Heartbleed Suspicion And NSA Denial Show Why NSA's Dual Offense/Defensive Role Must End
from the it's-a-problem dept
We've talked for a while about how dangerous and ridiculous it is that the NSA has a dual role, both carrying out "offensive" attacks and (supposedly) stopping incoming attacks in a "defensive" role. While technically the NSA is supposed to handle the "defensive" side while US Cyber Command handles the offensive, there is no real separation between the two. US Cyber Command is headquartered within the NSA and is run by the same person. Despite multiple recommendations to split the roles, the White House refuses to do so. Meanwhile, the NSA itself has been doing more and more offensive work anyway.
However, the claim late last week that the NSA knew about and exploited Heartbleed, followed by the quick denial from the NSA, really puts an exclamation point on how untenable this dual role is. It's difficult to take the NSA seriously given the competing interests within it. Add to this President Obama basically giving his broad approval for the NSA to exploit security flaws it finds, and you have a very dangerous setup for the average internet user. The NSA, despite its job, will have little interest in actually protecting internet users.
Julian Sanchez summarizes the issue nicely by pointing out that the two roles are simply incompatible:
But the denial itself serves as a reminder that NSA's two fundamental missions – one defensive, one offensive – are fundamentally incompatible, and that they can't both be handled credibly by the same government agency.
The NSA's history of being less than forthright, as well as many of the Snowden revelations, combined with its dual role, simply means that most people won't believe the NSA's denial about Heartbleed, even though it was much more strongly worded than earlier denials. If the NSA's role, however, were made much clearer, such that it was focused only on protecting systems, without the offensive elements, then it would be both a lot more believable and a lot more trustworthy. However, the very fact that the administration (and the NSA) appear to have little interest in moving in this direction says a lot about how much they really prioritize protecting our computer systems.
Filed Under: cybersecurity, defensive, nsa, offensive, surveillance, us cyber command
Reader Comments
http://www.washingtonpost.com/world/national-security/white-house-to-preserve-controversial-policy-on-nsa-cyber-command-leadership/2013/12/13/4bb56a48-6403-11e3-a373-0f9f2d1c2b61_story.html
But I agree. This would be the single greatest "reform" of NSA they could practically do right now. Merging US Cyber Command and NSA was a grave mistake, and a major source of corruption of NSA's mission to protect US infrastructure.
Honestly... I don't think they could credibly be handled by the government, period. Even if the current administration were at all receptive to congressional oversight, the ability of our representatives to understand these issues is so limited it would render such oversight useless.
They're either lying or incompetent
If the NSA didn't know about Heartbleed, they're incompetent.
(OpenSSL is one of the most widely used pieces of security-related software. Of course the NSA should have people who do nothing but scrutinize every change to it and target the modified code for attacks. Given their enormous financial, personnel and computing resources, they should have found this bug in a week.)
Re: They're either lying or incompetent
By the same token, when pondering the National Spying Agency, it's almost impossible for me to see an either-or statement on those adjectives.
U feel me bro? :}
Re: They're either lying or incompetent
Re:
Re: Re:
They create (or pretend there is) a problem, then promise to solve it for a small consideration. Haven't you noticed this?
Are we there yet?
Re:
In a galaxy far far away
Isn't Offense supposed to be the CIA's job?
The CIA is... well, the CIA. That whole "carrying out/overseeing covert ops" part of their job description kinda makes them seem the default offensive role [but only in international matters of course], which means Cyber Command should be part of the CIA instead.
Although the thought of having the CIA control Cyber Command instead of the NSA is not very comforting...
Re:
Was going to call it National Anti-Security Administration but apparently the acronym is already in use.
Re: Re:
Re:
FIFY
I call winner
Trying to win the understatement of the century award, are we?