Schneier on Security
A blog covering security and security technology.
February 5, 2010
World's Largest Data Collector Teams Up With Word's Largest Data Collector
Does anyone think this is a good idea?
Under an agreement that is still being finalized, the National Security Agency would help Google analyze a major corporate espionage attack that the firm said originated in China and targeted its computer networks, according to cybersecurity experts familiar with the matter. The objective is to better defend Google -- and its users -- from future attack.
EPIC has filed a Freedom of Information Act Request, asking for records pertaining to the partnership. That would certainly help, because otherwise we have no idea what's actually going on.
I've already written about why the NSA should not be in charge of our nation's cyber security.
Posted on February 5, 2010 at 6:02 AM
Oh dear NSA & Google...
The real trouble is which bit of the NSA.
Some parts of the NSA are quite useful and proactive and should be commended as such; other parts, however, make the worst conspiracy theories look like light-hearted school pranks.
Methinks they should be split up into smaller bits, with each part clearly sectioned and mandated, with no "cross working" without clear and open oversight.
However, that's not going to happen any time soon, so the good starts to be degraded by the rotten apples in the barrel.
I am very glad to see this brought up here, and I hate to say it, but people I know through my education have been predicting this move (and seeing others) for quite some time. I'd like to point to a particularly well done post on BoingBoing, which had an article on this subject. (see http://www.boingboing.net/2010/02/04/... )
Many people I know in the industry, including those directly involved at the agency, have stated that at this time, the primary focus of the agency is purely offensive, and there is almost no desire to see strengthening of the defensive systems available to the public, especially at the top levels.
P.S. Sorry to go off-topic, but someone should get this out, considering the recent fear-mongering. I was in an eyes-only discussion a while back, where a hypothetical cyber-attack was presented, one that shocked me. Suppose someone took advantage of the online money transfer facilities offered by banks, a large botnet of compromised machines, and a listing of compromised accounts. The attack would consist of having the bots randomly transfer money among the known accounts, purely for the purpose of creating havoc. Consensus of the meeting was that the failure point of the attack would be that at which the network congestion within the banking system brought it down, and after that point, it would be nearly impossible to sort out the confusion caused by this attack; to quote one very wise person there, "I do not know how, or even if, you could push the 'reset' button after that." -- just thought it relevant with the recent news, and it may become more so.
It's a GREAT idea. What better synergy is there than the NSA, which wants to know everything about everyone, and Google, which knows everything about everyone. Re-brand it National Search Agency, powered by Google.
Seriously though, we have FAR more to worry about from the Chinese stealing everything and a bag of chips about our personal information than the NSA trying to play big brother. It's funny how Bruce Schneier can say that connecting the intelligence dots is a massively hard problem, but then assume that any government agency would have more effectiveness suppressing local "dissent" for some reason.
Step one: Spy on Americans
Step Two: ????
Step Three: Safety
In a world with underwear bombers and Chinese hackers running rampant anyone who thinks that someone in a black helicopter cares about their letter to PETA is just deluded.
Besides, if the NSA and Google really were working together to be sneaky, they WOULDN'T ISSUE A PRESS RELEASE, they'd just do it.
@Mike B: they didn't issue a press release. The fact that they're teaming up was leaked. From the Washington Post article:
"Google and the NSA declined to comment on the partnership. But sources with knowledge of the arrangement, speaking on the condition of anonymity...."
Also, are you implying that the NSA's spying on Americans is making them safer? I'd like to point you to a few past essays from Bruce:
"Security and privacy are not opposite ends of a seesaw; you don't have to accept less of one to get more of the other." - Security vs. Privacy http://www.schneier.com/blog/archives/2008/01/...
"Privacy protects us from abuses by those in power, even if we're doing nothing wrong at the time of surveillance." - The Value of Privacy http://www.schneier.com/blog/archives/2006/05/...
"with no "cross working" without clear and open oversight."
GREAT IDEA! This is just the type of collaboration and "information sharing" that makes national intelligence FAIL!
If anyone thinks the NSA has anything but unfettered access to Google servers, you're wrong. I would bet the NSA has access (knowingly to the data owner or otherwise) to Google/Facebook/MySpace/Twitter and anything else. Oh, and let's not forget their hand in developing BitLocker with Microsoft. Do you really think they can't unlocker the bit?
This is the perfect storm on privacy on the web.
We must all question our use of Google.
The CIA has had their pattyfingers all over Google from the beginning. NASA doesn't grant private access to Air Force base airstrips to just anyone, but apparently Google high level execs can use a strip at Vandenberg AFB for their corporate jets. Nor was it lost on me that Secretary of State Hillary Clinton was briefed by Google employees about the situation in China, which was merely a game of "spy vs spy" that the CIA apparently lost.
This only makes the progress toward an American fascist, totalitarian military/industrial complex police state all the more official.
re: National Search Agency. I seem to remember something along those lines with the CIA and the Library of Congress combining in "Snow Crash"
Is there a typo in the post's title? How could both of them be the world's largest data collector?
Yes, but I think the typo is perhaps that "WORD" should be "WORLD"
"GREAT IDEA! This is just the type of collaboration and "information sharing" that makes national intelligence FAIL!"
I'm not sure I understand your point within the context of what I was talking about.
Perhaps you might want to provide a little further info?
If you are relying on the government not caring enough about you to keep them from spying on you, then I think East Germany would like to have a word with you...
@vexorian at February 5, 2010 9:33 AM
Well, I think hard data is missing on both of them, but both are often said to be the largest data collectors, depending on who you ask and the context of the conversation.
Perhaps Bruce is also slyly implying that they have been one and the same for some time now, though I don't want to read that far into it without him explicitly saying that.
I'm sure the NSA and Google working together has absolutely nothing to do with Google un-censoring the results it gives to Chinese searchers. Nothing at all.
@vexorian: Consider "irony."
The New York Times says Google "asked" the NSA for help.
The more I think about it the more I am behind Google asking the NSA for help.
We can't know who is behind the Google attack but we can be sure Google was compromised and I would guess it is likely that is still, or will soon again be compromised.
The NSA seems to be the only other collection of people with expertise who are likely to significantly alter Google's chances at plugging the leak for good. I wholly agree they shouldn't be, but that doesn't change the fact that they are. Furthermore, the NSA answers, albeit in whispers, to the American public.
Hypothetically, if Google were to discover the entire company had been unknowingly compromised for years by multiple groups then asking the NSA for help is the only hope they have of closing the hole and we get an easy choice: risk the NSA getting information multiple attackers already have had access to for years.
I don't think this hypothetical is very close to the truth but it illustrates the questions I think you have to ask before you can decide whether Google should be asking the NSA for help.
"We can't know who is behind the Google attack"
So theoretically, what is going on could be something along the lines of:
1) NSA hacks Google.
2) ??? (sorry, I had to ;))
3) Google asks NSA for help
4) NSA digs even deeper than before into Google.
I don't actually think this is what is going on, but it's probably worth considering when weighing different possibilities.
@jgreco: If that were the case, then do you really think that NSA would need Google's help since they've already effectively got a strong foothold given the previous attack?
I'm still amazed at how we dismiss the "terrorist" threats that are released as movie plot (see: 9/11) due to the complexity and necessary checks and balances that get passed.. But yet we are so easy to accuse the government of terroristic intentions of their own movie plot threats (see "Eagle Eye", "I, Robot") as viable.
As pointed out before, we understand and accept (to a degree) the inability to put together breadcrumbs of facts to identify threats, but think that it's easy for the government to take huge amounts of data and process it to use against us.
And I know the argument -- once the data is collected it lives for ever and can be abused at any time. Trying to piece together a threat has a hard and fast time frame which is significantly shorter.
My counter to that is: Government officials who can make changes are replaced every few years. And if you think that they will use data against you, then I have news for you: If they couldn't use data, they'd use something else.
No I don't think the government holding data is "right", but at the same time, I guess I'm just not that scared of it.
As an AppSec guy for my company I would never advocate them going to the NSA *or* any other government agency with infosec concerns (though for enforcement that is a different story - however the FBI is the ones to engage for that). Ignoring all other concerns, what the hell does a government organization know about securing commercial assets? For a commercial entity security is the minimization of lost revenue/profits and that can often mean simply accepting risk rather than addressing it. Government entities don't operate under the same model because their primary goal is not the generation of revenue. IF I felt outside consulting was necessary I would engage commercial security consultants because they understand what security for a commercial organization actually means.
Related to that, given the scorecard for network and application security for the government that routinely is much worse than many private sector institutions, why on earth would one assume the government, even the NSA for that matter, knows what they are doing from a defensive standpoint (I certainly suspect the NSA has their shit together from an offensive standpoint, but that actually puts them at odds with helping with defensive measures).
Honestly, in terms of information security, the role of the government is best served forcing huge architectural changes that no private sector organization would choose to do individually: for example, altering the system in which one gains access to an individual's credit so that it isn't so damn easy to steal, or changing payment systems so that they are architecturally secure, or pushing for a stateful protocol for web traffic so all of the fragile hacks to tack state onto HTTP can be euthanized. These are massive projects that really need to happen, and the private sector is not going to make those changes by themselves. That's really where the government should be helping to improve security, not by teaming up with individual companies to help them out.
While our society remains partly free, the answer to Google's excessive accumulation of data about people is its competitor: Startpage.
(No, I'm not an employee of Startpage, I don't own Startpage stock, etc).
I read the linked article, and having the NSA help with some expertise is ok. Clive is right, which part of NSA? A lot is outsourced and conflicts of interest rule badly. The defense business is like "shooting fish in a tub."
The fact is, the NSA and others are needed to deal with the emerging cyberwar. Given that consumer groups are the new ecosystem, and google is worth a lot to the economic interests of the USA, sure, NSA could benefit in the short term, but government partnerships could be very damaging to google and USA globalization efforts, in the long run.
Among the other bads... I worry about Google's rationalization. They wanted the NSA, not DHS, BECAUSE they didn't want to be roped into any disclosures that a critical infrastructure designation may create.
With NSA (and CIA or other external to US focused orgs) they can cut deals like Bechtel did with CIA during the 70s.
This seems to me to be the French model for intel/industry "partnership"
If you are relying on the government not caring enough about you ... East Germany would like to have a word with you.
Or the UK.
A law vital to protect us from terrorism that gave the security services warrant-less access to all the data about you, your medical records, your emails and phone calls etc.
Ended up being used by local councils to check who put their trash out on the wrong day and who was writing anonymous letters complaining about planning decisions.
@peri: The NSA were brought in because their rivals in the CIA... messed up. Got busted doing naughty things in China. Got reverse hacked, badly. Whatever it was, we will never know the whole truth, but it must have been bad because it made Google have to announce that they are taking their ball and going home.
It remains to be seen whether this will be an improvement, but the way things are trending, I'd say no. I will grant whatever powers-that-be this much, though - they knew better than to let the Department of Hopeless Insecurity anywhere near it.
"I was in an eyes-only discussion a while back..."
[/end poster credibility]
Seems like this is appropriate for the NSA helping Google against the Chinese. I don't have a problem with them doing that. The point was made as to which part of the NSA, I think there are some smart folks over there who do a lot for our country.
In terms of our civil liberties here? Who needs my dental visits? The daily errands? A contractor prolonging a false positive? What's that contractor doing with the info? Does the NSA even know? Who collects the data? Who writes the reports?
What I worry about is government contractors, and contractor abuse. Defense, intel, whoever. What the contractors do with data is scary. Contractors on citizen observations, using data collected for federal agencies on us. How do they use/abuse it?
The problem is how can FBI, NSA or anyone police contractors with data? They can't, they don't have time or money to do it. Who can prevent contractor fraud? Nobody right now. Contractors are loyal to the bottom line. Sure they can get the best folks as they pay better, but at some point we need our government watching the watchers, watching the contractors.
It'll be ok. They aren't evil.
(The evil gets outsourced)
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.