The NSA's Role in Commercial Cybersecurity

Susan Landau has a new paper on the NSA's increasing role in commercial cybersecurity. She argues that the NSA is the wrong organization to do this, and we need a more public and open government agency involved in commercial cybersecurity.

EDITED TO ADD (11/13): David Elliott Bell has a related paper. Also read this review of both papers.

Posted on October 23, 2014 at 8:28 AM • 40 Comments

Comments

vas pup • October 23, 2014 8:50 AM

Should the NSA take the lead in providing security for medical devices as well?
http://www.bbc.com/news/technology-29737540
This article has good news: finally a proactive approach popped up, taking preventive measures on an existing problem before any tragedy happens. The bad news: the design of those devices by default does not incorporate security. Many moons ago I suggested on this blog creating a special UL-like test organisation to evaluate commercial electronic devices and assign them a privacy seal of approval. My guess is that for medical electronic devices such as those in the article, security/hacking protection should be incorporated into the process of approval by the FDA.

fajensen • October 23, 2014 10:15 AM

I don't know about you lot, but I do not feel entirely comfortable with the prospect of an NSA-installed backdoor in my pacemaker or insulin pump.

NSA et al. corrupt everything they touch.

Thoth • October 23, 2014 10:32 AM

For security of digital data, there can only be two approaches: a Government workgroup / organisation for digital defensive initiatives, as Bruce and others have mentioned... or the community forms its own standards and initiatives, for which private crypto research (as shown by the huge amount of decent quality articles in the IACR database) is good enough to form a community standards version for the commercial and private sector.

In fact, a whole lot of us have been doing pretty well on community algorithms (Blowfish crypto and offshoots that include BCRYPT, SCRYPT, IDEA cipher ...), which a lot of open source and community projects relied on until AES got popular and became a community accepted algorithm to a popular extent.

I do not see any difficulties if the community itself were to continue its activities with as little Government intervention as possible (otherwise the Government might corrupt the community's efforts).

Besides supplying NIST/NSA Suite B stuff (to do business with the Govt), it is and has always been a good practice to offer community stuff (do business with the community).

Arclight • October 23, 2014 11:26 AM

The NSA has a lot of concentrated technical expertise that's not found anywhere else. That said, I am much more comfortable with the NSA as a theory and standards organization than I am with the NSA as an operational outfit.

There is much less potential for mischief when they are not involved in the actual implementation of technology and security solutions. Given the efforts to undermine TLS and other standards, I think they should probably be placed in the outer "research" ring of the ecosystem at this point.

Arclight

AiD • October 23, 2014 11:43 AM

According to leaked NSA documents, “SIGINT Enabling Project actively engages the U.S. and foreign IT industries to covertly influence and/or overtly leverage their commercial products’ designs. These design changes make the systems in question exploitable.” “Base resources in this project are used to . . . insert vulnerabilities into commercial encryption systems [and] . . . influence policies, standards, and specifications for commercial public key technologies.”


Americans may be willing to drink that kool aid, but everyone else won't. And plenty of Americans won't.

Fox. In. Henhouse.


Anura • October 23, 2014 11:47 AM

I've brought this up in the past, but I think the NSA should be migrated to an organization that is purely dedicated to securing our infrastructure, whether public or private. SIGINT and anything else focused on intelligence gathering should be moved to the CIA and be well regulated with heavy oversight, and entirely focused on foreign intelligence against threats to national security, not economic espionage. Domestic intelligence should be done by a completely separate agency (which I'll call the DIA), and should be focused entirely on domestic threats to national security, and be bound by domestic privacy laws while sharing intel with the CIA - again, they should be well regulated with heavy oversight. The FBI should be purely a crime-fighting organization.

parrot • October 23, 2014 11:48 AM

Margaret Salter is (or was) a higher-up in the IAD. She's associated directly with the Extended Random TLS extension that broke Dual EC.

The NSA played a significant role in the origins of Extended Random. The authors of the 2008 paper on the protocol were Margaret Salter, technical director of the NSA's defensive Information Assurance Directorate, and an outside expert named Eric Rescorla.

http://www.reuters.com/article/2014/03/31/us-usa-security-nsa-rsa-idUSBREA2U0TY20140331

The IAD also decided that evaluation of DBMS, Operating Systems, and Enterprise security products (e.g. identity managers, SSO solutions, etc) aren't worth their time to evaluate at this point. You can see the position papers here:

https://www.niap-ccevs.org/Documents_and_Guidance/ccevs/DBMS%20Position%20Statement.pdf

https://www.niap-ccevs.org/Documents_and_Guidance/ccevs/ESM%20Position%20Statement.pdf

https://www.niap-ccevs.org/Documents_and_Guidance/ccevs/GPOS%20Position%20Statement.pdf

Also, take a look at their interest in entropy sources in products during evaluation:

https://www.niap-ccevs.org/Documents_and_Guidance/ccevs/Entropy%20Documentation%20and%20Assessment%20Clarification.pdf

There are also some requirements listed at the end of the Network Device Protection profile here:

https://www.niap-ccevs.org/pp/PP_ND_V1.1/

The requirements are vague. So vague, in fact, that I would not be surprised if vendors are simply offering all their documentation and test results of their entropy sources and just asking the IAD "Is this good?" No real statistical requirements, no way of looking at the design and self-assessing. Just hand over your design and you get a yes or no. If they find something interesting, I wonder if they'd tell the developer about it?

Finally, you can find discussion here and there about the new movement within the Common Criteria international community to reduce the cost of evaluation and make it more effective for both developers and end-users. NIAP jumped at the chance to take advantage of this complaint, but instead of removing the costly areas, they simply reduced the assurance down to almost pure cost. It's now just a little bit better than a check-box paper exercise. They've removed any analysis of security architecture and replaced it with "Use TLS 1.2, these cipher suites, and don't allow IP fragmentation".

I apologize for the rant. My interactions with and observations of the IAD ruined me on the NSA well before I knew what a Snowden was. There's a lot of implication here of motives and intention which I cannot prove. I suppose it's left to the reader to decide for themselves.

You wrote it, you're respnsible • October 23, 2014 1:47 PM

Manufacturers should be monetarily responsible for the faults of their products, and this includes software. If a device allows a non-authorized person to change settings, it's the manufacturer's fault. They produced it, they are responsible for it.

If somebody hacks a pacemaker and ups the heart rate until a patient dies, the manufacturer should face punishment. There is a significant difference between medical equipment and cutesie phone accessories.

Here's what really, truly bugs me: software engineering has been around for quite some time. Yes, it really is the process of writing software that doesn't have bugs. The fundamentals have been known for decades, but they are ignored in favor of flinging out software faster than a goose can s***! There are many proven design techniques, found in many very good books.

It's well past time to end the escape clauses which basically say that the software is garbage, caveat emptor.

vas pup • October 23, 2014 1:58 PM

@Anura: "The FBI should be purely a crime-fighting organization."
If I may, my version would be: "The FBI should be a politically neutral, serious federal crime-fighting and serious federal crime-preventing organization. FBI day-by-day activity is based on strictly following the US Constitution and the Bill of Rights in particular. The FBI is prohibited from black-listing any US citizen or legal resident based on their political views expressed within the scope of the First Amendment of the US Constitution [i.e. the FBI is not 'Thought Police']".

Jordan Brown • October 23, 2014 2:05 PM

> Manufacturers should be monetarily responsible for the faults of
> their products, and this includes software.

Yes.

> If a device allows a non-authorized person to change settings,
> it's the manufacturer's fault. They produced it, they are
> responsible for it.

Maybe. With a few minutes under your car, I could damage your brakes or install a tracker or a bomb. Should the auto vendors be responsible for my deliberate criminal acts? If you've ever locked yourself out of your car, the ease with which the locksmith gets in should tell you something about the true security... so should the auto vendor be responsible when somebody steals stuff out of your car?

Let's hold manufacturers responsible for providing some reasonable level of security, with the understanding that it will never be perfect, and hold criminals responsible for their own behavior... just as we do for physical products.

Grauhut • October 23, 2014 2:35 PM

Susan Landau is a little old school; this is the new normal in 2014:

The National Cybersecurity and Communications Integration Center Act of 2014 seems to mean new business for the NSA:

"Top cybersecurity leaders in government are now hashing out how various cybersecurity-related agencies will handle the mission to protect critical infrastructure from cyber attacks."

c4isrnet.com/article/20140625/C4ISRNET07/306250001/Agency-heads-hash-out-critical-infrastructure-protection-roles

Applause from financial institutions

www.sifma.org/newsroom/2014/sifma_statement_on_passage_of_national_cybersecurity_and_communications_integration_center_act_of_2014_by_senate_committee/

LessThanObvious • October 23, 2014 3:13 PM

@Anura Yes, please. That would be much preferable to the mess of perverted authorities we currently suffer.

AiD • October 23, 2014 3:20 PM

@Anura

The FBI has been doing domestic and not a little foreign intelligence as a primary portion of their agency since their founding.

The CIA really is focused on overseas operations. That is a huge mandate. That the NSA is doing what they are doing, onshore, actually is very troubling. Their laser sights are supposed to be aimed overseas, not here.

Like with the CIA.

DHS has some oversight of cyber security, as does the Secret Service. For counterintelligence investigations you are talking about the FBI, though.

Lotsa turf wars, and always have been. So you see all of these overlapping problems.

And stuff like counterintelligence, you don't just start a department from scratch and think it will be A-OK.

You should have departmentally decades of hard won experience.

Not sure if anything will change, though, because so much is overlapping and everyone is very hungry for more turf, not less. Outsiders have little control.


USSS - counterfeiting, comp sec, protection details (seriously can you get more random)
DHS - something with comp sec standards and actions, border patrol, immigration issues, health issues... not sure what else
CIA - foreign intelligence on foreign shore with analysts usually here, little work onshore is my very limited understanding
FBI - all other federal crimes, domestic counter-intelligence
NSA - sig ops, technical... no human intelligence, no effective analysts, few undercover agents, relies heavily on other agencies... seen as a sort of utility player, rather than a main player

And is mandated to be foreign intelligence.

Though hardly authoritative, could be quite wrong. Just an outside observer with an unfortunate memory.


Anonymous Guy • October 24, 2014 7:46 AM

The CIA has stood up a successful company that sponsors new start-ups. The company is called In-Q-Tel and obviously focuses on technologies that may have use in the intelligence community. They act like typical VC firms (perhaps even a bit less "vulture" than Silicon Valley's Sand Hill firms). Some examples of companies they have funded are:
--ArcSight
--Bay Microsystems
--Cloudera
--FireEye
--Huddle
--MongoDB
--Palantir
--Tenable
--Veracode

Not exactly a bad track record for a government funded agency.

keiner • October 24, 2014 7:55 AM

Snort has been bought by NSA-Cisco; the alternative, Suricata, is developed under the auspices of "US homeland security". All fu**ed-up...

Thoth • October 24, 2014 8:08 AM

@keiner
What are we left with if the TLAs are buying up all these technologies?

Would GitHub, 2-clause BSD stuff be plausible?

keiner • October 24, 2014 8:17 AM

...nearly nothing left to defend the ideals of the great free Western world against... eeehh...

paul • October 24, 2014 9:46 AM

Yet another example of what mass surveillance is costing us. The NSA definitely has expertise that could be useful for commercial cybersecurity, but until there have been salutary, visible, changes in its operation and management any company would have to be suicidally stupid to take anything an NSA technical representative said at face value. Even if the NSA were to offer useful advice or IP, the cost of going over that advice or IP with a fine-tooth comb to overcome the presumption of duplicity might well result in a net loss.

AiD • October 24, 2014 11:09 AM

@Anonymous Guy

Anonymous Guy • October 24, 2014 7:46 AM The CIA has stood up a successful company that sponsors new start-ups. The company is called In-Q-Tel and obviously focuses on technologies that may have use in the intelligence community. They act like typical VC firms (perhaps even a bit less "vulture" than Silicon Valley's Sand Hill firms). Some examples of companies they have funded are:


The CIA is not the NSA.

Like Hoover and Donovan are not the same people.

The CIA is not tasked with compromising signals intelligence specifically.


That a spy agency funded these companies, obviously means that end users will take precaution. These sorts of companies are security companies oriented towards US defense, and I do not think end users really distrust the CIA in that way.

I doubt China would be using FireEye.

And the CIA does not have a record for being interested in spying on Americans, not on American soil, anyway.


Aspie • October 24, 2014 11:39 AM

" ... the competition for choosing AES was quite open and ended up with a European designed algorithm. Fears that the NSA was seeking to exercise tight control over private sector cryptography began to ebb."

I rather like that. When the NSA selects an algorithm (Rijndael) the weeds grow tall, the banks of the river are far away and the ducks are shitting grenades. When your enemy chooses a stick of celery to fight with, do you tell him it's an unwise choice or do you smile politely as you pocket a switchblade?

Anura • October 24, 2014 11:51 AM

@AiD

Yes, I realize what the agencies do today. My proposal is to split off the domestic intelligence and counter-intelligence from the FBI into a new agency leaving it a pure law enforcement agency because it makes it a lot easier to oversee them - the FBI can no longer say "Oh, yeah, we need this broad wiretap... because terrorism!" since terrorism would not be in their role. Furthermore, the new DIA would not be concerned with things like drug smuggling or criminal activity which means that no one gets a pat on the back by expending resources on minor criminals. This separation of roles reduces abuse on their end.

By merging the SIGINT portion of the NSA into the CIA, well, we already know the CIA has a much better track record than the NSA. By making sure their focus is entirely foreign (which, yes, theoretically the NSA is bound by those rules as well), then we can stop the mass surveillance of US citizens. However, that still requires strong regulation and oversight. We then have an NSA with a completely different focus: they do not do intelligence gathering, they only focus on securing our infrastructure. Realizing that hacking not only does significant economic harm, but also has the potential to leak secrets, a big part of their mandate is to help improve standards and systems to actually be more secure across the public and private sectors, rather than less secure.

The biggest problem in the NSA is the conflict of interest between departments, and the biggest problem in the FBI is that they have two completely separate roles which makes oversight a lot more difficult.

Nick P • October 24, 2014 11:53 AM

I posted a rebuttal to Landau's paper here because I didn't see this thread first. I cite Bell's work showing IAD has done constant harm to the high security industry. They're still doing it. It's NSF and DARPA leading the way on the good path.

Nick P • October 24, 2014 12:24 PM

@ AiD

Actually CIA is in SIGINT business via partnership with NSA on SIGINT enabling. The Tarex teams and black bag work involve CIA operatives. Further, that CIA owns (partly or in full) these companies would give them extra leverage in backdooring them. That CIA uses SIGINT gives them motive.

That said, In-Q-Tel is an exemplar program for getting the best of public and private sector, while keeping costs down. Their tech also benefits U.S. companies. Subverted or not, I call it money well spent.

parrot • October 24, 2014 1:32 PM

@Nick P:

Good analysis. From your write up, you said:

So, they certainly know what they're building will be riddled with holes, esp against nation states. Heck, EAL4 can't stop regular black hats (see Windows). Why is IAD creating and pushing low security methods across the board if they have access to *existing* high security products?

In 2014, the state of affairs is worse than it was. Assurance levels have been scrapped, along with most of the methodology in the Criteria that made it useful (e.g. security architecture analysis and design-informed vulnerability assessment). They replaced EAL-4 with IAD approved protection profiles that amount to a cursory enumeration of interfaces, a check to see if certain features are enabled (e.g. Does it use TLS with Suite B algorithms?), and some configuration checks done by limited functional testing. Their argument has been that these assessments are more repeatable and comparable, but of course most checklists are.

That's not to mention how they yank the industry around with abrupt policy changes. Sometimes they ask for input on drafts by laboratories and vendors, but comments are regularly ignored. The policies tend to also have inconsistencies or are so vague that vendors may suspect different evaluations get different levels of treatment depending on lab, IAD representative overseeing the evaluation, or the current wind direction in Maryland. That is of course if they actually give you a written policy.

I think the worst part is that they've spearheaded the dismantling of the standard internationally, backed by U.S. allies. This crusading of their new vision of what software assurance should be turned into has undone all the progress Europe and the U.S. made by introducing the Criteria in the first place. What we have now is the Orange Book Prime--with less assurance. I'll be the first to admit Common Criteria has its deficiencies, but it seems the IAD's definition of "fix" is actually what Bob Barker asked everyone to do to their dogs and cats.

(Side note: Pointing at Windows' EAL-4 certificate may not be fair; EAL-4 evaluations basically do everything you can at the architectural level. They do not handle implementation flaws easily. We should point to the various Linux EAL-4 evaluations if we wanted to be fair. I'm no Microsoft fan, but we need to recognize that the value of Common Criteria is its architectural analysis, not its ability to identify buffer overflows.)

(Side note: I also suspect the reason they went to COTS from GOTS was because it was cheaper at the end of the day. I imagine their priorities list their budget first and then their mission(s).)

AiD • October 24, 2014 4:44 PM

Nick P

Actually CIA is in SIGINT business via partnership with NSA on SIGINT enabling. The Tarex teams and black bag work involve CIA operatives. Further, that CIA owns (partly or in full) these companies would give them extra leverage in backdooring them. That CIA uses SIGINT gives them motive.
That said, In-Q-Tel is an exemplar program for getting the best of public and private sector, while keeping costs down. Their tech also benefits U.S. companies. Subverted or not, I call it money well spent.

I have complete confidence in In-Q-Tel. I suppose they could be diabolical about it and go, "Okay, we are going to be open about this, but secretly do it 'in plain sight'". And it is open. That is important. They are telling everyone what they are doing and who they are.

I am not familiar with that full list of companies, but I have worked with and do know people at FireEye & VeraCode -- both companies are top notch.

I do not think anyone here would disagree.

As for creating cover companies abroad or whatever, I am sure the CIA can do a llllliiitttle bit better than using such an obvious cover. I could see how that would make an excellent honeypot operation.

There are of course other factors here. Like motive, and "how they would do it", and "what would be the cost if they got caught".

I think those factors go: it is okay, in most situations.

But that is the CIA, whom I have a lot more respect for in handling human intelligence responsibly. They have to play by rules all the time. The NSA, well, you have, this mess they have created here in our telecoms. The FBI, plenty of divisions there I have a lot of respect and admiration for. But, this PR program they are doing with the NSA is an unmitigated disaster.

Frankly, if everyone was doing everything by the game of "the fewer people know, the better", and "rule number one: do not get caught", I might actually be okay with everything. What we do not know about, what does not affect us, who cares?

Then it would be: so they are wiretapping everyone. But it wouldn't be like they could do much with it because that would reveal they are doing this. That severely limits true black bag operations and forces them to play by rules.

As it is, they are wiretapping everyone and everything they can, and then arguing, "We are not doing anything", and "we want to do it even more". That? Is a clown show. Zero trust, zero confidence.

AiD • October 24, 2014 4:46 PM

@Anura

You have some good ideas. I apologize for kind of throwing out stuff, I am kind of just bopping around myself and I am more interested in seeing ideas.

Nick P • October 24, 2014 5:55 PM

@ AiD

Their talent is irrelevant except for their investors or customers. The question about subversion is whether someone in there planted backdoors. I'm just saying it's easier for this to occur with In-Q-Tel companies because they're owned by and largely work for the CIA. Those doing the sneaky stuff would be a core group. Maybe even one engineer with access to the repository that the CIA insist they have there "for security or reporting reasons." Most wouldn't (and shouldn't) know about what was going on because it's a Top Secret Codeword program.

That said, a company not worried about Five Eyes eavesdropping can certainly benefit from the offerings if they're better than what the competition offers. The only remaining risk is the vulnerabilities inserted being the common kind that foreign I.P. thieves find. We know NSA et al use this approach often for deniability: "Oh, it's just a developer error. Happens all the time in industry." If they use that approach, using their stuff might increase the vulnerability to foreign TLA's. Then again, the reason it's deniable is that it's so common so this may not produce a measurable difference compared to competitors' products.

They're all so full of shit security-wise. (sighs) A few exceptions in industry and In-Q-Tel, but that's the general rule about assurance claims.

Nick P • October 24, 2014 6:10 PM

@ parrot

I'm guessing you've been involved with the process or researching its current activity. I'll admit I haven't for the past several years, except for checking for new protection profiles or high assurance products to see how they're progressing. What I've seen didn't look too beneficial to real security, so I didn't look much more. If it's what you say, it's worse than I suspected, and I'd like to say so at one of those Common Criteria conferences where they pat each other on the back for their "security advances."

re your critiques

"Pointing at Windows' EAL-4 certificate may not be fair; EAL-4 evaluations basically do everything you can at the architectural level."

Not really. All Common Criteria evaluations match either a Security Target or Protection Profile to an Evaluated Assurance Level. The architecture, features, etc. are in the former. The *lifecycle process* is in the latter. Neither the Windows Protection Profiles nor the EAL4 process requirements can stop the kinds of attackers we see outside the government. And then there's governments. This is true for most if not all of them. The Shapiro essay on the Windows one is worth the read.

"I also suspect the reason they went to COTS from GOTS was because it was cheaper at the end of the day. I imagine their priorities list their budget first and then their mission(s)."

Might be the case and might not be. Then there's the "we're better so let's take charge" mentality. The thing that bothers me is that they're constantly working on high security style stuff in parallel with the garbage they're pushing as secure. Only one is available to us. That's what makes me suspicious of them.

parrot • October 24, 2014 8:33 PM

@Nick P

Thanks for your response.

I'm guessing you've been involved with the process or researching its current activity.

Yes, I've been closely involved.

... it's worse than I suspected and I'd like to say so at one of those Common Criteria conferences where they pat each other on the back for their "security advances."

I've attended those conferences. Protesting there is about as effective as protesting against the government on your front lawn. No one important listens. (Well, maybe if your lawn happens to be in a compound in Waco, Texas, but then that's a different kind of protesting against the government on your front lawn. Ha!)

Anyhow, it's all politics.

The thing that bothers me is that they're constantly working on high security style stuff in parallel with the garbage they're pushing as secure. Only one is available to us. That's what makes me suspicious of them.

Agreed. Case in point: Suite A versus Suite B.

Thoth • October 24, 2014 8:48 PM

Community Cipher Suite
======================

Symmetric Block Cipher:
- Twofish
- Serpent
- Waiting for CAESAR competition...

Symmetric Stream Cipher:
- Salsa20 family (eSTREAM)
- HC family (eSTREAM)
- Above block cipher in CTR mode

ECC Cipher:
- Safecurves (http://safecurves.cr.yp.to)


In short, just avoid the NIST stuff and those supported by organisations that have a closed source habit and are trying to commercialize their crypto algorithms.

AiD • October 24, 2014 9:54 PM

@Nick P

Ah, 'intentional vulnerabilities'. There are problems with that. Whether they are carefully crafted and put in there...or simply found and not reported.

I am not persuaded that these companies stamped In-Q-Tel which is openly CIA would make any sort of good cover.

But, yes, Dildog, Mudge, Farmer, and so on are all irrelevant. They could just be unknowingly participating in a cover operation they know nothing about. And there could, of course, be something unseasonable in there. I think though, while people may not think out such details, they would be natively aware that going with a CIA company might have consequences.

That is far from the same as meaning there would be some legal right for such behavior. (Such as tuning an AV system to allow some attacks, or a code review system to ignore some vulnerabilities).

Or that customers might be willing to accept such behavior.

With some of these systems there are, at least, potential problems in comparison tests.


There are, of course, other issues here. Such as an intelligence company generating considerable revenue outside of congressional discretion...

Though, in In-Q-Tel's case, I am sure everything is well accounted for. I would think that such companies and activities would work very well for positive PR which is important and well understood by the CIA.

I mean, isn't a huge part of keeping any manner of disguise first persuading and building, even sustaining, confidence?

Anything that can be done to control confidence enables one to allay suspicion, and so better enable disguise.


Which is why I find the NSA's & FBI's activities in these ways so deplorable from even a level of "that is your job".

Not a confidence building statement from my own self, but then I am not attempting to do so. The world has enough insincere pundits out there always attentive to managing confidence.

Nick P • October 25, 2014 9:34 AM

@ parrot

About what I expected. I might present my "Common Criteria: An Overunity FAIL generator" speech there anyway because screw them. And yeah the A vs B options they have are a good example.

@ AiD

Why do you keep bringing up In-Q-Tel companies as a cover? I'm not saying I think that at all. It would be ridiculous to use an overtly CIA funded company as cover. I'm saying CIA owns them and so they'll do what's good for CIA in addition to what's good for business. Even independent companies are doing SIGINT enabling, so these almost certainly will. As it can be done discreetly, they'll risk the black eye in the marketplace. The Snowden leaks showed a bit of money is all it takes for most, with FBI coercion for others.

"There are, of course, other issues here. Such as an intelligence company generating considerable revenue outside of congressional discretion..."

I've mainly focused on how good the ROI of the strategy is where they pick a tech that benefits them + the commercial sector, do a one-time investment in it, and fund further development through sales. In-Q-Tel's was a brilliant model that other government agencies might follow. Stronger than NSA's model of having 3rd parties develop crypto products. Yet...

You made an *extremely good point*. I don't remember seeing anyone (myself included) bring that up in an In-Q-Tel discussion. The CIA has a long history of trying to funnel money through convoluted paths to obscure what they're doing. There's also a steady stream of accusations of them making money through drugs, insider trading on stocks, etc. This might be another way for them to funnel money to 3rd parties for both legal or illegal reasons.

So, yes, I'll add to my policy recommendations that I post that strong oversight should be required for any company receiving a majority of its income from or owned by government agencies. If it's In-Q-Tel style or a defense contractor for classified work, maybe we should further impose a forfeit of rights against search for the company. The company's assets and activities are monitored by an organization like GAO to whatever extent they want to look for potential wrongdoing.

Personally, I think such a proposal might also help for that company's customers where they know they're quite audited and highly motivated to deliver what they say they will. There's also a certain future-proofing benefit because the government will continue to fund what it depends on. And the government tends to outlast private companies, esp IT companies.

AiD • October 26, 2014 1:29 PM

@Nick P

You made an *extremely good point*. I don't remember seeing anyone (myself included) bring that up in an In-Q-Tel discussion. The CIA has a long history of trying to funnel money through convoluted paths to obscure what they're doing. There's also a steady stream of accusations of them making money through drugs, insider trading on stocks, etc. This might be another way for them to funnel money to 3rd parties for both legal or illegal reasons.

Yes, I forgot, there is a new movie out I should see about the CIA making money through selling crack.

I kind of wonder, on saying this, might it be some contracting firms do not work for the government, but maybe the government secretly works for them?

I wonder if there are full blown Swordfish style operations out there, or even worse, agencies.


So, yes, I'll add to my policy recommendations that I post that strong oversight should be required for any company receiving a majority of its income from or owned by government agencies. If it's In-Q-Tel style or a defense contractor for classified work, maybe we should further impose a forfeit of rights against search for the company. The company's assets and activities are monitored by an organization like GAO to whatever extent they want to look for potential wrongdoing.


It would seem GAO would be the antithesis, the worst enemy, of many a secret program, division, or agency.

I wonder if they find themselves wrapped up in red tape, or paralyzed by ninjas with blowguns. Maybe even diverted from within.

I mean, if you have a foreign intel agency discover your secret operation, they won't try and tell anyone or even try and stop it. So they can trace it through the connections of people and find out more about what secret things they are doing. But some group like the GAO, well, they might be very much capable of stopping it.

Though if completely off the books, how could you maintain your authority? I suppose it would have to be very good at integrating into other agencies to take the authority they need when they need it.


AiD • October 26, 2014 2:28 PM

^^

That, is, to say: the contracting firm IS the government, and the government is just the contracting firm. :-) Complete role reversal. But hidden.

Democracy is just show business.

Andrew_K • October 27, 2014 3:16 AM

It appears to me as if one of the underlying problems is the blind misbelief in standardization and certification that can be found in industry management (not necessarily in industry research). The more "serious" the certificate seems, the better.
"Something has been verified to be secure by government" (and can thus be sold with the respective label) still beats "Something has been verified to be secure by science/community" (but there is no label put on the product).

Face it, it's marketing. And agencies are clever in marketing -- since they know exactly what their customers want.
Unless (industrial) customers stop looking for government-approved labels, things are unlikely to change.

RGP Security • October 27, 2014 8:47 AM

From the viewpoint of the individual business interest:

Stop the NSA. If you can stop them, then you can stop everyone.

If the NSA hates your guts, then you are winning. That means that no one else can break into your stuff.

The game of letting the NSA into the backdoor while barring China is not working and it is not going to work. That pimply-faced kid in Novosibirsk is in on it too. Sometimes he can squeeze in along with Uncle Sam.

There is a solution...
