NSA Director Says More Domestic Surveillance Might Stop Foreign Hacking; Fails To Explain Why NSA Isn't Stopping Much Foreign Hacking
from the what-if-we-just-did-the-thing-we-already-do-but-not-through-the-back-door dept
Never let a good crisis go to waste. The federal government is always on the lookout for expansion opportunities and a bad actor known colloquially as "Current Events" keeps handing the government what it's looking for.
On January 6th, a bunch of Trump fans, who thought it was possible to overturn certified election results, raided the Capitol building. Five people, including a Capitol police officer, died during the attack. This horrific event was turned into a chance to increase domestic surveillance by the incoming president, who threatened Americans with the sort of good time they've been afflicted with since October 26, 2001.
Domestic terrorism legislation was an administration "priority," something that would free investigative and intelligence agencies to turn their surveillance programs inward and more directly target US citizens.
The blockbuster breach of widely-used SolarWinds network software affected dozens of federal agencies and millions of users around the world. In response to this travesty, the director of the NSA and its military counterpart CYBERCOM (Cyber Command) floated the idea of allowing the NSA (and others) to gaze inwardly at the country's moving (computer) parts. Here's Spencer Ackerman, writing for The Daily Beast:
“We truly need to look at the ability for us to see ourselves and right now it's difficult for us to see ourselves,” [General Paul] Nakasone testified on Thursday to the Senate Armed Services Committee. Adversaries like China and Russia “are operating with increased sophistication, scope [and] scale,” including operations that can end “before a warrant can be issued,” he warned.
“If we have a problem where we only see our adversaries when they operate outside of their country and we don't see them when they operate inside our country it's very difficult for us to be able to—to, as I say, connect those dots,” Nakasone said. “That's something that—that the administration and obviously, others are addressing right now.”
The NSA thinks it doesn't have enough visibility. And it's true, information sharing has long been an intergovernmental problem. Information sharing between the government and private companies has also been less than ideal, largely due to the fact that the government demands more than it's willing to share -- and that includes known exploits and bugs it's currently using to engage in worldwide surveillance.
What Nakasone is suggesting sounds like domestic surveillance of private networks to potentially thwart attacks and root out persistent threats. That doesn't sound much like America though. And there's no reason to believe the NSA and DoD are better qualified to do this job than the private sector. The NSA and others have suffered their own security breaches and carelessly handled sensitive tools/information. Giving up privacy (and some security) for nominal gains in "visibility" would be a really bad idea.
For what it's worth, the NSA quickly walked back Nakasone's statement... at least as much as it could. It claimed its director was not "advocating" for "additional authorities." That may be true but dropping this hint in Congressional testimony is a handy way to submit a P.O. for a larger Overton Window for the NATSEC corner office.
But, more to the point, Nakasone's testimony did not contain anything that should give anyone confidence the NSA is up to the task of thwarting foreign cyberthreats.
Nakasone did not testify that NSA or CYBERCOM was able to detect malicious campaigns like SolarWinds or Microsoft Exchange abroad before they entered American digital infrastructure, making it questionable whether expanding such detection across the domestic internet would be effective.
Hindsight is 20/20. Foresight appears to be almost nonexistent, even with the tech tools the NSA has at its disposal. If it couldn't mitigate the damage before it turned federal agencies into unwitting honeypots for data exfiltration (and that includes the supposed securers of the Homeland, the Department of Homeland Security and its cybersecurity branch), it shouldn't be given all-access passes to domestic networks under the theory that it might be able to do marginally better with greater "visibility."
Filed Under: cybercom, hacking, insurrection, nsa, paul nakasone, solarwinds hack, surveillance
Reader Comments
When you can look at everything, you get distracted by all the false leads that exist, until a real event tells you where to look to figure out what happened. More data is not the answer, but rather much better targeting and reducing the amount of data to be analysed.
[ link to this | view in thread ]
When it turns out that companies and products have shitty security, as it inevitably does, there should be consequences which effectively motivate the relevant parties to do much, much better. They shouldn't be allowed to play victim-only. This is like leaving keys in a running car - it's your damn fault, both legally and ethically, as much as the fault of the earnest thief or teenage joyrider who steals it. The real victims are the ones who live with the consequences of what happens next with that car.
[ link to this | view in thread ]
Re:
That's a tough argument to make. I'm neither legally nor ethically required to lock my car so it doesn't get stolen, much as I'm neither legally nor ethically required to put bars on my windows to prevent a break-in.
Victim blaming is a dangerous road to go down, with or without a stolen car.
[ link to this | view in thread ]
This smacks of when all you have is a hammer.
But the NSA traded its prior tool of collaborating with the public to create a robust culture of high-grade cybersecurity for a library of zero-day exploits, betraying that robust culture and exiling the public.
So they traded their socket spanner for a hammer, and now can't even imagine a socket spanner.
The right thing to do is put the NSA budget and resources in the hands of an EFF-like entity that doesn't capitulate to mission creep. We won't get that.
But maybe after a few more successful, embarrassing attacks from foreign and corporate interests, they'll recognize how useless their hammer is in this situation.
[ link to this | view in thread ]
Plus they just launder what they need from other NSA-like agencies around the world, like GCHQ, due to the various agreements they have with each other. That way they can spy on their own citizens without saying they are.
This is just them proposing they take out the middle man.
[ link to this | view in thread ]
Re:
Even "average" enterprise-scale monitoring can generate so much noise that it is difficult to find the valid versus the false positive.
National/international can't even imagine. Though TD's frequent posts about content moderation failure at scale spring to mind.
[ link to this | view in thread ]
Re: Re:
If a break-in will give someone access to private data you're storing about others—for example, if you're a doctor storing medical records—you are required to take reasonable steps to prevent it. That means locking your car if some records are there. It might even mean bars on the office windows.
[ link to this | view in thread ]