NSA Reorganizing

The NSA is undergoing a major reorganization, combining its attack and defense sides into a single organization:

In place of the Signals Intelligence and Information Assurance directorates (the organizations that historically have spied on foreign targets and defended classified networks against spying, respectively) the NSA is creating a Directorate of Operations that combines the operational elements of each.

It's going to be difficult, since their missions and culture are so different.

The Information Assurance Directorate (IAD) seeks to build relationships with private-sector companies and help find vulnerabilities in software, most of which officials say wind up being disclosed. It issues software guidance and tests the security of systems to help strengthen their defenses.

But the other side of the NSA house, which looks for vulnerabilities that can be exploited to hack a foreign network, is much more secretive.

"You have this kind of clash between the closed environment of the sigint mission and the need of the information-assurance team to be out there in the public and be seen as part of the solution," said a second former official. "I think that's going to be a hard trick to pull off."

I think this will make it even harder to trust the NSA. In my book Data and Goliath, I recommended separating the attack and defense missions of the NSA even further, breaking up the agency. (I also wrote about that idea here.)

And missing in their reorg is how US Cyber Command's offensive and defensive capabilities relate to the NSA's. That seems pretty important, too.

EDITED TO ADD (2/11): Some more commentary.

EDITED TO ADD (2/13): Another.

Posted on February 5, 2016 at 3:15 PM • 37 Comments

Comments

Zephram Cochrane, February 5, 2016 3:35 PM

Bruce:

I wonder if the consolidation here is one of management logistics and getting the most mileage out of their budget. The budget is sizable, however, as anyone who manages a budget will tell you, there's never enough money coming in. This may be a move purely to get more mileage out of the money.

ELC, February 5, 2016 3:59 PM

@Bruce Schneier:
I recommended separating the attack and defense missions of the NSA even further, breaking up the agency.

If you break up the agency and separate attack from defense, you risk the possibility that they end up working against each other.

This is esp. the case because some of the attack targets are inside USA.

So in this case the left hand needs to communicate with the right hand, so that one can know what the other is doing.

FYI, February 5, 2016 4:14 PM

Security Firm CrowdStrike Warns of New Chinese Cyber Attacks

http://freebeacon.com/national-security/security-firm-warns-of-new-chinese-cyber-attacks/

Condensed:
Gov't intrusions to date have amassed for the attackers enough detailed information to begin highly customized pinpoint attacks. All bets are off.

Also:
General Michael Hayden past director of both CIA and NSA warns the Internet is the Wild West, there is no rule of law, and companies should not expect the gov't to protect them or to help them when they are attacked.

FYI, February 5, 2016 4:32 PM

In other words, reorganization is a euphemism for going to war - pool all resources, batten down the hatches, lock and load. Spend just a little on a thin façade to say "America, we mean you no harm." But get ready for attacks the likes of which we are not prepared for.

H, February 5, 2016 4:53 PM

@Bruce

It's nice to know that whatever you recommend, they will do the total opposite. Maybe you should recommend we disband the pretense of democracy and just go straight to open dictatorship in your next book, complete with herding people into gas chambers and everything, so they'll decide to fix all this mess...

@ELC

You obviously haven't heard of the idea of "conflict of interest"... if I'm supposed to BOTH kill you and protect you from being killed, which will win? Can't be both! So I'm guaranteed to fail catastrophically at one of those missions whatever I do, even if I do nothing. Same when the NSA is supposed to both weaken/attack all infrastructure, and strengthen/protect it at the same time... Remember, "foreigners" are using the same technology we are, whatever you do to one you do to everyone.

H, February 5, 2016 5:16 PM

@FYI

The internet's only the wild west because people like General Hayden himself keep running around like stupid hooligan cowboys, and starting gangs doing the same (like 5 eyes). He himself is the very one who made it into the wild west! (or at least made it much much worse, and much more like that, instead of trying to improve it by following the rule of law and order himself!)

Archon, February 5, 2016 5:16 PM

@ELC > If you break up the agency and separate attack from defense, you risk the possibility that they end up working against each other.

I thought that was the point.

A judge who refuses to give a warrant is working against the police. Courts that rubber-stamp warrants are seen a sign of corruption and injustice.

The judicial, legislative, and executive branches of government regularly do things counter to each other's interests, and that division of power is considered a strength.

The entire US legal and governmental framework seems to be built on the concept that an entire organization can go off the rails, and that eventuality should be planned against.

kevin, February 5, 2016 5:48 PM

This was foreshadowed when they formed the Cyber Command and made Gen Alexander (then Director of the NSA) the commanding officer. The power of the ring could not be resisted.

Thoth, February 5, 2016 5:51 PM

@all
By merging the attack and defense side, it will spell greater trouble and more abuses. A blurring of the missions and finally the attack side always wins since attack is always interesting and gets more support while defense is always marginalized and pushed to a corner.

Grauhut, February 5, 2016 5:54 PM

@Bruce: Smells more like instant hackback

All in the biz have a problem with attribution. Could mean quick hack attribution units.

"You hack a fed member wallstreet bank? We make you visible in the light of sun, hack you back, send Golem Glotiac some live meta to kill you by drones, boots or bombers."

911, February 5, 2016 10:42 PM

@H I realize you can't get a job and have been living in someone's basement for the past two years, but really...

H, February 6, 2016 12:35 AM

@911

Attack me personally when I refute you with logic? Classy. I invite you to read the constitution and become a whistleblower.

Fazal Majid, February 6, 2016 12:51 AM

@ELC
Intelligence agencies are the single most dangerous threat to democracy. That's why it makes sense to have multiple competing rivals. When J Edgar Hoover ran the FBI, he blocked the NSA from doing the dragnet surveillance they now engage in.

name.withheld.for.obvious.reasons February 6, 2016 1:24 AM

As infrequently as a visit to this site finds me, I needed to reiterate the unconstitutional position NSA has taken given both offensive and defensive leveraging of ALL IT/IS/COMM components worldwide; it is nothing less than disturbing.

PPD 20, Presidential Policy Directive #20, is clear in its scope and self-proclaimed authority that steps well outside of Executive Authority. Only public law could begin to posit the level of authority and the subjugation of private and personal property. It is a form of eminent domain without disclosure or method of redress or contest.

When talking with fellow scientists their opinion and understanding changed markedly when understanding the text and underlying reasoning that brought life to this most grievous of crimes. What I find disheartening is a complete lack of push back or resistance to what has been claimed prudent (in the dark) since 2011/2012.

Gerard van Vooren, February 6, 2016 2:43 AM

I agree with the opinion of Bruce Schneier. How come it is possible that such logic can't be applied? You just can't wear the good cop hat and bad cop hat at the same time and expect people to trust you.

Kurzleg, February 6, 2016 7:32 AM

Seems to me that there's a big downside to this reorg. Rolling each mission into one org has the potential for the neglect of one of them, probably the defensive one as others have pointed out. Reading between the lines, it seems likely that the NSA may feel like their pipeline of exploitable vulnerabilities is drying up or at least not as heavy a flow as it once was. This reorg is probably meant to address the issue.

CarpetCat, February 6, 2016 9:00 AM

Eventually, when things get 'bad' enough, those in power forget why they have to do things. Things like jury of your peers, due process, posse comitatus, etc.

Imagine you are a mid to high level government intelligence/LEO. The bad guys are right there, right in front of you! You can see them, you know who they are! You have special training, no one else sees how 'bad' it is but you! You could just round them up, or 'make sure' if only you could do this one little thing, peek around this little obstruction.

Besides, you can be trusted! You're the good guys! A quick sweep is all it takes!

And after they have collectively cultified or brainwashed themselves, they will actually do a performance review. In this review, they will realize how much more quickly and effectively they can do their jobs without the 'old' way of doing things, meaning the rule of law.

Which brings us, dear readers, to the most important question. WHAT ARE THEIR JOBS? Is it to follow the law? Is it division of powers to check tyranny, a la the USA constitution? Is it recognition of human liberty and protection thereof by limiting the powers of the police and government?

No, no and no. It's about power. It's about maintaining control. Control over you, of course. Rules, laws, old parchment with limits, ha! Those are things of the past. It's about time you found this out. Let me give you a hint: You're gonna find out one way or another.

r, February 6, 2016 9:30 AM

I'm willing to bet that due to the feeding table of open source being available to all that there won't be too many contributions from them there. Why feed China?

Data Target, February 6, 2016 11:54 AM

NSA is an ideologically driven military organization which has exempted itself from the rule of law.

More specifically, the military NSA chooses which laws it upholds, and chooses those it deems might be obstructive to the mission to ignore. They choose the mission, too.

In short, they can do anything they want and there is no one who can or will stop them.

So, agonizing over the latest re-org to expand and consolidate its power is a fool's errand.

SoWhatDidYouExpect, February 6, 2016 12:48 PM

Though not found explicitly stated, can this post be considered the Friday squid entry? If not, the following is off topic, but maybe not so when you consider one aspect of the following "outside the law", or at least outside the rule of decent behavior.

Found on Slashdot:

Even With Telemetry Disabled, Windows 10 Talks To Dozens of Microsoft Servers

http://tech.slashdot.org/story/16/02/06/1550249/even-with-telemetry-disabled-windows-10-talks-to-dozens-of-microsoft-servers

From the post:

"Curious about the various telemetry and personal information being collected by Windows 10, one user installed Windows 10 Enterprise and disabled all of the telemetry and reporting options. Then he configured his router to log all the connections that happened anyway. Even after opting out wherever possible, his firewall captured Windows making around 4,000 connection attempts to 93 different IP addresses during an 8 hour period, with most of those IPs controlled by Microsoft. Even the enterprise version of Windows 10 is checking in with Redmond when you tell it not to — and it's doing so frequently."

And Microsoft wonders why NOBODY wants Windows 10. And we wonder why Microsoft is making Windows 10 a recommended update for Windows 7 and Windows 8.1 users. How many of those connections are to the spooks?

CarpetCat, February 6, 2016 3:14 PM

What interesting times we live in when one cannot tell the difference between a private enterprise and the state itself? When compulsory actions are considered the norm!

Soon there will be no more reason to continue the charade.
me, you, that other poster you waste time arguing with? We're the coal mine canaries. Cept no one paying attention.

Bad things, man. Bad things. I fear the end is nigh!

Paul Rain, February 6, 2016 8:41 PM

@ELC :
If you break up the agency and separate attack from defense, you risk the possibility that they end up working against each other.

Isn't that kind of the point, if you care about information security? I mean, the main aim of the NSA attack is to rape the information systems of enemies.. which would include all US allies except 'the greatest Ally', as well as private companies in the US and overseas which have information that the NSA might want.

The only possible interest that the NSA attack side might have in security would be if they wanted to get everyone's systems to the point where they were secure against private actors and most/all other national intelligence agencies, but not against them. If you believe they're capable of doing that, may I suggest that you should remember to vote in your local Republican primary this year? Many of their candidates also believe that the people employed by the US Government are orders of magnitude more capable than anyone that China or Iran employs, by god, and we should damned well compromise actual security and invade the world and invite the world and all that other good shit that's worked so well since 2001.

65535, February 7, 2016 6:40 AM

“I recommended separating the attack and defense missions of the NSA even further, breaking up the agency.” Bruce S.

I agree. It appears what little checks-and-balances within the NSA will be removed.

@ FYI

Christian Science Monitor

“The clearest example of that tarnish is evidence that the NSA intentionally weakening a cryptographic standard, handicapping all of our security for a better chance to breach adversaries. That meant that the needs of the spies were prioritized over those meant to defend the rest of us. And that's something that will likely continue in the reorganized agency… Even with a separate information division, many companies and privacy advocates were convinced the newly passed information sharing act [CISA slipped into the omnibus budget to force passage - ed] was simply another vector for passing along data to NSA's digital spies…” –CSM

http://www.csmonitor.com/World/Passcode/Passcode-Voices/2016/0204/Opinion-How-NSA-reorganization-could-squander-remaining-trust

The military/intelligence Cannon is now pointed at US citizens. There is no hope of redress because of the CISA corporate immunity shield.

@ H

“It's nice to know that whatever you recommend, they will do the total opposite.”

Good Point. Ha. Maybe Bruce should use reverse psychology on the NSA.

[Next, no reasonable expectation of privacy with Gmail]

Google's EULA indicates no expectation of privacy [Via Emptywheel and comments]
See: “no reasonable expectation of privacy” re gmail (I searched on ixquick)

The Guardian:

‘Not the worst thing Google does’

“Google’s ads use information gleaned from a user’s email combined with data from their Google profile as a whole, including search results, map requests and YouTube views, to display what it considers are relevant ads in the hope that the user is more likely to click on them and generate more advertising revenue for Google.”

Salon:

“On Wednesday it was revealed in the form of a legal filing, uncovered by Consumer Watchdog: Email users have “no reasonable expectation of privacy” for information passed through Google’s email server.”

“The comment from Google’s lawyers came out in a class action lawsuit in June which the Internet leviathan is being challenged over Gmail’s feature for scanning emails to target ads. Plaintiffs claim that Google’s practice goes against wiretap laws, but the Google’s lawyers argued otherwise, stating:
“Just as a sender of a letter to a business colleague cannot be surprised that the recipient’s assistant opens the letter, people who use web-based email today cannot be surprised if their emails are processed by the recipient’s [email provider] in the course of delivery. Indeed, ‘a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties.’”

http://www.theguardian.com/technology/2014/apr/15/gmail-scans-all-emails-new-google-terms-clarify

http://www.salon.com/2013/08/14/gmail_users_have_no_reasonable_expectation_of_privacy/

[And]

https://www.emptywheel.net/2016/02/05/what-would-it-take-for-the-government-to-obtain-googles-counter-terror-ads-algos/#comment-700018

[See Emptywheel’s discussion on the legal ramification of no expectation of privacy]

https://www.emptywheel.net/2016/02/05/what-would-it-take-for-the-government-to-obtain-googles-counter-terror-ads-algos/

[Emptywheel on Twitter’s efforts to track and delete terrorist’s tweets]

“Yesterday (that is, the same day this algorithm report came out) it did, however, announce how many perceived terrorists it has kicked off Twitter.” Emptywheel

“Like most people around the world, we are horrified by the atrocities perpetrated by extremist groups. We condemn the use of Twitter to promote terrorism and the Twitter Rules make it clear that this type of behavior, or any violent threat, is not permitted on our service. As the nature of the terrorist threat has changed, so has our ongoing work in this area. Since the middle of 2015 alone, we’ve suspended over 125,000 accounts for threatening or promoting terrorist acts, primarily related to ISIS.” -Twitter

https://www.emptywheel.net/2016/02/06/when-your-lived-reality-becomes-an-algorithm-of-the-popular/

@ SoWhatDidYouExpect

“Even after opting out wherever possible, his firewall captured Windows making around 4,000 connection attempts to 93 different IP addresses during an 8 hour period, with most of those IPs controlled by Microsoft.” Slashdot

Windows 10 telemetry network traffic analysis, part 1

[See the two posts by CheesusCrust]

https://voat.co/v/technology/comments/835741

That is very disturbing. But, some note more deep packet inspection needs to be done to see the contents of the data being sent to Microsoft.

[Discussion of incomplete test]

“I read TFA, the guy is an idiot and screwed up the test…He configured the router to drop all connections. So Windows tries to access Windows Update, and it fails. So it tries the next server on the list, which fails. Strange, the interface has an IP address, try the next one...”

http://tech.slashdot.org/comments.pl?sid=8716005&cid=51453795

I still wonder why Windows 10 Enterprise with all of the telemetry turned-off is still trying to connect to about 90 Microsoft IPs. That seems to be too high of a number just for updates and so on.

The real question is What is Windows 10 penetration in government offices of hostile countries such as China, North Korea, Russia, Iran and so on? If the number is low then surely those governments must not trust Windows 10.

Next, US governmental contractors with sensitive information: do these contractors use Windows 10? What are the sales of Windows 10 to these contractors? Is it high? If not then Windows 10 cannot be trusted. Microsoft should come clean about exactly what data they are sending home to the mother ship. This is even more important with the passage of CISA.

The so-called reorganization of the NSA and its extensive tentacles is very alarming. There should be a robust public debate about the NSA's role in spying on its very citizens.

r, February 7, 2016 3:55 PM

@Paul rain,

It's also within their interests to make sure the Russians and Chinese aren't embedded into Britain or Australia or any of the other 5 eyes we supposedly share data with.


@all
Whatever happened to the air force's anti information warfare unit? Aiwu??

Clive Robinson, February 7, 2016 11:01 PM

@ Moderator,

The above from "Chuck Sedlacek" appears to be sales promotion of what sounds like "snake oil" from the wording.

Nick P, February 7, 2016 11:10 PM

@ Chuck Sedlacek

"It is apparent that the industry STILL has not correctly identified the problem. It is not the hackers and malware and about keeping the bad guys out, it is about the computer architecture. The architecture can be re-engineered through software to make it serve up computer processes in a secure manner making the computer immune to any Cyber-borne threats."

This much is true. We saw Burroughs, KeyKOS, CAP, SCOMP, GEMSOS, Boeing SNS, EROS, HYDRA, and MULTOS do this in the past. We are seeing Nizza, INTEGRITY-178B, seL4, SourceT, Sandia's Score, Caernarvon, GenodeOS, crash-safe.org, CHERI, and Edmison's SSP do it today. These either resisted penetration testing with source plus internal access by NSA for years or follow principles used to accomplish that. Whereas the monolithic or traditional styles were smashed most of the time. So, fixing the root causes is certainly the way to do it.

"The only security firm I know in the world that is doing this is Vir2us. "

I just disproved that given the first company to do it was the first business mainframe in 1961. Dijkstra followed shortly after with his focused on correctness. Early commercial systems with high security were in 70's-80's. Many followed. Quite a few left today with dozens if you count academic prototypes that can be built on or licensed. So, plenty doing it and with two in (or done with) EAL6+ category. One of those has been doing the architecture your site describes since 2005. Original version of that goes back to 80's or 90's in CMW's on B3/A1 kernels.

Anyway, let's look at your architecture:

"
Secure sealed Ring 0 Hypervisor with user resources isolated and inaccessible to attackers
Virtual computing environments that provide intense isolation and segmentation through Nano-virtualization, resulting in the protection of user resources including OS, applications and data
A secure minimum trusted computing base
A reduced attack surface which is limited to a single Virtual computing environment
Trusted Platform module located below the sealed Hypervisor"

Looks like a pale imitation of Perseus Architecture, used in Sirrix TrustedDesktop maybe, that academics threw together which built on concepts of Nizza Security Architecture used in desktops, VPN's, embedded, etc. High assurance security, built with frameworks like mine, needed a bit more than this. Some of the work I cited above from past and present goes way beyond Perseus architecture.

So, that's not unique, the only one of its kind, or anything else. If anything, it's a knock-off of the model that dates back to security kernels that your competition, INTEGRITY-178 on Dell SCC, uses. Academics and military pushing that model backed up when they realized there were holes under and all around it. Now they're talking separation VMM's + CPU hardware with tagging/capabilities/crypto in it. I always had to have separate computers to deal with transport, storage, DMA, etc risks as I couldn't eliminate them from complex *i486* CPU's. Your solution, if on regular Intel & COTS drivers, is definitely not highly assured given the best only achieved their goal with strong restrictions on usage.

That's just the containment part. Intra-partition security is huge and legacy apps screw that up a lot. Then there's distributed computation. Lots of cans of worms where separation & containment is just the beginning. I also wonder what your covert timing channel mitigation is given at least one A1 product was beaten in that area later. I even had to turn the cache off on a Core 2 once dealing with that crap. It's a nightmare. I've only seen one or two people publish the solution I came up with.

"For those who think this is an impossible problem to solve, you are wrong and clearly suffer from the "God Complex"."

The Gods of INFOSEC failed to solve the problem on complex, COTS hardware supporting legacy. Given that, I would think the person claiming they solved the problem using only one layer is the one with the God Complex. :P

"by putting up bigger and bigger walls"

Vir2us is using a Nizza and INTEGRITY-like architecture. That scheme, also called MILS, just puts up walls around things while mediating their resource use and IPC. Internally, the partitions could use HIDS, AV, disk encryption, remote management, recovery tools, safe languages (or C subsets), and so on. Did any of that sound like Vir2us's marketing material? I haven't read the whole thing: just assuming another wheel being reinvented in this very active branch of INFOSEC SW.

"We are putting a band-aide on the problem and trying to treat the symptoms instead of fixing the actual problem itself."

The problems are at every layer of the stack. Fixes at the CPU level will be needed that integrate changes to both CPU's and I/O. Two of the best methods we've seen for legacy support are CHERI-style hybrid and the Edmison style crypto processors. These can prevent, contain, and detect problems with minimal CPU changes. DIFT is great on detection, too. Another hypervisor plus heuristic monitoring solution will fail against nation states like every one that came before it if your goal is anything other than stopping inter-partition leaks on custom SOC's w/ firmware developed against an accurate ISA model. In that case, you're indeed ahead of COTS and doing a subset of what academics did in medium-assurance projects years back. ;)

r, February 7, 2016 11:12 PM

@Clive,

How many of these snakes must one catch and milk before one can sell 100ml vials of whatever oil is greasing their advertising machines?

Nick P, February 7, 2016 11:12 PM

@ Clive

Appears that the poser got hit with two people from high-assurance security at same time: I was revising during your post. Decided that it might not be snake oil so much as another security product given its resemblance to both MILS architecture and AV industry. So, I gave it a proper review and reality check. ;)

Clive Robinson, February 8, 2016 6:31 AM

@ r,

How many of these snakes must one catch...

The problem with snakes is not the catching of them, but recognising them through their camouflage before they put the bite on you or others you know ;-)

@ Nick P,

Appears that the poser got hit with two people...

And a third "Knock-out" blow from the moderator ;-)

Though kudos for doing the thorough debunking, hopefully --though I doubt it-- "Charlie Boy" will learn something on reading it.

Clive Robinson, February 8, 2016 7:09 AM

@ Bruce,

The NSA is undergoing a major reorganization, combining its attack and defense sides into a single organization

Maybe I'm being a bit cynical here, but "reorganization" is often used as a code word in business for getting rid of staff that management see as "not on their team" or "expensive deadwood".

It is known through amongst others Ed Snowden that the NSA has been "outsourcing" a significant number of jobs, very profitably --for a chosen few-- for several years now.

As has been noted, bringing together the "Two Missions" makes little sense unless one is entirely subsumed by the other.

The "Attack Mission" has had the upper hand now for some time, and senior management has made it clear that that is "their team's" preferred option.

Thus I suspect the "Defend Mission" will be culled and the --supposed-- savings used as it often has in the past as an excuse at "appropriations time" to extract more tax dollars...

As was once observed "You don't need cowboys if you fence off the prairie to grow grain". And as certain seniors from the NSA have noted ItSec is "a lawless wild west". And their behaviour more than suggests that's how they like it with their "to boldly go where no man has gone before" mentality.

Thus the civilising "Defend Mission" that helps bring law, peace and thus prosperity will get cut so that the lawless few can enjoy their freedoms at the expense of everybody else, just like the "Robber Cattle Barons" of old.

Johannes Sebastian, February 8, 2016 1:51 PM

I have pondered this a bit here and there since it came out. I was going to point out how maybe it is 'much ado about nothing', but read the WP article before posting and saw this:

“When it comes to cyber in particular, the line between collection capabilities and our own vulnerabilities — between the acquisition of signals intelligence and the assurance of our own information — is virtually nonexistent,” said Rep. Adam B. Schiff (Calif.), the ranking Democrat on the House Intelligence Committee. “What is a vulnerability to be patched at home is often a potential collection opportunity abroad and vice versa.”

This is a horrible idea, and a terrible understanding of the nature of security vulnerabilities. I hope this is his own, uninformed, unadvised opinion.

If you find a security vulnerability in an application, that does not mean it is an opportunity for hacking. It means that - very likely - someone else has already found that security vulnerability. Very "possibly", is a better term than "likely".

Further, when you use such attacks, there is a strong possibility the attack could be detected and then the attack could be used by the target.

It is akin to discovering your local airport has an open door with easy access to the airfield. Or that your local water treatment plant has a physical vulnerability in it. Maybe, on friday nights, you discover an area local teenagers have been using to go and smoke pot there. Where terrorists could find the same spot and throw who knows what into the water.

Or, if you are inspecting your house before a vacation and discover you forgot to close a front window.

Literally, such parallels have to be made, because for whatever reason the abstract concepts otherwise do not make it into the brains of those who do not work around these matters on a regular basis.

So, if NSA hacks Russia with vulnerability X in Android and Apple OS, and Russia detects that, then Russia might swing around and hit the very same systems across the US.

Or, if NSA hacks a well organized terrorist group like ISIS, they might turn around and hit up the whole world with it.

Or, if this scenario was not ISIS or Russia, but the mix of them, North Korea.

And who makes Android, but Google, an American company. Who makes IOS, but Apple, an American company. The mandate is to protect, not leverage weaknesses of companies to engage in espionage.

In software security the ever pushing challenge is vectors like "time to fix".

TTF. It even has an abbreviation and is used in *any* software shop which is competent.

The faster the company knows about the vulnerabilities, the quicker the company can get it fixed. And you do not want to be against that. If anything, as an auditor, you want to force them to get off their hineys and get to work and fix it.


Why, is the NSA auditing code, for that matter? Because it is mandated for code which runs on DoD systems, that is why. It is not a mere friendly gesture. It is a military focused defensive gesture.

A good example of sabotage there might be when the US and Brits got a line in the telco traffic of East Germany, but a mole in the British intelligence told East Germans about the *vulnerability* and the East Germans used that to tamp the damage and send time and resource wasting disinformation attacks against them. The entire operation ended up being self-destructive.

Another good example is when a Japanese cult integrated themselves into positions of contracting for their government and put in backdoors and other destructive code into military code. You may recall that cult. They were the ones who released sarin gas in a packed Japanese subway some years before.


What can DoD software vulnerabilities end up doing? Taking over drones, is one bad scenario. Disengaging gps defenses on any manner of air traffic, is another. Opening backdoors into core military networks, is yet another. But the list here could go on and on.


So, bad idea from this level.


On the good idea level, sure, they could use all of that vulnerability data to tune and enhance systems designed to find vulnerabilities for purely offensive nature.

That would be incredibly valuable. More good, strong sample sets, for any such system, as people might be able to imagine, the better.

And, fact is, for vulnerabilities which are critical but also very difficult to find and exploit, that is the sweet spot they want. Very likely, they will have to keep those very difficult to find and exploit vulnerabilities away from being fixed so quickly.

Logically, if you have intelligence relying on vulnerabilities for signals intelligence, that would have to be done. And it is very difficult to argue that - placed right, done right - there is not a legitimate need for that.


SFJ123, May 24, 2017 11:27 AM

It's all about warfare in cyberspace and "Principles and Functions" of warfare and their cyber analogies. SECURITY is just "one" of "nine" US POW and "one" of "six or seven" US Joint Functions of war. Mix and match to the mission and capabilities, adapt, and integration, integration... integration!!

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.