Why NSA isn't to blame
a guest, Jan 22nd, 2016
- NSA isn't to blame. It's really that simple.
- I think the situation has turned into such an NSA-bashing party that everyone's forgotten why the situation exists, who the majority of stakeholders are, and what can/can't be done against a surveillance state actor. Not to mention pushing all kinds of figurative comparisons making it seem like the NSA is massively robbing, injuring and/or murdering American citizens. I mean, come on... I'll address the people that replied to me in the next post after I set the foundation in this one.
- The Why: NSA's Mission
- I'm not going to totally blame the NSA here like everyone else is doing, nor make analogies that paint an unrealistic, deadly picture of the results. Before anyone talks legal or ethics, they need to look at what the NSA was *required* to do. Here is their legal mission over time:
- 1. Gather every piece of vital information they can on foreign targets of interest.
- (Ridiculously huge number, from crooks to business to government, across many mediums in many countries with a variety of security approaches.)
- 2. Do the same if their communications cross into US territory.
- (Previously, there were very strict rules about exactly how to do this.)
- [So far, we just have two requirements, a massive amount of technicians, little oversight and a huge budget. I said that was a bad idea but I was a minority. Moving on. Even back then, they were working toward intercepting everything with filters and automated analyses to make sense of it all. Echelon being a prime example that leaked. Yet, even with massive spying and alleged abuses in the 90's, neither American people nor Congress pushed hard to rein in their power or establish strong oversight of expanding SIGINT activities. And federal courts did about nothing. Strike 1.]
- 3. Acquire intelligence on anything that might lead to another 9/11 happening on US soil, even if it means spying on Americans.
- [This was post 9/11. This let them turn their technology on Americans more often, although they had certain legal issues. Congress begins passing laws that remove legal obstacles and create plenty of secrecy. American public majority supports the activity as in our interests for our safety, as they like trading off liberty to sleep better. Strike 2.]
- 4. Expanding on 3, more pushes for cyberwar readiness, streamlined intelligence sharing, greater visibility, rapid response that requires fewer filters and long-term analysis capabilities similar to commercial sector's business intelligence apps.
- [The Business Intelligence type apps and proposals go way back with software demos from CIA's In-Q-Tel on specifics of a few apps for government use. That was public. Even if it's a Special Access Program, a significant number of people in Congress would know they were tapping into phone, carrier and/or encrypted networks. Some of this leaks publicly many years ago. American public fails to use common sense test of "is more secrecy, money, spying, lying and lack of due process a good thing for citizens now or later?" Congress continues authorizing and funding the operations. Strike 3.]
- I say that's already all you need for a situation to occur much like recent revelations. This situation was the logical conclusion of a continuous series of events going back 10-20 years. Maybe more depending on who you asked. Every step of the way, the NSA's modern activities got the blessing of Congress, the public, the important courts, Federal LEO's, state LEO's that could use the data, and the media. Sounds legal and endorsed enough to me. So, certain claims people are making don't hold any water despite how often they're repeated.
- NSA didn't do this alone: most other parties either implicitly authorized it with the expectations and requirements they set or by just letting it happen with no accountability every time something leaked. NSA is just a tool. The failure was how democracy was using it.
- The How: Accomplishing the Mission
- People have also been saying they hate all these methods NSA uses. I'm not going into them right now. You've probably heard of them. Yet, I've just illustrated their mission requirements. And they could be pretty sure if they missed another 9/11 the public wouldn't say, "Well, Fox said they were using SSL and you people are *only* the NSA so it's all good. Shit happens. Don't worry about it." Please... They were under enormous pressure over the decades to solve equally enormous problems associated with targets using crypto, domestically or foreign. 9/11 just turbocharged it. And they tried several options.
- 1. They tried to get backdoors into systems. That was strongly opposed by the public. Public still expected results, though.
- 2. They tried banning export of strong crypto and keeping useful systems from being published while allowing US use of ciphers that would stop *most* attackers. DES cracking got cheaper and the cypherpunks beat them at moving crypto out of the states. Public still expected results.
- 3. They tried to allow stronger crypto, but with built-in escrow to provide them access. Cryptographers were also working on secure escrow back in the day. That was all shot down. Public still expected results.
- 4. They tried subverting crypto software by both big software companies and some crypto companies. Each subversion was for tech with widespread use by governments and companies. These delivered results. A few became public but those companies remain in business. I'm talking pre-Snowden, too, with post-Snowden mostly being same pattern of effectiveness and low liability.
- So, the NSA had a tough job mandated by the public and Congress. The job kept getting harder. EVERY proposal they made to deal with their problems through legal or technical means was shot down. The only solution was subversion, the one I've written here about for years. Matter of fact, NSA knew that the widespread use of low assurance software implementations and business processes meant subversion was easy for their organization. Consumers and businesses even rejected attempts at high-security to fix that in the past, including NSA's (!). So, it worked in the past, it kept working, those in Congress cleared for it apparently kept OKing it, Americans did implicitly by asking for what necessitated it, and they saw opportunity to expand on the same strategy.
- (Note: They also realized if they did it carefully they could embed subversions into otherwise effective security tech. So, public would get good ciphers, online banking, secure purchasing, safer email, network encryption, trusted boot, etc. It would stop most attackers. And NSA could still get in. In a dual-mission spy & stop spies organization, this would be seen as a Win-Win approach to subversion. And subversion was their only effective approach. And so 2+2 =...)
- The Result
- And so they tried to subvert... everything. They even pulled it off with "open" standards, too. If anything, they were only doing the exact job they were asked to do. I have enough sportsmanship to even admit they did a very impressive job. I figured over the years they had done plenty of this stuff. Yet, after the leaks, even I was a bit impressed at how pervasive and dominant they were online. They certainly had the budget for it but their management was terrible prior to Hayden per public information. They did a real 180: fixed big organizational issues first, then expanded capabilities, and then accomplished Mission Impossible.
- I didn't think they'd pull it off. I give them props and respect as a hacker. But... what if "they" come after "us"?
- The "Risk" To Individuals + Who Are The Stakeholders?
- Practically nonexistent in over 99% of cases. (Yes, that stat was as made up as most risks people put forth.) The majority of Americans are the kind of people secret state wasn't built to worry about. The secret state even benefited their companies and activities at times from prior research. The secret state, as occasional investigators find out, will use their capabilities in self-defence if government power is threatened by a minority player w/out public support. NSA personnel also know majority public pays their checks. That public is mostly OK with what groups NSA targeted so far. Many even demanded it at one point.
- No, the public isn't that worried about NSA. People comparing their backdoors to things like faulty brake pads are misguided: things like that actually kill members of the public. Matter of fact, THAT is something Joe Public might have experienced personally or heard via friends' horror stories. Hearing about deliberate weakening of brakes might lead to a class action and lots of individual action. NSA surveillance? Overall, NSA is one of the public majority's... lesser concerns.
- The Real Risk: A Fake Democracy
- Many claim it's been a fake democracy. Let's ignore that angle for this debate. ;) The biggest risk was (and is) that secret state and surveillance tools one party builds are used for evil reasons that have a huge negative impact on the safety of Americans, the economy, the voting process, etc. This might be by the current party *or a future party* that is quite opposite in politics. Like nukes, capabilities like this are better to never be invented and a country will never "unbuild" them after they're working. Further, they will get expanded continuously both technically and legally.
- The very second Americans asked for NSA/LEO's to develop near God-like omniscience in their intelligence capabilities, they brought all of this on themselves willingly. The long history of government power grabs, corruption and abuses of power should have clued them in. They weren't cautious enough. Congress knew a bit better with all the dirt people could find on them. Those morons asked for an exemption for themselves, as if unaccountable watchers keep their promises over time. Now, secret state and surveillance tools are a risk to our democracy itself because they can be used against us in many ways that would take huge, clever effort by Congress to limit. A Congress that is apparently on their side.
- Conclusion: NSA isn't guilty or going overboard. They're doing exactly what they've been required to do. They've done it too well. They succeeded to the point that NSA's legal, technical and HUMINT capabilities will make impractical for US citizens most INFOSEC defenses people are proposing right now. Congress and The Courts, who possess checks and balances, are partly responsible for this mess. The other part goes to the American people. If the three *really* want to, a combination of private and public action can change the status quo. Otherwise, NSA will just keep doing what they've been paid to do for decades. Change the mission to reflect the needs of a democracy. Only then will their activities change.
- Nick P
- Security engineer/researcher
- (Focused on high assurance, anti-subversion, and countering nation-states)