Stop Pretending You Care (about the NSA)

You’ve read the stories, heard the interviews, and downloaded the docs and you’re shocked, SHOCKED to find that one of the world’s most powerful intelligence agencies has migrated from collecting digital tons of data from radio waves and telephone cables to the Internet. You’re OUTRAGED at the supposed violation of your privacy by these un-elected bureaucrats who get their jollies listening to your sweet nothings.

Except you’re not.

Not really.

Are you really concerned about your privacy? Let’s find out:

  1. Do you only ever pay for things with cash (and you don’t have a credit or debit card)?
  2. Do you have no fixed address?
  3. Do you get around town or strange places with a map and compass?
  4. Do you only make phone calls using burner phones (trashed after one use) or public phones (never the same one twice)?
  5. Do you always go outside wearing a hoodie (up) and either Groucho Marx glasses or a Guy Fawkes mask?
  6. Do you wrap all online communications in encryption, pass them through Tor, use an alias and only type with latex gloves on strangers’ computers when they leave the coffee shop table to use the bathroom?
  7. Do you have any kind of social media presence?
  8. Are you reading this over the shoulder of someone else?

The answer key, if you’re serious about not having “big brother” of any sort up in your biznaz is: Y, Y, Y, Y, Y, Y, N, Y. Obviously not a comprehensive list of things you should do to stay off anyone’s radar, but anything less and all your efforts are for naught.

People complain about their movements being tracked and their behaviors being examined; but then they post selfies to 1,000 “friends” and “check in” at bars and activate all sorts of GPS-enabled features while they shop using their store club card so they can save $.25 on albacore tuna. The NSA doesn’t care about your daily routine: the grocery store, electronics store, and companies that make consumer products all care very, very much. Remember this story? Of course you don’t because that’s just marketing, the NSA is “spying” on you.

Did you sign up for the “do not call” list? Did you breathe a sigh of relief and, as a reward to yourself, order a pizza? Guess what? You just put yourself back on the data brokers’ and marketing companies’ “please call me” list. What? You didn’t read the fine print of the law (or the fine print on any of the EULAs of the services or software you use)? You thought you had an expectation of privacy?! Doom on you.

Let’s be honest about what the vast majority of people mean when they say they care about their privacy:

I don’t want people looking at me while I’m in the process of carrying out a bodily function, carnal antics, or enjoying a guilty pleasure.

Back in the day, privacy was easy: you shut the door and drew the blinds.

But today, even though you might shut the door, your phone can transmit sounds, the camera in your laptop can transmit pictures, and your set-top box is telling someone what you’re watching (and, depending on the content, can infer what you’re doing while you watch). You think you’re being careful, if not downright discreet, but you’re not. Even trained professionals screw up, and it only takes one mistake for everything you thought you kept under wraps to blow up.

If you really want privacy in the world we live in today you need to accept a great deal of inconvenience. If you’re not down with that, or simply can’t do it for whatever reason, then you need to accept that almost nothing in your life is a secret unless it’s done alone in your basement, with the lights off and all your electronics locked in a Faraday cage upstairs.

Don’t trust the googles or any US-based ISP for your email and data anymore? Planning to relocate your digital life overseas? Hey, you know where the NSA doesn’t need a warrant to do its business and they can assume you’re not a citizen? Overseas.

People are now talking about “re-engineering the Internet” to make it NSA-proof…sure, good luck getting everyone who would need to chop on that to give you a thumbs up. Oh, also, everyone who makes stuff that connects to the Internet. Oh, also, everyone who uses the Internet who now has to buy new stuff because their old stuff won’t work with the New Improved Internet(tm). Employ encryption and air-gap multiple systems? Great advice for hard-core nerds and the paranoid, but not so much for 99.99999% of the rest of the users of the ‘Net.

/* Note to crypto-nerds: We get it; you’re good at math. But if you really cared about security you’d make en/de-cryption as push-button simple to install and use as anything in an App store, otherwise you’re just ensuring the average person runs around online naked. */

Now, what you SHOULD be doing instead of railing against over-reaches (real or imagined…because the total number of commentators on the “NSA scandal” who actually know what they’re talking about can be counted on one hand with digits left over) is what every citizen has a right to do, but rarely does: vote.

The greatest power in this country is not financial, it’s political. Intelligence reforms only came about in the 70s because the sunshine reflecting off abuses/overreaches could not be ignored by those charged with overseeing intelligence activities. So if you assume the worst of what has been reported about the NSA in the press (again, no one leaking this material, and almost no one reporting or commenting on it, actually did SIGINT for a living…credibility is important here) then why have you not called your Congressman or Senator? If you’re from CA, WV, OR, MD, CO, VA, NM, ME, GA, NC, ID, IN, FL, MI, TX, NY, NJ, MN, NV, KS, IL, RI, AZ, CT, AL or OK you’ve got a direct line to those who are supposed to ride herd on the abusers.

Planning on voting next year? Planning on voting for an incumbent? Then you’re not really doing the minimum you can to bring about change. No one cares about your sign-waving or online protest. Remember those Occupy people? Remember all the reforms to the financial system they brought about?


No one will listen to you? Do what Google, Facebook, AT&T, Verizon and everyone else you’re angry at do: form a lobby, raise money, and buttonhole those who can actually make something happen. You need to play the game to win.

I’m not defending bad behavior. I used to live and breathe Ft. Meade, but I’ve come dangerously close to being “lost” thanks to the ham-handedness of how they’ve handled things. But let’s not pretend that we – all of us – are lifting a finger to do anything meaningful about it. You’re walking around your house naked with the drapes open and are surprised when people gather on the sidewalk – including the police, who show up to see why a crowd is forming – to take in the view. Yes, that’s how you roll in your castle, but don’t pretend you care about keeping it personal.

Prepare for the Pendulum Swing

I’m not going to belabor the tale of woe of those who are dealing with Edward Snowden’s theft right now. For a moment I want to opine on some of the secondary and tangential issues that I predict are going to make life in the IC more difficult because of his actions:

  1. Polygraphs. If it is true that he only took the job with BAH to gain access to specific data in order to reveal it, IC polygraph units are going to have to cancel leave through 2025. Moving from one agency to another? Get ready to get hooked up to the box (again). In a sys admin job? Pucker up. That old timer you used to get who realized that people were people and they had lives? He’s going to be replaced by a legion of whippersnappers who will all be gunning to catch the next leaker. Good people will be deep-sixed and those who survive will wonder if it’s worth the ***-pain.
  2. Investigations. When you can’t pick up on obvious problem-children, and when the bottom-line is more important than doing a good job, the bureaucracy will retrench and do what it does best: drop into low gear and distrust outsiders. There are only so many government investigators, and it’s not like there are fewer missions. Coverage will slip, tasks won’t get done, the risk of surprise (you know, what we’re supposed to try and avoid) goes up.
  3. Visits. Even in the information age some things are best discussed in person. Remember how your “community” badge would kinda-sorta get you into wherever you needed to go? Good luck with that for the foreseeable future. That three hour block of time you used to allocate to go to a meeting across town? You might as well write off the whole day.
  4. Two-Man Rule. Great theory; it will suck in practice. Remember when you used to be able to call the help desk and your boy Chuck would reset your password over the phone? Yeah, not any more. Something that took minutes will take hours; something that used to take hours will take days; things that took days will take weeks. In the information age, the ostensible information enterprise will work about as quickly and efficiently as a pre-assembly-line car factory.
  5. Sharing. Yes, the mechanisms will still exist, but no one actually will (officially). No one will say so out loud, but in a series of staff calls of decreasing seniority the word will get out: don’t post or share anything good or the least bit sensitive online. Stovepipes will be reinforced and what good was done over the past decade+ to break down barriers will get washed away. Sharing will go underground, which will simply make detecting leaks harder.

This story is far from over, but if you’ve been in this business for any length of time you know how wildly the pendulum swings when something bad happens. Nothing actually improves, everything just gets more difficult. This was less of a big deal during the industrial age, but that age has passed.



We Are Our Own Worst Enemy

My latest op-ed in SC Magazine:

It is tough being in cybersecurity. Defense is a cost center, and it’s hard to find meaningful metrics to demonstrate success. Interest in security is also cyclical: Major breaches stir action, but as time passes, interest and resources wane, though the threat is still there. Yet the biggest problem with cybersecurity is ourselves. Before we can succeed, all of us must agree to change.

Read the whole thing.

Better Government Cyber Security: don’t hold your breath

It is one thing to plan, something else entirely to turn it into reality:

The DHS plans to collocate private-sector employees from the communications and IT industries with government workers at the U.S. Computer Emergency Readiness Team (US-CERT) facility here, said Gregory Garcia, assistant secretary of cybersecurity and telecommunications at the DHS. The teams will work jointly on improving US-CERT’s information hub for cybersecurity, Garcia said. The agency didn’t specify a starting date for the program but said it will begin soon.

Every corporation willing to give up a top-notch employee to a rotation to the government (out of the goodness of your heart, because you’ll have to eat their salary) raise your hand.

Every highly-skilled private sector employee willing to support two households for a year on your current salary and who is prepared to subject yourself to the grinding bureaucracy of DHS, line up over here.

That’s what I thought.

Mr. Assistant Secretary, you can’t do this on the cheap, because you are going to get what you pay for. The money Uncle Sam paid your predecessor could comp industry for 3-4 great folks. A little COLA adjustment wouldn’t hurt either, but that’s icing. I’m assuming that since you came from a private-sector lobbying gig you understand how the economics work, so I’m also assuming that you are wed to this course of action because of circumstances that are out of your control. When this effort comes up short, you might want to begin a lobbying effort to change those circumstances.


Clearance Woe

I got a short boost of joy reading about (yet another) move by the government to reduce the waiting time for security clearances. The demand for clearances has gone well past the roof, but the approach to granting them is still stuck in the mud. The bulk of the wait comes from the long background interview process, in which not only are the people you put down as references interviewed about your character, etc., but a much larger network of interviewees is built (and subjected to the same process) by asking your references to supply references (ad nauseam). The idea is that you’re probably only going to put down as references people who will say very nice things about you. By expanding the network the investigators improve the chances that they will find someone who might say things that are not so nice, until someone gives up that – oh yeah, you spent that one summer between Jr. and Sr. year in Pakistan “visiting historical landmarks.”

The process has many flaws, but none as severe as the one pointed out in the story of an Iraqi (?) immigrant who held a TS clearance while working as a translator in Iraq. How bad is it? The government isn’t even sure of the guy’s name.

Security and counterintelligence folks will go apoplectic if you start talking about improving the clearance process, and they will point to stories like the one just mentioned as evidence. There is a flip side to that coin: if the process is so great, HTF did Mr. X get through? I mean, read the statements of the FBI and ICE agents in the translator story and ask yourself how they can utter those words with a straight face.

If security is just a matter of checking off boxes on a form then this is one of the few problems that can actually be “solved” by our Uncle’s favorite approach: throwing bodies at it. That is in essence the government’s solution today, with every under-employed liberal arts grad and retired FBI/IRS/SS agent working as a contract background investigator for the various firms employed by DSS and OPM to conduct interviews and perform records checks. The young woman who interviewed me for my last five-year update had only voted in one Presidential election and, unlike her, I could recite the interview questions from memory; the retired Bureau man who did the previous check-up didn’t need a cheat-sheet, but he did forget his creds at my house. Impressed?

Jabs aside, the current system needs an overhaul that goes beyond a more-of-the-same methodology.

For starters we need to dig deep and figure out just what ought to be classified and at what level. The problem of over-classification is well known, and if corrected would reduce both the volume of material that needed protection and the need for highly cleared people.

That’s step two: cutting back on clearance holders. If you get a job at an intelligence agency processing payroll you will be given a clearance. Same goes for a lot of administrative and support jobs. Having the badge makes life a lot more convenient, but it doesn’t improve security. Back-office stuff that doesn’t involve classified? Outsource it or detach it from the HQ and send your newly uncleared workforce to a telework center.

Step three is injecting automation into the process. Much of your clearance file is an actual physical file; what is this, the 50s? Some automation is already in the works, but as usual a lot of money has been whizzed away. VCF redux? God, I hope not.

Automating the process speeds up the back-end but you also need to look at automating as much of the investigation as you can. Your full name and SSN run through the credit bureaus and other major data brokers should produce plenty of material from which to launch a really focused background investigation. Where you get and how you spend your money, where you have traveled to and when, etc., etc. Stop wasting time asking broad-spectrum questions of people who might remember this or that and focus on facts. Kick the in-person interviews off after you’ve gathered all your ducks in a row.

Plenty of other ideas but it is time to pay the mortgage. Bottom line: this is a problem that is eminently fixable but it requires breaking china. In the words of Miracle Max, “Have fun storming the castle.”