We’re Not Breaking Up Anything

A leading Senate critic of online surveillance wants the government to stop widespread spying on phone calls, texts and emails, saying the “digital dragnet” doesn’t make the country safer, and only hurts the U.S. economy.

What data is there to support such notions? That jobs have been lost in any significant numbers? That revenues for any of the associated enterprises are down dramatically based solely on recent revelations? Are there any metrics behind such claims besides the volume and length of press releases from privacy organizations/activists and NSA-haters?

I’m guessing the answer is “no.”

Tech executives and industry experts warned those revelations would hurt Silicon Valley companies by making consumers and business customers fearful that U.S. companies can’t protect sensitive data from government prying.

As executives from TJMaxx, Target, Home Depot, JP Morgan, Heartland Payment Systems, etc., etc. will testify, U.S. companies can’t protect sensitive data from anyone. I smell herring.

Some analysts estimated last year that U.S. tech companies could lose tens of billions of dollars in sales, particularly after European firms began marketing themselves as being more secure than U.S. competitors – or less vulnerable to legal demands from the U.S. government.

So “estimations” …from last year… not actual data…from today.

What’s the backup plan?

“The simplest outcome is that we’re going to end up breaking the Internet,” Schmidt said. “Because what’s going to happen is, governments will do bad laws of one kind or another, and they are eventually going to say, ‘We want our own Internet in our country because we want it to work our way, right? And we don’t want these NSA and other people in it.'”

The first rule of SIGINT Club is: going overseas is a help, not a hindrance, to collection.

The second rule of SIGINT Club is: if one man can build it, another man can break it.

Years ago, when asked by think tanks and futurists how I thought things were going to play out I thought Balkanization was the future too. But once I realized that people really didn’t care about security or privacy, I jumped from anger straight to acceptance. We’re not re-engineering the Internet to make it more secure or private. We’re not splitting it up. Ever heard of the steam roller called Internet of Things? Something you should all be aware of: it’s riding on the Internet. No one is disrupting this gravy train for the sake of security. I’m a security guy. Saying this is upsetting to me, but there is no meaningful indication that we’ve learned anything or are prepared to do anything different.

You Were Promised Neither Security Nor Privacy

If you remember hearing the song Istanbul (Not Constantinople) on the radio the first time around, then you remember all the predictions about what life in the 21st century was supposed to be like. Of particular note was the prediction that we would use flying cars and jet packs to get around, among other awesome technological advances.

Recently someone made the comment online (for the life of me I can’t find it now) that goes something like this: If you are the children of the people who were promised jet packs you should not be disappointed because you were not promised these things, you were promised life as depicted in Snow Crash or True Names.

Generation X for the win!

The amateur interpretation of leaked NSA documents has sparked this debate about how governments – the U.S. in particular – are undermining if not destroying the security and privacy of the ‘Net. We need no less than a “Magna Carta” to protect us, which would be a great idea if we were actually being oppressed to such a degree that our liberties were being infringed upon by a despot and his arbitrary whims. For those not keeping track: the internet is not a person, nor is it run by DIRNSA.

I don’t claim to have been there at the beginning but in the early-mid 90s my first exposure to the internet was…stereotypical (I am no candidate for sainthood). I knew what it took to protect global computer networks because that was my day job for the government; accessing the ‘Net (or BBSes) at home was basically the wild west. There was no Sheriff or fire department in case things got dangerous or you got robbed. Everyone knew this, no one was complaining and no one expected anything more.

What would become the commercial internet went from warez and naughty ASCII images to house hunting, banking, news, and keeping up with your family and friends. Now it made sense to have some kind of security mechanisms in place because, just like in meat-space, there are some things you want people to know and other things you do not. But the police didn’t do that for you, you entrusted that to the people who were offering up the service in cyberspace, again, just like you do in the real world.

But did those companies really have an incentive to secure your information or maintain your privacy? Not in any meaningful way. For one, security is expensive and customers pay for functionality, not security. It actually makes more business sense to do the minimum necessary for security because on the off chance that there is a breach, you can make up any losses on the backs of your customers (discreetly of course).

Secondly, your data couldn’t be too secure because there was value in knowing who you are, what you liked, what you did, and who you talked to. The money you paid for your software license was just one revenue stream; a company could make even more money using and/or selling your information and online habits. Such practices manifest themselves in things like spam email and targeted ads on web sites; the people who were promised jet packs know it by another name: junk mail.

Let’s be clear: the only people who have really cared about network security are the military; everyone else is in this to make a buck (flowery, feel-good, kumbaya language notwithstanding). Commercial concerns operating online care about your privacy until it impacts their money.

Is weakening the security of a privately owned software product a crime? No. It makes crypto nerds really, really angry, but it’s not illegal. Imitating a popular social networking site to gain access to systems owned by terrorists is what an intelligence agency operating online should do (they don’t actually take over THE Facebook site, for everyone with a reading comprehension problem). Co-opting botnets? We ought to be applauding a move like that, not lambasting them.

There is something to the idea that introducing weaknesses into programs and algorithms puts more people than just terrorists and criminals at risk, but in order for that to be a realistic concern you would have to have some kind of evidence that the security mechanisms available in products today are an adequate defense against malicious attack, and they’re not. What passes for “security” in most code is laughable. Have none of the people raising this concern heard of Pwn2Own? Or that there is a global market for 0-day and the US government is only one of many, many customers?

People who are lamenting the actions of intelligence agencies talk like the internet is this free natural resource that belongs to all and come hold my hand and sing the Coca Cola song… I’m sure the Verizons of the world would be surprised to hear that. Free WiFi at the coffee shop? It’s only free to you because the store is paying for it (or not, because you didn’t notice the $.05 across the board price increase on coffee and muffins when the router was installed).

Talking about the ‘Net as a human right doesn’t make it so. Just like claiming to be a whistle blower doesn’t make you one, or claiming something is unconstitutional when the nine people specifically put in place to determine such things haven’t ruled on the issue. You can still live your life without using TCP/IP or HTTP, you just don’t want to.

Ascribing nefarious intent to government action – in particular the NSA as depicted in Enemy of the State – displays a level of ignorance about how government – in particular intelligence agencies – actually work. The public health analog is useful in some regards, but it breaks down when you start talking about how government actions online are akin to putting civilians at risk in the real world. Our government’s number one responsibility is keeping you safe; that it has the capability to inflict harm on massive numbers of people does not mean they will use it and it most certainly does not mean they’ll use it on YOU. To think otherwise is simply movie-plot-thinking (he said, with a hint of irony).

Stop Pretending You Care (about the NSA)

You’ve read the stories, heard the interviews, and downloaded the docs and you’re shocked, SHOCKED to find that one of the world’s most powerful intelligence agencies has migrated from collecting digital tons of data from radio waves and telephone cables to the Internet. You’re OUTRAGED at the supposed violation of your privacy by these un-elected bureaucrats who get their jollies listening to your sweet nothings.

Except you’re not.

Not really.

Are you really concerned about your privacy? Let’s find out:

  1. Do you only ever pay for things with cash (and you don’t have a credit or debit card)?
  2. Do you have no fixed address?
  3. Do you get around town or strange places with a map and compass?
  4. Do you only make phone calls using burner phones (trashed after one use) or public phones (never the same one twice)?
  5. Do you always go outside wearing a hoodie (up) and either Groucho Marx glasses or a Guy Fawkes mask?
  6. Do you wrap all online communications in encryption, pass them through TOR, use an alias and only type with latex gloves on strangers’ computers when they leave the coffee table to use the bathroom?
  7. Do you have any kind of social media presence?
  8. Are you reading this over the shoulder of someone else?

The answer key, if you’re serious about not having “big brother” of any sort up in your biznaz is: Y, Y, Y, Y, Y, Y, N, Y. Obviously not a comprehensive list of things you should do to stay off anyone’s radar, but anything less and all your efforts are for naught.

People complain about their movements being tracked and their behaviors being examined; but then they post selfies to 1,000 “friends” and “check in” at bars and activate all sorts of GPS-enabled features while they shop using their store club card so they can save $.25 on albacore tuna. The NSA doesn’t care about your daily routine: the grocery store, electronics store, and companies that make consumer products all care very, very much. Remember this story? Of course you don’t because that’s just marketing, the NSA is “spying” on you.

Did you sign up for the “do not call” list? Did you breathe a sigh of relief and, as a reward to yourself, order a pizza? Guess what? You just put yourself back on data brokers’ and marketing companies’ “please call me” list. What? You didn’t read the fine print of the law (or the fine print on any of the EULAs of the services or software you use)? You thought you had an expectation of privacy?! Doom on you.

Let’s be honest about what the vast majority of people mean when they say they care about their privacy:

I don’t want people looking at me while I’m in the process of carrying out a bodily function, carnal antics, or enjoying a guilty pleasure.

Back in the day, privacy was easy: you shut the door and drew the blinds.

But today, even though you might shut the door, your phone can transmit sounds, the camera in your laptop can transmit pictures, your set-top-box is telling someone what you’re watching (and depending on what the content is can infer what you’re doing while you are watching). You think you’re being careful, if not downright discreet, but you’re not. Even trained professionals screw up and it only takes one mistake for everything you thought you kept under wraps to blow up.

If you really want privacy in the world we live in today you need to accept a great deal of inconvenience. If you’re not down with that, or simply can’t do it for whatever reason, then you need to accept that almost nothing in your life is a secret unless it’s done alone in your basement, with the lights off and all your electronics locked in a Faraday cage upstairs.

Don’t trust the googles or any US-based ISP for your email and data anymore? Planning to relocate your digital life overseas? Hey, you know where the NSA doesn’t need a warrant to do its business and they can assume you’re not a citizen? Overseas.

People are now talking about “re-engineering the Internet” to make it NSA-proof…sure, good luck getting everyone who would need to chop on that to give you a thumbs up. Oh, also, everyone who makes stuff that connects to the Internet. Oh, also, everyone who uses the Internet who now has to buy new stuff because their old stuff won’t work with the New Improved Internet(tm). Employ encryption and air-gap multiple systems? Great advice for hard-core nerds and the paranoid, but not so much for 99.99999% of the rest of the users of the ‘Net.

/* Note to crypto-nerds: We get it; you’re good at math. But if you really cared about security you’d make en/de-cryption as push-button simple to install and use as anything in an App store, otherwise you’re just ensuring the average person runs around online naked. */

Now, what you SHOULD be doing instead of railing against over-reaches (real or imagined…because the total number of commentators on the “NSA scandal” who actually know what they’re talking about can be counted on one hand with digits left over) is what every citizen has a right to do, but rarely does: vote.

The greatest power in this country is not financial, it’s political. Intelligence reforms only came about in the 70s because the sunshine reflecting off of abuses/overreaches could not be ignored by those who are charged with overseeing intelligence activities. So if you assume the worst of what has been reported about the NSA in the press (again, no one leaking this material, and almost no one reporting or commenting on it actually did SIGINT for a living…credibility is important here) then why have you not called your Congressman or Senator? If you’re from CA, WV, OR, MD, CO, VA, NM, ME, GA, NC, ID, IN, FL, MI, TX, NY, NJ, MN, NV, KS, IL, RI, AZ, CT, AL or OK you’ve got a direct line to those who are supposed to ride herd on the abusers.

Planning on voting next year? Planning on voting for an incumbent? Then you’re not really doing the minimum you can to bring about change. No one cares about your sign-waving or online protest. Remember those Occupy people? Remember all the reforms to the financial system they brought about?

Yeah….

No one will listen to you? Do what Google, Facebook, AT&T, Verizon and everyone else you’re angry at does: form a lobby, raise money, and button hole those who can actually make something happen. You need to play the game to win.

I’m not defending bad behavior. I used to live and breathe Ft. Meade, but I’ve come dangerously close to being “lost” thanks to the ham-handedness of how they’ve handled things. But let’s not pretend that we – all of us – are lifting a finger to do anything meaningful about it. You’re walking around your house naked with the drapes open and are surprised when people gather on the sidewalk – including the police who show up to see why a crowd is forming – to take in the view. Yes, that’s how you roll in your castle, but don’t pretend you care about keeping it personal.

What’s the Alternative?

The Director of the National Security Agency argues that the NSA should be in charge of computer security in this country. Long the home of some of the subject matter experts in computer technology and cryptography, this would seem to make a lot of sense.

But the NSA is an intelligence agency, and free people in a democratic society don’t like the idea of an intelligence agency – built to listen in on the conversations of “others” overseas – turning its extremely powerful data collection apparatus on them. The same or at least a similar argument is made whenever the topic of a domestic intelligence agency is brought up and the FBI argues that they should do the job: People don’t like the idea of those who can arrest you also having the authority to snoop on you. Dig hard and long enough into anyone’s life and you’re bound to find them committing a “crime,” and when you’re rewarded by the number of arrests you make and convictions you win, well, the recipe for abuse becomes obvious.

The hyperbole surrounding computer security that has been bandied about over the past few years aside, it’s clear that the more pervasive computers (in all their forms) become in our lives, the more of a problem insecure systems pose. But if access to, and the use of, such technology is increasingly viewed as a “right,” then some mechanism for defending that right is in order. If that defending entity isn’t the NSA, what is the alternative?

The Department of Homeland Security is often touted as the place where domestic computer security (if that’s even a thing) should be addressed, but I know of no one who would entrust such a mission to an organization that is famous for its dysfunction, and there is enough of that in computer security already. Remember, this is the agency that changes out “cyber czars” more frequently than Liz Taylor changed husbands (am I dating myself?).

Before we completely discard the idea of NSA involvement it may be useful to point out that the NSA is actually two large organizations underneath the same umbrella: an intelligence collection and analysis organization, and an information security organization. The former is the part that listens in on people’s conversations; the latter is the part that is in charge of wrapping math around our own conversations. There is an obvious symbiosis there, but what if you spun the INFOSEC organization out of big-NSA and let it focus on cyber security for all of us? Removed from Ft. Meade, ideally out of the Washington DC area altogether, it could be the center of expertise both the government and private sector need and would trust because they’d be about “security” not “intelligence.”

There is also an argument to be made that there isn’t a compelling need to do anything new from a governmental perspective. Leaving industry to its own devices seems like a bad idea, but cases where poor computer security led to the outright downfall of a company are notable because they’re so rare. The fact of the matter is that companies that get hacked and lose intellectual property suffer no long-term financial penalty, and since that’s what Wall Street grades C-level executives on, where is the incentive to change? It’s worth noting that the loudest voices lamenting the cost of IP theft all have a vested interest in more security, not higher profits.

This begs the question: is “economic prosperity” truly a national security issue? If that were the case the Chinese would have started chopping off French heads once they learned d’Entrecolles had stolen the method for making ‘china;’ the British would have hunted down and shot Slater and his ilk. Protecting IP and R&D that supports defense is a stronger argument, but traditionally our government isn’t in the business of making sure private enterprises can turn a profit (let’s not get side-tracked talking about farm subsidies). This is not the case in other countries, but since when is the US, France? If we became France (in this regard) at some point while we weren’t looking, then it’s time to make that policy known so that we can all act accordingly.

At this point, if forced to do something, I’d say we shift our resources as noted above. I’d rather have a solution that wasn’t a big-government one, but I can’t come up with one at this point. Anyone have any other, original ideas that don’t involve more spooks in the wire?


No New Cyber Security Legislation is Better Than Any New Legislation

The head of the U.S. Cyber Command, the former head of the NSA, and various national security wonks recently told Congress that we must pass new cyber security legislation now or risk worse legislation later. The serious cyber security problems we are dealing with today, left unchecked, could lead to a catastrophic attack tomorrow. In the aftermath of such an attack there would be calls for immediate action, but no time to think clearly about the unintended consequences of a snap decision.

It is hard to reconcile the sound and the fury coming from Capitol Hill about the need for new cyber security legislation with the reality cyber security practitioners are facing on a daily basis. If cyber security is such a problem, why hasn’t funding for the Comprehensive National Cybersecurity Initiative been extended? How come we have such a spotty law enforcement response? If cyber security is so important to the homeland, how come DHS – the organization the Congress would have setting security standards for industry – can’t keep a cyber czar on the job?

We have laws on the books that address cyber crime now: the Computer Fraud and Abuse Act and the Electronic Communications Privacy Act, both of 1986, come immediately to mind. They’re good laws in that they address the vast majority of behaviors that are associated with cyber crime, they’re just effectively un-enforceable. That does not stop just because we pass new law. The Cyber Security Enhancement Act is proof of that.

The idea that we would later come back to adjust bad legislation, as offered by former NSA Director Hayden, is an equally laughable proposition. There are a lot of things wrong with the PATRIOT Act – legislation passed in a panicked rush because something had to be done – but when we had the opportunity to amend or even repeal what is essentially a wartime law, we did nothing despite the crippling of the threat it was created to combat.

It’s only natural that Washington’s solution to every problem is new law, but new law doesn’t address the root cause of the problem; it simply allows more bureaucracy to grow up around it (imagine the TSA sticking a gloved hand in your laptop). The problems we’ve been facing are a product of both behavior and technology. You can’t legislate behavior, and technology will change three or four times in the span of a Congressman’s term, which means any proposed legislation is outdated before it ever comes to a vote.

The government has known about the security problems associated with the spread of information technology for decades, but despite countless recommendations and warnings we are no better off today than we were 20 years ago. It has taken years for the agencies that would protect us from digital evil to stop receiving “F” grades on their own cybersecurity report cards, but now industry is supposed to consider their advice “expert.”

Bills like the Cybersecurity Enhancement Act in the House want to fund the educations of those who study cyber security, but cyber security education is a band-aid for a kludge. It does not address what is essential for a more secure online environment: better programmers and engineers who are able to build functional but at the same time less vulnerable systems.

The Cybersecurity Act in the Senate emphasizes the need for “sharing,” but Information Sharing and Analysis Centers have been in existence for years. There are no statistics that show sharing has led to a more secure industry. Holding security contests to develop the security workforce is another tired idea. Security contests are always “capture the flag” affairs, which simply train tomorrow’s digital janitors to clean up yesterday’s engineering messes. There is no shortage of technical talent in this country, it’s simply that not everyone wants or is able to work for the government.

There are a number of things the government can do that would have a more meaningful impact on cyber security without new law.

Start by professionalizing and making cyber security a career field in which you can advance to the highest ranks in law enforcement, defense and intelligence. When an agent, analyst or operator can have a career, not just a rotation, combating cyber crime we can help ensure people on the front lines have the most current skills and can begin to build up institutional knowledge (something sorely lacking in most cyber security organizations today).

Stop relying on shortcuts like certification to determine who gets to join in the fight. You cannot express dismay that our networks are indefensible if you’d rather have a poor performer with a credential instead of someone who lacks a credential but has demonstrated expertise. The same goes for security requirements. Not everything dealing with government cyber security is classified. The idea that cyber security is some kind of gentleman’s game didn’t make sense 80 years ago and it makes even less sense now when the capability to become a cyber power is within any one person’s grasp.

Encourage more creative approaches to combating cyber crime and cyber criminals. The government cannot and should not do it all. Instead of trying to force the reluctant in industry to share, why not supply administrative and legal support they need to act in their own defense?

The Seat-Belt Light is On

You can’t beat Siobhan Gorman for NSA stories:

An expensive National Security Agency initiative to search the world’s communication networks for security threats is hitting early but significant snags, prompting intelligence officials and lawmakers to raise questions about its funding and its future.

Read it all and weep.

I’m not going to belabor the points I have made in past posts about the broke-d!ck state of IT up that way. It has been that way for ages and as you can see there seems to be no hope of reform. I would go so far as to say that no objective observer would slap the label of “successful” on any major IT project there for the past twenty years. In this case “success” being defined as within 10% of budget, within one year of IOC and within 80% of capability. Someone prove me wrong.

The congressional response is probably the saddest part of all. Both Rockefeller and Hoekstra hit their respective nails on the head, but Ruppersberger – who represents the area – punts. You want to exercise oversight? Shut off funding for everything but power and water until they cough up hard numbers and performance stats. Worried about the passage of time and the possibility of missing something? Like the performance to date is anything to brag about?

I know how this game is played: nominal success justifies pouring money down a black hole. We cannot afford this sort of business as usual.

Last one out of the SCIF, turn out the light

The cynic in me wants to laugh, but this is just sad:

The National Security Agency is facing significant budget shortfalls as the spy agency scrambles to respond to a mounting electricity crisis, modernize its technology, maintain current operations and add workspace, congressional and intelligence officials say.

As a result, they say, the NSA has slowed hiring, pared back upgrades in information technology, delayed equipment purchases and shut offices.

Worth a full read.

I’ve said it before and I’ll say it again: planning beyond lunch is a skill that escapes most IC “managers.” NSA is highlighted in this article, but you could find similar stories from every agency. When they’re fighting for their fiefdoms they forget about things like the laws of physics and the reality of the world outside the SCIF. Massive hiring surge without a corresponding increase in office space. Can you say “hot desk?” I mean, they’re lowering the thermostat. I’m waiting for the report about how they’re asking employees to bring in their own coffee beans and condiments because they have to scale back the food service contract. An IT heavy agency can’t afford to pay for top-notch tech support and they’re running out of power and this is a surprise?!

That they can’t keep audit-able books is a major part of the problem. Forget internal manager panels evaluating budget proposals; it is time to clean house and get legit. Not doing so will only ensure that these same issues will continue to raise their heads again and again. You’re going to trust a new budget system developed by the same people who have an interest in keeping it screwed up?

Also time to dump old portfolios and lesser includeds. Scrub programs for duplication – of which there is a disturbing amount – and watch the savings add up. Hard decisions? One of the many “top priority” projects has to fall away. Can’t risk missing something? You’re missing plenty NOW. You have that CSS for a reason, let them carry a heavier load.

Finally, as the article mentions, pack up what you can and send it away. Take a lesson from Google and park yourself next to a hydroelectric dam. Hawaii, Germany, UK, Washington, Texas, etc. would all welcome a boost in Congressional funding and a larger tax base. You’re not just mitigating current problems, you’re boosting long term survivability and resilience.