Schneier on Security
A blog covering security and security technology.
« Friday Squid Blogging: Cocaine Smuggled in Giant Squid |
| Little People Hiding in Luggage »
February 4, 2008
NSA Monitoring U.S. Government Internet Traffic
I have mixed feeling about this, but in general think it is a good idea:
President Bush signed a directive this month that expands the intelligence community's role in monitoring Internet traffic to protect against a rising number of attacks on federal agencies' computer systems.
The directive, whose content is classified, authorizes the intelligence agencies, in particular the National Security Agency, to monitor the computer networks of all federal agencies -- including ones they have not previously monitored.
The classified joint directive, signed Jan. 8 and called the National Security Presidential Directive 54/Homeland Security Presidential Directive 23, has not been previously disclosed. Plans to expand the NSA's role in cyber-security were reported in the Baltimore Sun in September.
According to congressional aides and former White House officials with knowledge of the program, the directive outlines measures collectively referred to as the "cyber initiative," aimed at securing the government's computer systems against attacks by foreign adversaries and other intruders. It will cost billions of dollars, which the White House is expected to request in its fiscal 2009 budget.
Under the initiative, the NSA, CIA and the FBI's Cyber Division will investigate intrusions by monitoring Internet activity and, in some cases, capturing data for analysis, sources said.
The Pentagon can plan attacks on adversaries' networks if, for example, the NSA determines that a particular server in a foreign country needs to be taken down to disrupt an attack on an information system critical to the U.S. government. That could include responding to an attack against a private-sector network, such as the telecom industry's, sources said.
Also, as part of its attempt to defend government computer systems, the Department of Homeland Security will collect and monitor data on intrusions, deploy technologies for preventing attacks and encrypt data. It will also oversee the effort to reduce Internet portals across government to 50 from 2,000, to make it easier to detect attacks.
My concern is that the NSA is doing the monitoring. I simply don't like them monitoring domestic traffic, even domestic government traffic.
EDITED TO ADD: Commentary.
Posted on February 4, 2008 at 6:30 AM
• 46 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Well, if they really really want to spend money to watch me browsing the National Park Services excellent websites, ... have fun guys. Maybe you learn something about biodiversity, endangered species or my prefered touristic destinations.
Securing government networks was part of the NSAs mission, and has been, as long as there has been an NSA. Monitoring those networks for attacks a requirement towards keeping them secure. The only surprise here is that the NSA hasn't been doing this all along.
I am a bit more concerned on the idea that the DoD could launch "attacks" against servers without us being in a declared state of war | conflict. What if the FBI decides that some online poker room in the Caribbean presents a "clear and present danger" to our national security - does that mean we start launching pre-emptive strikes?
kinda surprising to me that NSA is in charge of doing this...
"My concern is that the NSA is doing the monitoring. I simply don't like them monitoring domestic traffic, even domestic government traffic."
Ok, lets see the alternatives, we can use
Home Land Security
Congressional Budget office
Verisign, Network Associates or other thieving "network protectors"
Come on .. this is the most insane thing you have said so far .. and you have said plenty, and that too early in the week, can't wait for a fat squid to end the madness.
"the DoD could launch "attacks" against servers without us being in a declared state of war | conflict. "
Fortunately, DoD has the authority to defend the U.S. and can respond to a foreign attack without waiting for Congress to hold hearings and a vote. Our Constitution gives that responsibility to the President.
Unfortunately, our government schools have done a really poor job of teaching Americans about our Constitution.
"- does that mean we start launching pre-emptive strikes?" ---I'd rather Packets then Warheads.
"The only surprise here is that the NSA hasn't been doing this all along." ---What makes anyone think that they haven't. BUT when done secretly they are very limited in what they can act on. Making it public just lets them act on what they are finding. If they are listening in on the Telco's trunk lines in hopes of picking up what they openly now call "chatter" why does anyone think that they aren't doing this to data?
This is specifically within the NSA mandate, and really is the institution responsible.
What people forget is that the NSA is a two-role institution: intercept the communications of everyone else, and SECURE the communications of the US government.
Which other institution in the government has the mandate of securing US government communications?
Presumably, the ability for them to do this hinges on being able to reduce the number of Internet connections to government sites to a manageable number. There is an aggressive schedule to push this, but no apparent funding, and the costs would be astronomical and the logistics intractable. Note that the article glosses over this with the statement "It will also oversee the effort to reduce Internet portals across government to 50 from 2,000, to make it easier to detect attacks," but no apparent cognizance of the difficulty to accomplish this. Imagine all those park service sites, weather forecast office sites, agriculture extension sites, FBI field office sites, etc. all having to somehow magically connect to the Internet at only 50 places, and imagine the absurd routing policies that will have to exist to support that. There are many good reasons why there are so many connections--the government operates a lot of service organizations, after all.
If the government wishes to seriously reduce the attack surface of their systems, they should stop standardizing on Microsoft. But since the idiots who write these policies can't figure out how to use any program other than Microsoft Office, real security is dead in the water where it starts: on the desks of the DHS and OMB fools who have the power to effect change.
"Quis custodiet ipsos custodes?"
- Juvenal, Satire VI.
Nicholas Weaver> Which other institution in the government has the mandate of securing US government communications?
Off the top of my head--NIST (FIPS) and US-CERT. Beyond those, there are many CSIRT and IT security offices throughout the Federal government. As with most things, at a certain scale, it becomes cheaper and more effective to use many smaller devices than one great honking device, if you can even build such a thing.
I think you're confusing "securing" U.S. Federal government communications with "monitoring" them. Ironically, if Federal government communications employ the security NSA has provided in the past (i.e. crypto), NSA shouldn't be able to monitor them, at least not in real time.
This new activity is only very remotely within NSA's brief. NSA "safeguards US networks" only in the sense of ensuring cryptographic security of government communications. NSA has _never_ had a brief to ensure the security of government-wide computer networks -- if it did, there would of course be no need for the NSPD.
To be sure, they would like to encourage the confusion of the two activities --- comms security and computer network security --- because this is the royal path to expansion of their brief, to say nothing of their budget. Judging from some of the comments here already, it appears that the disinformation is working.
Folks, the classic name for what this new activity that is being assigned to the NSA is "Counterintelligence". When counterintelligence deals with efforts to compromise US assets on US territory, that is traditionally the purview of the FBI, and nobody else's. There exist statutory limitations and controls and oversight mechanisms that are designed around the FBI, and nobody else. Admittedly, the commissars who run our government have done their level best to sabotage those controls, but at least they exist, and could be revived when and if sanity is restored.
There are no controls over the NSA's computer monitoring. There is nothing to prevent them from doing anything they like with information harvested from activity on government networks. Please don't be distracted by scary references to Chinese Government Hackers --- the Yellow Peril is a standard securocratic misdirection ploy. The NSA has been intent on breaking loose of the legal fetters that kept it out of US comms traffic, and has had some considerable success already in that enterprise. This is just the next move.
If it wasn't coming via an executive order from a man who has a reputation for ignoring federal law and the Constitution, as well as appointing an Attorney General who found the need for FISA warrants 'inconvenient,' and does not believe the Constitution contains an implicit grant of habeas corpus ... I might be a little less skeptical of the motives here.
Only last week, we heard how the FBI thinks they've found the people responsible for the Storm worm, but can't get past Russia's bureacracy. So how will this be different if China is hacking our government websites?
Great... so the NSA will officially snoop on me every time I access some .gov web server now? Wonderful.
The (overly simplified for the sake of brevity) right way to do this is have each government agency monitor its own network, but have a single agency in charge of auditing all the other agencies.
Simple check and balance system
I'm not sure I can conclude anything from this article. It's pretty standard boilerplate:
"President Bush signed directive XYZ today, but, for your safety, the actual wording of the document is classified"
"However, some random on the street said the directive calls for the NSA to monitor all federal agencies' computer networks"
As usual, it could turn into anything...an internal witchhunt? A sprawling database of government sites visited?
The small amount of non-cynic in me says that the gov't probably faces some of the most sophisticated network threats out there, and since private companies that face similar threats don't share the data on them, I'd say the government has an information advantage and is in a unique position to develop countermeasures that non-governmental private firms cannot. Likely? Nope.
Problem is, this administration has already shown their disregard for procedure - that's the whole 'secondary e-mail system' issue that led to the 'deleted e-mails'.
Even if someone used a laptop to access the 'secondary' system, there'd be a risk - they're likely to be using a router in the building (wi-fi, ethernet, whatever). I *doubt* they'd be paying their telecom buddies for a separate account. (Not to mention that a laptop used for such purposes would have to remain separate from government systems and/or be routinely audited.)
It seems to me that there is a big difference between this and NSA's "monitoring" traffic and "preventing disclosure" legacy missions. The NSA can now "do something about it" if someone is messing with computers the government likes. That seems like FBI (domestic) and CIA (international) turf.
Sure, hackers target the US government. So do protesters of all sorts. Of course, we should have protections and defensive security such as the NSA's encryption systems. The offense side in the past has always been sending letters and asking the appropriate government to conduct law enforcement. This adds a sort of "wild west justice" to the mixture. Like Bruce, I find that a little insensitive. Given past abuses, putting more folks in the "disrupt them over there so we're not inconvenienced at home" business needs the highest level of scrutiny.
Pat, a genuine "checks and balances" system would route through Congressional oversight, not through the intelligence bureaucracy.
The point is, this program will, inevitably, collect intelligence on U.S. citizens in the U.S.. As a matter of principle, there ought to be some outside clamps on it, because otherwise it is certain to expand in scope to the maximum practicable extent.
Not that Congressional intelligence oversight works that well, but there is nothing else, unless we're really willing to let the intelligence collectors police themselves. In which case, we would have no grounds for complaint when the inevitable abuses arise.
I'm very skeptical about this.
This just sounds like a more cleverly disguised attempt to initiate that whole "blanket authority" to monitor all US internet traffic thing.
Today, government operated intranets.
Tomorrow... the world.
Nope, the difference is that the NSA can send a memo to the FBI about Alice and Bob without having to admit any pre-existing interest in Alice or in Bob. Previously they'd have to justify their attention to A & B's activities in terms of their mandate- this makes paying attention part of their mandate and so information about the presence or absence of a fisa warrant, for instance, becomes omissable.
I honestly don't know whether to be more worried that the government will do a good job or that it won't.
But to those who are up in arms that all this power is falling to the NSA, reread the article more carefully this time. The WPost reports that the NSA is only one of the agencies involved in the monitoring. CIA and FBI's Cyber Division are also specifically named. DHS will work to protect the systems (ghu help us all) and the Pentagon will create strategies for counter attacks. This hardly sounds like all the power concentrated in one set of hands.
Running the defense like a criminal case rather than a counter intelligence one would address some of the concerns.
And it would really help if the State Department stopped buying its computers en masse from the Chinese. Walking into a random big box store for an "IBM" computer is one thing. Buying hundreds or thousands at once via the GSA schedule is another thing entirely.
DHS has already been monitoring traffic in/out of government agencies under the Einstein Program. Their stated goal is to collect and correlate data about attacks across government agencies, as well as to look for suspect "backdoor" traffic. Some background info: http://www.fcw.com/print/13_16/news/102730-1.html
I was formerly under contract at a government agency running IDS and was asked to assist DHS with the installation of their device at the agency's Internet border. Funny thing is: the night we installed the device, there we were, four contractors, and not a government employee in sight.
So, who is minding NSA then?
So, if InnocentCitizen navigates from page to page at a government agency website, trying to find or make sense of information, could he be suspected of casing the joint?
A visitor can use anonymizing tools when visiting a government site, but it may be prudent to think that approach through in advance if any personal data is to be submitted, or if the visitor might be doing much term searching at the site and might later use the site unanonymized (there could, in the perception of analysts, appear to be an identifying interest pattern coupled to an earlier effort not to reveal one's identifying data).
How will NSA treat encrypted (https://) connections to certain government agency web pages? Will traffic to those sites and that traffic's contents after decryption draw particular surveillance/personal data collection interest? I don't know.
This may be a stupid question as I'm not dreadfully familiar with the US terminology; does this mandate include the other branches of Government, such as the senate and the courts?
"Fortunately, DoD has the authority to defend the U.S. and can respond to a foreign attack without waiting for Congress to hold hearings and a vote. Our Constitution gives that responsibility to the President."
Article I of the U.S. Constitution states that Congress, not the President, has the authority "To provide for calling forth the Militia to execute the Laws of the Union, suppress Insurrections and repel Invasions". I can't find anything in Article II or anywhere else in the Constitution granting the President the power or "responsibility" that you claim. Keep in mind also that an "attack" on a computer network could as easily be a criminal as a military action. Criminal activities generally fall under the Department of Justice. Of course, the U.S. Constitution says nothing about either the DoD or DoJ. Perhaps you could point me to the clause in the Constitution that gives the President such "responsibility"? Or did someone do a poor job of teaching you about the Consitution? (Hint: Emergency Presidential powers are generally granted by Congress through standing law, not by the Constitution.)
And on a different point, there's a difference between securing computer networks and monitoring them. The details of this directive are classified. Given this administration's passion for spying on its own citizens and given that the NSA already had responsibility for keeping internal government communications secure this probably has a lot more to do with keeping track of people who apply for disability services or purchase guns than with keeping government computer networks secure. The NSA's mandate quite simply does NOT include monitoring communications between the government and its citizens, nor should it. The NSA is charged explicitly with monitoring FOREIGN communications. There was a reason for that, back in the days when people actually respected the Bill of Rights. Bruce is right to be troubled. Having the NSA or any other military (DoD) agency monitoring communications between the government and the citizens is just another step towards the end of democracy. If the FBI can't handle the necessary technological counterintelligence activities then we need a new, civilian (that is, outside of the DoD) organization, one that is, just like the FBI, constrained by the Bill of Rights, in particular, the Fourth Amendment.
"If the FBI can't handle the necessary technological counterintelligence activities then we need a new, civilian (that is, outside of the DoD) organization, one that is, just like the FBI, constrained by the Bill of Rights, in particular, the Fourth Amendment."
I couldn't agree more. The reason that there have been different agencies with different scopes of authority, has been to ensure that those who need to get permission to tap (FBI, law enforcement) vs those that don't (NSA, foreign traffic) do not intermingle and create a state where the intent to protect nation collides with the rights of our citizens.
The ongoing thought process that if we could just identify and collect enough data about enough people then we could know who the bad guys are is false, inoperable at scale, and so dangerously prone to corruption that it was designed out of process since the constitution and shouldn't be undone now.
Spying is a fact of international co-existence (IMO) but massive data gathering on citizens by its country should not be in a free and open society. If we are so fearful that terrorists are in country, or are being recruited internally, then we have already lost. The gathering of this data will only serve to worsen, not improve, that situation.
You wouldn't expect it to cover Congress (House and Senate) or the Courts, if it hadn't been issued and classified by President Bush. On the other hand, when the Washington Post article says "including [agencies] they have not previously monitored", there are a number of agencies that likely wouldn't have been monitored before. Congress and the Courts aren't "agencies". I was under the impression, probably mistakenly, that the NSA confined itself to securing diplomatic and military communications - the Department of State and the Department of Defense. There are 13 other departments and many independent agencies. See http://www.usa.gov/Agencies/Federal/...
Are they moving all the US offices to a private internet? Or consolidating all the government offices to one per state? Otherwise I fail to see how they can reach their goal of having only " Internet portals across government". I doubt that "real intruders" are going to limit themselves to centralized web servers, when attacking the open 802.11b router in the small town office of the US EPA would be much more effective. Monitoring web sites is more likely to catch teenage web vandals than a foreign secret service.
1) how does anyone know that the rulesets for datamining will be built to target Americans? that the analysts have nothin better to do with their time than plumb terabytes of dta for the activities of joe dokes in LA in mouths Constituional platitudes....but never actually mans the rail to fight for it? ooops...digressing into my own cliches...:-).....the rather simplistic notion in this thread is that there will be little logic applied to the search.
2) how does anyone know that records haven't already been mined? that these searches might not have already revealed useful info about terrorists? all the while leaving joe doaks alone in his blissful search for something new to whine about?
3) and everyone knows...one assumes...that the CNA mission was assigned to NSA several years ago.
BOOO! sorry...didn't mean to scare anyone!
@stratcom: "sorry...didn't mean to scare anyone!"
One is rarely scared by gibberish, unless it is coming from the mouth of one's surgeon or airline pilot.
Would you care to restate that in some kind of language, please?
hmmmm...I'm reminded of Bertrand Russell's gem "Of him does the saying bear witness that he is absent when present"
what don't you get about poking fun at people who see bogeymen at every corner?
I don't get any of it. For example, that you're poking fun at people who see bogeymen at every corner is news to me; it isn't evident from your previous post, because that post is incoherent, thus my suggestion that you restate, though you may wish to defer until the meth wears off.
look...I can't account for your intellectual limitations.
one pinhead out of 10,000 who can't grasp a concept is immaterial.
do some calculations philosopher king:
- how much information do you believe will have to be monitored?
- do you think that efficiency dictates following every thread or those that are expected to corrrelate to greater probabilities of traceback, detection, etc.? in short...a behavioral model of some sort
- do you think, just maybe, that the monitored information will be correlated with non-network sourced intelligence to further refine the search?
in short...all hysterics aside...do you think the whole process/behavoiral model empoyed will be structured in a way that will lead to excessive, invasive, liberty sapping probes into the behaviours of...I don't know...Americans like you?
NSA under statutory controls and oversight is the least of my concerns.
Perhaps what the non-NSA folks in government are willing to do....without oversight...is where the real spotlight ought to shine.
heck....we see every Internet day what our fellow citizens are willing to do.....
The problem isn't other people's lack of conceptual capabilities. It's your lack of writing skills. Learn to write.
Wasn't Bertrand Russell the guy who said infinitesimals were "unnecessary, erroneous, and self-contradictory". Boy, was he wrong!
no it is not. that I fat fingered a couple words is one thing. the ideas are there and meet the none too elevated standards of blogs. you don't care for the implied message or the tone. that's your problem.
that you elected to pursue an ad hominem approach from the very outset reflects on you. I responded in kind.
you're going to have to do better if you really want to provoke me.
otherwise.....perhaps you might endeavor to weigh in on the actual thrust of the thread....circumspect as you are about ideas and relevance.
@stratcom: "you don't care for the implied message or the tone. that's your problem."
I have very little opinion about your message, or at least so much of it as I can glean so far. If you think other posters are being paranoid, that's of no consequence to me--I don't have a dog in that hunt. If you think that the NSA's approach will be to use some form of behavioural model as you describe, that assumes sufficient computational capacity to perform intelligent correlation on perhaps 100Gb/s or many times more of raw traffic distributed over at least 50 separate Internet connections, and I strongly doubt that even NSA has that capability ready to go into production.
But what you truly think remains unclear on account of your vague, interrogative phrasing. My opinion--which I've expressed quite clearly--is that, if you have something to say, you should put words together in an order that says it. Then we can think about whatever it is, and perhaps even react and respond to its message or its tone. Won't that be a stroll in the park?
"The Pentagon can plan attacks on adversaries' networks if, for example, the NSA determines that a particular server in a foreign country needs to be taken down to disrupt an attack on an information system critical to the U.S. government."
The NSA makes the determination based on ... what?
Let's suppose a web site somewhere posts evidence that an agency of the US Govt is bribing officials in some other country, or selling weapons to undesirable regime A to fund anti-government terrorists in country B. The NSA can determine that particular website "needs to be taken down". Does it satisfy the stated criterion? Well, no. But who's checking? Nobody.
the nsa has been doing this to the USA's allies for ages (echelon????), our governments seem fine with it so why not your own?
as for pre-emptive attacks, nefarious motives and lies...well, that'll be business as usual for the current administration, no?
have a nice day :)
NSA should snoop all .gov traffic. Who honestly believes that the Chinese or any other adversary are going to attack from their own networks? Certainly anyone worth monitoring will find hops in the US from which to launch attacks. Its black-hat 101.
Andy> NSA should snoop all .gov traffic... Certainly anyone worth monitoring will find hops in the US from which to launch attacks.
FISMA-mandated NIST 800-53 controls already require intrusion detection be deployed to monitor Federal government systems. It's accepted that we use IDS on Federal networks. Why does this mean NSA has to do it?
I'll bet the federal judges are hopping mad about this. They hate to be reminded anyone might spy on them.
Niche hardware acceleration companies supporting Einstein are already installed and are capturing, analysing 100% of packets at 40gb/s line rates across the select agencies involved in the initial volunetary trial/pilot. 100gb/s should be available later this year.
Read what the SANS Institute has to say about this project (Einstein), "some of the best tech work currently being done by the US Govt", and so it needs to be.
We have to do all we can to safeguard our networks, they're are as important shipping lanes and highways - they (and what happens on them) MUST be policed/regulated and secured...the threat/risk of abuse of power by Govts has always been there - that's why we have the vote. Too little regulation and oversight can be a very destructive things as those at Lehman Bros discovered...and the wider US public, are about to discover.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.