Schneier on Security
A blog covering security and security technology.
« DNS Dead Drop |
| Bypassing Airport Checkpoints »
December 18, 2008
James Bamford Interview on the NSA
Worth reading. One excerpt:
The problem is that NSA was never designed for what it's doing. It was designed after World War II to prevent another surprise attack from another nation-state, particularly the Soviet Union. And from 1945 or '46 until 1990 or '91, that's what its mission was. That's what every piece of equipment, that's what every person recruited to the agency, was supposed to do, practically — find out when and where and if the Russians were about to launch a nuclear attack. That's what it spent 50 years being built for. And then all of a sudden the Soviet Union is not around anymore, and NSA's got a new mission, and part of that is going after terrorists. And it's just not a good fit. They missed the first World Trade Center bombing, they missed the attack on the U.S.S. Cole, they missed the attack on the U.S. embassies in Africa, they missed 9/11. There's this string of failures because this agency was not really designed to do this. In the movies, they'd be catching terrorists all the time. But this isn't the movies, this is reality.
The big difference here is that when they were focused on the Soviet Union, the Soviets communicated over dedicated lines. The army communicated over army channels, the navy communicated over navy channels, the diplomats communicated over foreign-office channels. These were all particular channels, particular frequencies, you knew where they were; the main problem was breaking encrypted communications. [The NSA] had listening posts ringing the Soviet Union, they had Russian linguists that were being pumped out from all these schools around the U.S.
Then the Cold War ends and everything changes. Now instead of a huge country that communicated all the time, you have individuals who hop from Kuala Lampur to Nairobi or whatever, from continent to continent, from day to day. They don't communicate [electronically] all the time — they communicate by meetings. [The NSA was] tapping Bin Laden's phone for three years and never picked up on any of these terrorist incidents. And the [electronic] communications you do have are not on dedicated channels, they're mixed in with the world communication network. First you've got to find out how to extract that from it, then you've got to find people who can understand the language, and then you've got to figure out the word code. You can't use a Cray supercomputer to figure out if somebody's saying they're going to have a wedding next week whether it's really going to be a wedding or a bombing.
So that's the challenge facing the people there. So even though I'm critical about them for missing these things, I also try in the book to give an explanation as to why this is. It's certainly not because the people are incompetent. It's because the world has changed.
I think the problem is more serious than people realize. I talked to the people at Fort Gordon [in Georgia], which is the main listening post for the Middle East and North Africa. What was shocking to me was the people who were there were saying they didn't have anybody [at the time] who spoke Pashtun. We're at war in Afghanistan and the main language of the Taliban is Pashtun.
The answer here is to change our foreign policy so that we don't have to depend on agencies like NSA to try to protect the country. You try to protect the country by having reasonable policies so that we won't have to worry about terrorism so much. It's just getting harder and harder to find them.
Also worth reading is his new book.
Posted on December 18, 2008 at 6:42 AM
• 30 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
NSA has a new target. It is not "terrorists" in the traditional sense but something...unexpected for many.
The author mentions the huge increase in contractors. This is consistent across the government and has been pretty much a linear progression for at least 20 years. Having worked for many contractors, I can say one of the reasons for this is, with civil service employees, once you have them, you are stuck with them until they retire. Even if you close the whole shop you have to keep them employed someplace. With contractors you can come in and clean house with the stroke of a pen, fire tens of thousands of people on a whim, totally reverse the course of a facility overnight and no one can say anything about it. [well a large company like NG or GD can probably win a settlement, but the actual workers dont benefit]
Once I was at a DoD facility where a new contractor had won a bid on an operating contract. The interesting thing was that the new contractor had very close to zero employees. After they were awarded the contract, they came to the existing employees one afternoon (about 250 people) and said "you are out of a job tomorrow with no severance or benefits. If you sign this agreement right now, we will keep you on with health insurance and a 25% pay cut but you will be required to stay on the job at least 3 months". Naturally with a bombshell like that dropped on them practically everyone signed. They all left as soon as they could, but by then the new company had refilled the office with new employees.
HumInt always reigns. We used to be good at it, but we got enamoured of our toys.
"You try to protect the country by having reasonable policies so that we won't have to worry about terrorism so much. It's just getting harder and harder to find them."
Thank you Mr. Chamberlin.
“Having worked for many contractors, I can say one of the reasons for this is, with civil service employees, once you have them, you are stuck with them until they retire.˝
And isn't that a GOOD thing when you're dealing with state secrets? On the minus side, you might not extract as many working hours from the contractors, nor will wealthy campaign contributors be able to steal a significant percentage of the federal budget. On the plus side, you can actually hope to keep a few state secrets, well, secret.
Very interesting, especially next to your DNS Dead Drop post. No matter how vigilant, a clever and determined attacker will find an "out of band" communication channel (and probably the Russians had a few of them, too). So what's an agency to do?
It's a great book. I'm about 5 or 6 chapters in.
How is it that there are still no linguists? Do the managers involved think that if you just listen very loudly and slowly the meaning will get across?
While it's nice to argue that these problems could be solved by ditching hard-to-eliminate public servants in favour of easily-removable contractors, there are some other pretty significant factors that need to be considered here.
The most obvious of these factors is the fact that most of these people have really non-trivial security clearances. Screening prospective contractors/employees to decide whether or not to grant such a clearance isn't cheap, so having a cadre of lifers can really cut down on this cost.
On top of that, people have these funny innate ideas about loyalty and reciprocity. Hiring someone on as a lifer demonstrates a certain degree of loyalty to them. The expectation is that this would cause them to be more loyal in return. Needless to say, said reciprocal loyalty is really important in this particular field of endeavour.
To make a household analogy: people share their credit cards with spouses, not prostitutes.
I would recommend buying a dvd called "The Listening" (2006, starring Michael Parks).
"You try to protect the country by having reasonable policies so that we won't have to worry about terrorism so much. It's just getting harder and harder to find them."
Let me get this straight. So now the Taliban gets to dictate our foreign policy?
Simonl, it seems that they currently are. Having reasonable policies would be going back to before we started letting them dictate to us.
@HuHo and others
"with civil service employees, once you have them, you are stuck with them until they retire"
Not true. Most security service employees, including those at NSA, are excepted civil service employees. They are subject to much different rules that the competitive civil service. A google serach for "excepted civil service" will lead you to more information.
"What was shocking to me was the people who were there were saying they didn't have anybody [at the time] who spoke Pashtun. We're at war in Afghanistan and the main language of the Taliban is Pashtun."
Not that shocking. When I studied at the School of Oriental and African Studies at the University of London it was no secret that the British created it as an institution to study local languages in countries where they sent soldiers/colonialists.
It started during WWI and they called it "administration of overseas posts of the empire" back then.
The concept is not new and the NSA is familiar. In fact the Anglo-American history of the Horn of Africa, and the story of Diego Garcia is closely related. I could go on, but I'd probably bore you with my thesis...
Should probably also mention that the better place to look for a command of foreign languages is the Defense Language Institute in Monterey, CA
They list Pashto...
As a recent (past 5 years) attendee of the Defense Language Institute Foreign Language Center (DLIFLC) I can tell you that the methodologies employed there are problematic and a legacy of the same type of thinking that was apparently employed by the NSA. In other words, the thrust of the language training I received (Arabic, just about a one year program) wasn't to produce a fully functional linguist, but rather one who was capable primarily of only monitoring electronic communications (classic SIGINT) and transcribing relevant data for further analysis. This was for the benefit of the radio intercept guys (MOS 98G), while I was a 'Human Intelligence Collector' (MOS 97E, aka 'Interrogator'). The HUMINT guys composed perhaps 5-10% of the total number of students at DLIFLC and so received short shrift when it came to receiving the kind of training that would actually make them effective when communicating with local nationals. I don't know that this has changed in the last few years, though reports from buddies who are still on active duty suggest that the Army has been slow to respond to the changing requirements for linguists.
Example: out of the ~60 weeks of Arabic language study, only about 5 *hours* was actually spent studying Iraqi dialect (this was in 2003, so we were well into Iraq by then), while the rest was in Modern Standard Arabic. The end result was that even though we were theoretically capable of carrying on a conversation in Arabic, we almost always had to employ a local national as a translator, even in the presence of Army 'linguists'.
Additionally, there was very little cultural training of a useful sort, and what there was tended to reflect the leanings of our teaching team leader (a retired Egyptian Army officer), rather than those of the people we'd be speaking to or the nation to which we'd be deployed.
Considering the work yet to be done to rebuild goodwill among the international community I would hope this has changed, but knowing the tremendous inertia that exists within the US military apparatus I would guess that it hasn't.
I didn't think that the NSA had a mandate to operate outside the USA. Isn't that the CIA's job?
Their mandate has always included CommInt, which skips lightly over airwaves, ignoring borders, and they've been tourists in Australia, China [& closer Mongolia], and the sceptered, green and verdant isle.
As I recall, there was the UKUSA agreement between the USA, Great Britain, Canada, New Zealand and Australia (http://en.wikipedia.org/wiki/UKUSA_Community) which, among other things, permitted an allied country to intercept US internal civilian communications and forward them to the NSA, thereby bypassing the FISA laws and the NSA charter against domestic intelligence gathering; since the intelligence was, technically, collected by a foreign government. This has been going on since the Church Commission hearings and, I assume right up until 9/11.
I think Bamford, in the interview, glosses over this little detail.
The problem is these guys don't even need to talk in code. Most villages have dialects which are not understood outside that small area.
My wife is from Iran and she speaks the local dialect in addition to Farsi. Her relatives who are not from that village can't understand this dialect.
But even if you could get these guys to talk on the phone, which phone? It isn't like every house has a phone and only one person or family has access to that phone.
"The big difference here is that when they were focused on the Soviet Union, the Soviets communicated over dedicated lines."
1. And now we have a world where the US is the global power focused on multiple threats and communications are hyper-ubiquitous. Having 100 people listening to identified Soviet Naval comms gives you good coverage thanks to identified channels, comfort with the culture, and what is frankly an easier language to understand (Russian). Having 1000 people (a gross exaggeration) listening to Taliban comms, on many channnels (though SIGINT doesn't really help us with messages couriered, delivered in meetings, or delivered over AM/FM broadcasts, eh) is likely not prooduce the same granularity of understanding, and that is before we address our difficulty understanding their culture and language. Why is the Middle East such a mystery to us?
2. In the post 9-11 world we have a hugely grown IC. Bigger agencies has produced more competition - too often analysts are trying to "scoop" one another, getting ninformation which will appeal to the policy-maker, miulitary decision-maker, or customer. Yes, collaboration has gotten better of late, but the sad truth is that we are ore competitive than collaborative.
What to do? I could go into a long discourse on this, but the simplest way to put it is we need true cross-agency analytic collaboration. In the end we don't actually have "Chimneys of excellence". This really isn't rocket science.
And now my comment on contractors - this is an outgrowth of the huge post 9-11 expansion of the IC. Theoretically, as budgets contract, contractors should be the first to go. I would gladly say goodbye to a goodly portion of our weaker contractors - though hopefully we can keep the most competent ones. But like crack cocaine - once you start using contractors they are very hard to give up ...
A wikipedia listing for a defense language school doesn't imply that there linguists at the specific place of work that was mentioned.
Learn some logic.
Of course there are linguists at DLI. Where do you think the NSA sends people to learn languages?
Most pashtuns that I meet when I am OCONUS (and I meet a lot of them) seem to be very enthusiastic about my being American.. I am frequently greeted with a huge smile, a raised right fist, and a hearty yell of "Amreeeka Zindabad!!!" (Long live America). Something tells me that more than a few of the pathan homies that I have met in my travels would help with teaching our linguists pashto.. for the right amount of money.
I am actually quite surprised at the constant stream of reports citing a lack of language expertise in the US intelligence community. I also find it odd that we are not tapping the wealth of patriotic and enthusiastic immigrants that we have and employing them to train or translate. People talk about possible bias, but what do you think our current crop of orientalist scholars have?
I think that our intelligence community should start recruiting people from Devon Ave in Chicago and start reap some real benefit from our nations diversity.
Pashtun and Dari are not that difficult to understand, BBC even has a news site in pashto, there is also volumes (and I mean VOLUMES) of both Dari and Pashto literature. Both languages are indoeuropian, both are spoken by populations with more than adequate representation in the US, and both are generally intelligible from village to village. Its not like you have to translate Khowari, Yaghnobi, or Buruzkashi speakers on a radio talking about operations. Pashto is Pashto, local slang should be easy enough to figure out if the analyst has sufficient exposure to published poetry and literature.
Arabic is a whole different story, here in the gulf I have seen first hand Arabs from Egypt try to talk to a Saudi or Badu w/o success. Two Pathans will always be able to communicate intelligibly.
While the NSA is not built on human intel, we do have other agencies that are. I don't think we can say all of those terrorist attacks mentioned in this interview are the NSA's fault, when it was a collective failure of all of the agencies.
Too much redundancy with no collaboration is the reason for the failures.
One cannot learn the cultural nuances, politics, and religious inferences without considerable time in the country of interest. After a good understanding of same, THEN one can begin to incorporate the language subtleties and understand the duality in the message of much spoken arabic. These are often localized to sect, district, and even tribal boundaries. Hyakalla.
@ j dougherty: good point. Learning to translate texts is very different from learning to translate conversations.
Like all endeavors in life, generations learn lessons the hard way, pass, and then those that follow have to repeat even the most basic mistakes again. Take "compartmentalization", as an example: in 1970, no TSC-cleared low-level grunt could have gotten his hands on the 'keys to the kingdom' and then handed them off for worldwide publication, as continues to happen with Wikileaks. Did the entire 'community' lose it's mind with 9/11? What were you thinking!
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.