 2012 @ 9:55am

Why not just monitor twitter?
If they want to know about a missile flying overhead, why don't they just monitor the #missile hash tag on Twitter. Twitter is already public so no invasion of privacy there.
[ link to this | view in chronology ]
lolzzzz, 11 Jul 2012 @ 10:00am

All i have to say to america is:
LIAR LIAR PANTS ON FIRE
[ link to this | view in chronology ]
Wally (profile), 11 Jul 2012 @ 10:17am

I will say it once.....
....I will say it again. There is so much information going through the computers at the NSA it doesn't matter. The info is almost never reviewed without warrant. I sort of hate it how people fail to grasp that concept.
[ link to this | view in chronology ]
- Beta (profile), 11 Jul 2012 @ 10:21am
  
  Re: I will say it once.....
  So why do they want more?
  [ link to this | view in chronology ]
- John Doe, 11 Jul 2012 @ 10:30am
  
  Re: I will say it once.....
  And you know this how? Also, how is it that this data can be collected w/o a warrant? Is the 4th amendment just a footnote now?
  [ link to this | view in chronology ]
- John Fenderson (profile), 11 Jul 2012 @ 11:19am
  
  Re: I will say it once.....
  Why do you think people aren't grasping that concept? Do you think that intercepting and storing the information is OK if they never look at it? I certainly don't.
  
  The info is almost never reviewed without warrant
  
  ...the presence of the almost in there indicates that you think people are sometimes looking at the information without a warrant anyway. So what's your point again?
  [ link to this | view in chronology ]
- Anonymous Coward, 11 Jul 2012 @ 3:55pm
  
  Re: I will say it once.....
  Wow, way to miss the point.
  [ link to this | view in chronology ]
- Anonymous Coward, 11 Jul 2012 @ 4:51pm
  
  Re: I will say it once.....
  I'll say it again. 9/11 was not stopped because of too much intelligence. They had the information but could not sort the urgent from the trivial none of their business stuff.
  
  Why do the NSA love successful terrorist attacks?
  [ link to this | view in chronology ]
- Anonymous Coward, 11 Jul 2012 @ 5:48pm
  
  Re: I will say it once.....
  I've read that they put out a list of keywords everyday and those correspondences that contain the keywords are tagged for review. This is done without warrant. I may be wrong but what if?
  [ link to this | view in chronology ]
- Anonymous Coward, 11 Jul 2012 @ 5:56pm
  
  Re: I will say it once.....
  You mean like "ALMOST never"?
  [ link to this | view in chronology ]
Jay (profile), 11 Jul 2012 @ 10:32am

What's amazing is that no one here sees the abuse that coulda be caused by this complete access. You can destroy enemies with false claims as well as profit greatly on selling all of the information. What's to stop the government from accusing someone from trafficking in child porn? Causing dissent? Becoming a menace? The fact is, the government is essentially continuing age old programs introduced during the cold war, which make no sense in the digital era. Someone should look up the Eisenhower Doctrine and how to sensationalize media. Or COINTELPRO and how the FBI took the law into it's own hands. Fact is, these fights are the same ones as the ones in the 60s and 70s our even earlier time frames if only people would learn from history.
[ link to this | view in chronology ]
- Anonymous Coward, 11 Jul 2012 @ 1:00pm
  
  Re:
  Hell, why dont we take it to the next level, and assume at some point it will be the norm for a company to "lobby" an "information analyst" in providing sensitive yet beneficial information on a particular deal they may have a vested interest in
  
  Shucks, in a world like that, only the despicable would survive, seing as their ethics would see nothing wrong with it.......it'll be, well, it'll be, just business, i guess
  
  A system built from the ground up to potentially fuck people over, and all it would take is someone who's willing
  
  They want to monitor us, but who will monitor the monitors, with vigilance, from its conception till its dismantle, and just for good measure, who will monitor the monitors who are monitoring the monitors *brain freeze*
  
  Nah, im just being overdramatic, it'll never happen, its not like were taking the first step, in that POTENTIAL future, first step***********SPYING****************second step*************STORING***********third step************"ANALYZING"**************
  
  Wheres me tinfoil
  [ link to this | view in chronology ]
Lord Binky, 11 Jul 2012 @ 11:44am

I'm really getting sick of this 'but i don't want to, make the government do it' attitude.
"One of the things that we have to have then [in cybersecurity legislation], is if the critical infrastructure community is being attacked by something, we need them to tell us... at network speed."
You don't need a law for that, you don't need special access, you need the equivalent of a fire alarm. Why is the NSA trying to provide the equivalent of a home security system to anything? It is the owners of the critical infrastructure to have such services in place. Make it a requirement just like they are required to have a fire alarm, but there's no reason the NSA needs to be cyber firefighters. In all his examples he states reactive responses to a security issue. That does not require additional information like they are asking for. What requires that additional information is predictive/premptive responses to a security issue that has yet to happen and that is where privacy > boogeymen. As nice as it to stop one bad thing from happening, it isn't worth opening yourself up more more bad things that are more common and frequent.
[ link to this | view in chronology ]
Lozine, 11 Jul 2012 @ 1:15pm

Whoaaaaa. If this all crashes down on us, we're screwed.
[ link to this | view in chronology ]
Androgynous Cowherd, 11 Jul 2012 @ 3:23pm

Hack attacks
Much of what he talks about online involves basic malware and hack attacks. These are definitely issues -- but are they issues that we need the military (which the NSA is a part of) to step in on?

Yes, because that worked out so well in Terminator 3.

Now, cyber is at the speed of light. I'm just saying that perhaps we ought to go a little faster.

According to Einstein, you might have a wee bit of trouble with that. And by all reports Einstein was a fairly smart guy.

Nice thing about cyber is that everything you do in cyber, you can audit. With 100% reliability.

hehe

hehehe

*guffaw*

Ah ...

Ahahahahaha!

HAHAHAHAHAHAHAHAHAHAHA!

*ROTFL*

Ahh, gee ...

Yeah.

Something involving computers that is 100% reliable.

That'll be the day!
[ link to this | view in chronology ]
Anonymous Coward, 11 Jul 2012 @ 3:37pm

"Cyber" is not a noun.
Is this the same guy that made the "series of tubes" speech? Because if he isn't, he's doing a great impersonation.
[ link to this | view in chronology ]
Anonymous Coward, 11 Jul 2012 @ 5:56pm

http://en.wikipedia.org/wiki/ECHELON

say no more
[ link to this | view in chronology ]
Anonymous Coward, 11 Jul 2012 @ 5:57pm

echelon
[ link to this | view in chronology ]
shutup, 11 Jul 2012 @ 6:06pm

....
The country that has enjoyed only 12 years without a war since its inception is talking about the catastrophic effects of war... joke...
[ link to this | view in chronology ]
Digitalistically Speaking (profile), 11 Jul 2012 @ 6:43pm

What theats?
Is He afraid that some hacker somewhere will gain access to our critical infrastructure and cause it to malfunction?

Electrical grid?...Don't connect to the internet!
Transportation?....Don't connect to the internet!
Waterways?......... Is there a switch somewhere that you can flip and change the course of the Mississippi to east/west?
Probably not.But if there is, don't connect it to the internet!
Drinking water? Don't order Bottled water on the internet!
Railroads?...Don't connect to the internet!
Oil and gas...That's already being controlled my malicious types...No cyber security necessary.
Military?...No amount of security is gonna help there.
Governments?...All the foreign countries already have all the secrets they want.

So what's left?

Whatever it is don't connect it to the internet!

Cyber Security problem solved.
[ link to this | view in chronology ]
- Ed C., 11 Jul 2012 @ 9:38pm
  
  Re: What theats?
  That's fine and all, until someone wants to check their email or facebook, or has to order hookers and crack for the boss. Just one blundering fool with more IE toolbars than screen space, and more malware than sense, is all it takes to for those dirty Chinese or Iranian hackers to take down our entire national infrastructure. You might think that all we need are proper firewalls and network segregation to prevent any such travesty, but no! The only way to stop these attacks is to create unregulated programs that require shoveling unaccounted billions to government contractors for equipment to spy on everyone. I mean, they obviously can't keep the children safe 24/7 if they aren't spying everyone and everything, right?
  [ link to this | view in chronology ]
Michael, 12 Jul 2012 @ 6:11am

The way these people talk, you'd think that there's a looming threat everywhere and at all times. And what's the magical do-all solution to all these (fabricated) boogeymen who are out to destroy us? Unfettered access to all private communications. The solution always comes at the expense of our civil liberties, our privacy, our Constitutional rights. Always, without exception.

I see a bigger concern involved in all this. Our security infrastructure (theatre) is basically one large net pointed inward to spy on and target Americans, not foreign enemies. Why do they need to monitor us like an ant farm? What exactly is the agenda here? I know this much: they wouldn't spend billions creating such a huge data-gathering agency if they had nothing to gain from it. But what?
[ link to this | view in chronology ]
George W., 14 Jul 2012 @ 12:41am

Bull Sh*t
This General is making false leading claims. 70%+ of all hacks come from the "inside". Some accidental. Some not. Scare mongering when the USA is the only one that is mostly likely doing all these attacks. Sad ..
[ link to this | view in chronology ]
Anonymous Coward, 3 Aug 2012 @ 3:22pm

well
"cybersecurity" HAS caused the greatest transfer of wealth in history...straight into the bank accounts of the board of directors of every major bank on earth.

if there were better external security systems, they wouldn't have creamed BILLIONS from their faked "collapses" into personal accounts.
[ link to this | view in chronology ]