Surveillance Protests: Get Serious or Go Home

In the US of A, if you don’t like the fact that your government may have collected data about your phone calls and emails you can do something about it without fear of being thrown in a Gulag. Unfortunately, the actions being proposed by those who take offense at this kind of thing aren’t the kind of “something” that is going to make a difference.

Just as a reminder: The Executive Branch (where the NSA sits) carries out national policy; the Legislative Branch funds the Executive Branch agencies that carry out national policy; the Judicial Branch makes sure the other two branches aren’t breaking the law.

None of the aforementioned organizations care about your petition, or your march, or your online protest.

If you want to bring about political change you need to get out the vote. If you want to get out the vote you need to spend money. A lot of it. As I’ve stated before: your average citizen cares more about just about anything than they do things-cyber. With apologies to Benjamin Franklin, the only thing that is sure to get people’s attention is sex and taxes…“cyber” is an also-ran politically.

Don’t like the NSA maybe capturing your meta-data? Gather up enough friends, pool your money, and hire a lobbyist. Just so you know: A couple dozen mega defense contractors that make billions of dollars a year supporting the NSA and its sister organizations are your competition.

I’m not saying it is right, I’m not saying it is fair, I’m just saying that’s the way it is. If you want to win the game you have to play; anything less is a waste of time.



Stop Pretending You Care (about the NSA)

You’ve read the stories, heard the interviews, and downloaded the docs and you’re shocked, SHOCKED to find that one of the world’s most powerful intelligence agencies has migrated from collecting digital tons of data from radio waves and telephone cables to the Internet. You’re OUTRAGED at the supposed violation of your privacy by these un-elected bureaucrats who get their jollies listening to your sweet nothings.

Except you’re not.

Not really.

Are you really concerned about your privacy? Let’s find out:

  1. Do you only ever pay for things with cash (and you don’t have a credit or debit card)?
  2. Do you have no fixed address?
  3. Do you get around town or strange places with a map and compass?
  4. Do you only make phone calls using burner phones (trashed after one use) or public phones (never the same one twice)?
  5. Do you always go outside wearing a hoodie (up) and either Groucho Marx glasses or a Guy Fawkes mask?
  6. Do you wrap all online communications in encryption, pass them through TOR, use an alias and only type with latex gloves on stranger’s computers when they leave the coffee table to use the bathroom?
  7. Do you have any kind of social media presence?
  8. Are you reading this over the shoulder of someone else?

The answer key, if you’re serious about not having “big brother” of any sort up in your biznaz is: Y, Y, Y, Y, Y, Y, N, Y. Obviously not a comprehensive list of things you should do to stay off anyone’s radar, but anything less and all your efforts are for naught.

People complain about their movements being tracked and their behaviors being examined; but then they post selfies to 1,000 “friends” and “check in” at bars and activate all sorts of GPS-enabled features while they shop using their store club card so they can save $.25 on albacore tuna. The NSA doesn’t care about your daily routine: the grocery store, electronics store, and companies that make consumer products all care very, very much. Remember this story? Of course you don’t because that’s just marketing, the NSA is “spying” on you.

Did you sign up for the “do not call” list? Did you breathe a sigh of relief and, as a reward to yourself, order a pizza? Guess what? You just put yourself back on data brokers’ and marketing companies’ “please call me” list. What? You didn’t read the fine print of the law (or the fine print on any of the EULAs of the services or software you use)? You thought you had an expectation of privacy?! Doom on you.

Let’s be honest about what the vast majority of people mean when they say they care about their privacy:

I don’t want people looking at me while I’m in the process of carrying out a bodily function, carnal antics, or enjoying a guilty pleasure.

Back in the day, privacy was easy: you shut the door and drew the blinds.

But today, even though you might shut the door, your phone can transmit sounds, the camera in your laptop can transmit pictures, your set-top-box is telling someone what you’re watching (and depending on what the content is can infer what you’re doing while you are watching). You think you’re being careful, if not downright discreet, but you’re not. Even trained professionals screw up and it only takes one mistake for everything you thought you kept under wraps to blow up.

If you really want privacy in the world we live in today you need to accept a great deal of inconvenience. If you’re not down with that, or simply can’t do it for whatever reason, then you need to accept that almost nothing in your life is a secret unless it’s done alone in your basement, with the lights off and all your electronics locked in a Faraday cage upstairs.

Don’t trust the googles or any US-based ISP for your email and data anymore? Planning to relocate your digital life overseas? Hey, you know where the NSA doesn’t need a warrant to do its business and they can assume you’re not a citizen? Overseas.

People are now talking about “re-engineering the Internet” to make it NSA-proof…sure, good luck getting everyone who would need to chop on that to give you a thumbs up. Oh, also, everyone who makes stuff that connects to the Internet. Oh, also, everyone who uses the Internet who now has to buy new stuff because their old stuff won’t work with the New Improved Internet(tm). Employ encryption and air-gap multiple systems? Great advice for hard-core nerds and the paranoid, but not so much for 99.99999% of the rest of the users of the ‘Net.

/* Note to crypto-nerds: We get it; you’re good at math. But if you really cared about security you’d make en/de-cryption as push-button simple to install and use as anything in an App store, otherwise you’re just ensuring the average person runs around online naked. */

Now, what you SHOULD be doing instead of railing against over-reaches (real or imagined…because the total number of commentators on the “NSA scandal” who actually know what they’re talking about can be counted on one hand with digits left over) is what every citizen has a right to do, but rarely does: vote.

The greatest power in this country is not financial, it’s political. Intelligence reforms only came about in the 70s because the sunshine reflecting off of abuses/overreaches could not be ignored by those who are charged with overseeing intelligence activities. So if you assume the worst of what has been reported about the NSA in the press (again, no one leaking this material, and almost no one reporting or commenting on it actually did SIGINT for a living…credibility is important here) then why have you not called your Congressman or Senator? If you’re from CA, WV, OR, MD, CO, VA, NM, ME, GA, NC, ID, IN, FL, MI, TX, NY, NJ, MN, NV, KS, IL, RI, AZ, CT, AL or OK you’ve got a direct line to those who are supposed to ride herd on the abusers.

Planning on voting next year? Planning on voting for an incumbent? Then you’re not really doing the minimum you can to bring about change. No one cares about your sign-waving or online protest. Remember those Occupy people? Remember all the reforms to the financial system they brought about?


No one will listen to you? Do what Google, Facebook, AT&T, Verizon and everyone else you’re angry at does: form a lobby, raise money, and buttonhole those who can actually make something happen. You need to play the game to win.

I’m not defending bad behavior. I used to live and breathe Ft. Meade, but I’ve come dangerously close to being “lost” thanks to the ham-handedness of how they’ve handled things. But let’s not pretend that we – all of us – are lifting a finger to do anything meaningful about it. You’re walking around your house naked with the drapes open and are surprised when people gather on the sidewalk – including the police who show up to see why a crowd is forming – to take in the view. Yes, that’s how you roll in your castle, but don’t pretend you care about keeping it personal.

Cyber Village People

It takes all kinds to make the world go ’round…or a village to raise a firewall, or something like that. Yet when it comes to the training, equipping and deploying a government workforce for things-cyber, why, why can’t we stop stepping on our tricks?

There is almost certainly room for efficiency with regard to staffing IT positions in general. Every discrete entity will claim some form of “special-ness” but TCP/IP doesn’t discriminate based on Service or mission. The amount of customization and specialization needed in any given org doesn’t justify effectively replicating the same IT org over and over again.

Is every IT generalist going to ease into a CNO position just like that? Of course not. Training is in order, but if you want both a trained AND cleared workforce, this is really your only answer. The latter item is the true value of this proposal, because there is no shortage of people with CNO skills; there is simply a shortage of people who are either clear-able or willing to be cleared.

A more subtle factor in play, though I doubt it will be carried out effectively to any scale, is the injection of defensive thinking into the offensive world. The problem with the CND-CNE/A divide is that everyone specializes in their “thing” and thinks they know what the other side is all about, often forgetting that advances in both sides march ever onward. Everyone thinks the other guy has it easier than they do. Putting both sides in a room to battle over a specific security problem is like deciding who bats first; one hand over the other till someone clearly comes out on top. ‘If you did X, I would do Y. Well if you did Y then I would do Z.’ The end result – assuming everyone involved is a true expert – is that defenders realize they can’t stop a given attack and/or attackers realize they can’t get past a given defense.  I’ve seen it work, but only when everyone checks their attitude and parochialism at the door.

Good luck with that in the government bureaucracy.

Finally, I’m tired of hearing about how few “world class” people we have on the roster, or that there is a number we can pin to “world class” talent period. Really? Who defines “world class?” The CIA? GCHQ? Guinness? Was there a census taken? Did we test everyone who claimed ‘1337 $killz? What exactly would an order of magnitude increase in very-high-end talent provide us? If you put three engineers into a room and ask them to solve a problem did you know you’ll get five answers? Shouldn’t we be focusing _less_ on human resources and more on how we can make computers (which, oddly enough, are really good at high-volume, high-speed, complex tasks) do more of the heavy lifting for us?



How about a real intelligence reform bill then?

The nation’s intelligence agencies, mired in bureaucratic messes, have failed to deliver to Congress the high-quality information it needs about trouble spots such as North Korea and Iran, Michigan’s Rep. Pete Hoekstra said today.

still don’t have the intelligence community (needed) to give us as policy-makers the information we need to make good decisions on North Korea and Iran and other places,” Hoekstra, R-Holland, said during an appearance on “Fox News Sunday

Hoekstra is the top Republican on the House Intelligence Committee, and a top ally of the White House on national security issues. But he criticized former top Bush administration officials for hampering the flow of quality intelligence. He said turf wars between the Pentagon and intelligence agencies and a slow start-up to a reformed intelligence bureaucracy that was part of post-9/11 changes are to blame.

I really like Rep. Hoekstra and the level of effort he puts against intelligence issues, but pointing to an alleged mil-civ divide as the reason for a lack of progress in intelligence reform is a non-starter.

The blame for a lack of enthusiasm for change is not exclusively a military one. The DOD is the largest producer and consumer of intelligence information. You don’t think they’d welcome changes that would put more/better/faster intel into the hands of those that could use it?

Get analytic elements out of collection agencies, eliminate duplication of effort, and stop operating as if it is still 1955 and you’ll start to realize some meaningful change.

Want real intelligence reform? How about a real intelligence reform bill?