NSA on the Future of National Cybersecurity

Glenn Gerstell, the General Counsel of the NSA, wrote a long and interesting op-ed for the New York Times where he outlined a long list of cyber risks facing the US.

There are four key implications of this revolution that policymakers in the national security sector will need to address:

The first is that the unprecedented scale and pace of technological change will outstrip our ability to effectively adapt to it. Second, we will be in a world of ceaseless and pervasive cyberinsecurity and cyberconflict against nation-states, businesses and individuals. Third, the flood of data about human and machine activity will put such extraordinary economic and political power in the hands of the private sector that it will transform the fundamental relationship, at least in the Western world, between government and the private sector. Finally, and perhaps most ominously, the digital revolution has the potential for a pernicious effect on the very legitimacy and thus stability of our governmental and societal structures.

He then goes on to explain these four implications. It’s all interesting, and it’s the sort of stuff you don’t generally hear from the NSA. He talks about technological changes causing social changes, and the need for people who understand that. (Hooray for public-interest technologists.) He talks about national security infrastructure in private hands, at least in the US. He talks about a massive geopolitical restructuring—a fundamental change in the relationship between private tech corporations and government. He talks about recalibrating the Fourth Amendment (of course).

The essay is more about the problems than the solutions, but there is a bit at the end:

The first imperative is that our national security agencies must quickly accept this forthcoming reality and embrace the need for significant changes to address these challenges. This will have to be done in short order, since the digital revolution’s pace will soon outstrip our ability to deal with it, and it will have to be done at a time when our national security agencies are confronted with complex new geopolitical threats.

Much of what needs to be done is easy to see—developing the requisite new technologies and attracting and retaining the expertise needed for that forthcoming reality. What is difficult is executing the solution to those challenges, most notably including whether our nation has the resources and political will to effect that solution. The roughly $60 billion our nation spends annually on the intelligence community might have to be significantly increased during a time of intense competition over the federal budget. Even if the amount is indeed so increased, spending additional vast sums to meet the challenges in an effective way will be a daunting undertaking. Fortunately, the same digital revolution that presents these novel challenges also sometimes provides the new tools (A.I., for example) to deal with them.

The second imperative is we must adapt to the unavoidable conclusion that the fundamental relationship between government and the private sector will be greatly altered. The national security agencies must have a vital role in reshaping that balance if they are to succeed in their mission to protect our democracy and keep our citizens safe. While there will be good reasons to increase the resources devoted to the intelligence community, other factors will suggest that an increasing portion of the mission should be handled by the private sector. In short, addressing the challenges will not necessarily mean that the national security sector will become massively large, with the associated risks of inefficiency, insufficient coordination and excessively intrusive surveillance and data retention.

A smarter approach would be to recognize that as the capabilities of the private sector increase, the scope of activities of the national security agencies could become significantly more focused, undertaking only those activities in which government either has a recognized advantage or must be the only actor. A greater burden would then be borne by the private sector.

It’s an extraordinary essay, less for its contents and more for the speaker. This is not the sort of thing the NSA publishes. The NSA doesn’t opine on broad technological trends and their social implications. It doesn’t publicly try to predict the future. It doesn’t philosophize for 6000 unclassified words. And, given how hard it would be to get something like this approved for public release, I am left to wonder what the purpose of the essay is. Is the NSA trying to lay the groundwork for some policy initiative? Some legislation? A budget request? What?

Charlie Warzel has a snarky response. His conclusion about the purpose:

He argues that the piece “is not in the spirit of forecasting doom, but rather to sound an alarm.” Translated: Congress, wake up. Pay attention. We’ve seen the future and it is a sweaty, pulsing cyber night terror. So please give us money (the word “money” doesn’t appear in the text, but the word “resources” appears eight times and “investment” shows up 11 times).

Susan Landau has a more considered response, which is well worth reading. She calls the essay a proposal for a moonshot (which is another way of saying “they want money”). And she has some important pushbacks on the specifics.

I don’t expect the general counsel and I will agree on what the answers to these questions should be. But I strongly concur on the importance of the questions and that the United States does not have time to waste in responding to them. And I thank him for raising these issues in so public a way.

I agree with Landau.

Slashdot thread.

Posted on October 1, 2019 at 6:54 AM (37 comments)

Comments

me October 1, 2019 7:12 AM

“This will have to be done in short order, since the digital revolution’s pace will soon outstrip our ability to deal with it”

I might be biased, but since the Snowden revelations I see the NSA as the evil guys; not the Americans, not America, just the NSA.
It seems that they spend all the time crying about “going dark” and asking for more power all the time.
I don’t want to be offensive or to seem like hate speech, but I’m not good at writing in English; I just think that they ignore society’s moral compass.

If only they/all started focusing on defence rather than offence.
The military usually thinks that attack wins, always. I mean, with bombs it is true; there is no safe bunker against a nuke.
But computers are different: you code a program that requires a password to log in and there is nothing you can do to bypass that; defence wins.
The reason it seems the opposite right now is that we have useless pre-auth data exchanges.
I’d like to see more and more auth like OpenVPN, where if you use the tls-crypt option, the first data is checked for a valid digital signature; if it’s not valid there is no decryption attempt, no answer, no computing on that data, NOTHING!
As you can see there is little to no attack surface on it.
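
The pattern the comment above describes (authenticate the very first packet and stay silent if the check fails), as an added example that is not part of the comment or of OpenVPN's code. OpenVPN's tls-crypt does this with a pre-shared key and an HMAC; the packet layout and the names `seal` and `PreAuthGate` below are constructed for illustration and are not OpenVPN's wire format.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32                   # size of an HMAC-SHA256 tag
HEADER = struct.Struct("!QI")  # constructed layout: 64-bit counter, 32-bit unix time


def seal(psk: bytes, counter: int, ts: int, payload: bytes) -> bytes:
    """Client side: prepend a MAC computed over header + payload."""
    body = HEADER.pack(counter, ts) + payload
    return hmac.new(psk, body, hashlib.sha256).digest() + body


class PreAuthGate:
    """Server side: nothing is parsed or answered until the MAC verifies."""

    def __init__(self, psk: bytes, max_skew: int = 30):
        self._psk = psk
        self._max_skew = max_skew
        self._seen = {}              # counter -> timestamp, for replay rejection
        self.handshakes_parsed = 0   # how often the complex parser was reached

    def receive(self, datagram: bytes, now: int):
        """Return a reply for an authentic packet, or None (send nothing)."""
        # Only a length check happens before authentication.
        if len(datagram) < TAG_LEN + HEADER.size:
            return None
        tag, body = datagram[:TAG_LEN], datagram[TAG_LEN:]
        expected = hmac.new(self._psk, body, hashlib.sha256).digest()
        # Constant-time comparison; a failure produces no error reply.
        if not hmac.compare_digest(tag, expected):
            return None
        counter, ts = HEADER.unpack_from(body)
        # Forget counters too old to pass the freshness check anyway.
        self._seen = {c: t for c, t in self._seen.items()
                      if now - t <= self._max_skew}
        # A captured valid packet must not work a second time or much later.
        if abs(now - ts) > self._max_skew or counter in self._seen:
            return None
        self._seen[counter] = ts
        return self._handshake(body[HEADER.size:])

    def _handshake(self, payload: bytes) -> bytes:
        # Stand-in for the real handshake parser, the part with attack surface.
        self.handshakes_parsed += 1
        return b"HELLO-ACK:" + payload


def demo() -> dict:
    """Run constructed packets through the gate and report what came back."""
    psk = b"\x11" * 32               # constructed sample key
    gate = PreAuthGate(psk)
    good = seal(psk, 1, 1000, b"client-hello")
    forged = seal(b"\x22" * 32, 2, 1000, b"client-hello")  # sender lacks the key
    results = {
        "valid": gate.receive(good, now=1005),
        "replayed": gate.receive(good, now=1006),
        "forged": gate.receive(forged, now=1005),
        "parser_calls": gate.handshakes_parsed,
    }
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Only the packet sealed with the shared key reaches `_handshake`; every other input returns `None`, so an unauthenticated sender gets no reply at all.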

me October 1, 2019 7:18 AM

“extraordinary economic and political power in the hands of the private sector that it will transform the fundamental relationship, at least in the Western world, between government and the private sector”

This is something that worries me: big tech companies have so much money and influence over the public, and it seems that they have more power than a state.
Even if imperfect, I trust a state much more than a big tech company.

Paulo Marques October 1, 2019 8:08 AM

Seems people hear about Cyberpunk and think: “Now, that’s a world I’d like to rule”. Empowering more undemocratic organizations to rule everyone can’t end well.

Jon October 1, 2019 8:30 AM

“He talks about national security infrastructure in private hands, at least in the US.”

Step 1: Fire Booz Allen Hamilton (and Halliburton, Blackwater, et al. while you’re at it…).

(Ohno, they can’t do tha-aat…) J.

Cassandra October 1, 2019 8:38 AM

Giving more power to corporations, and especially allowing corporations to take over functions of government, can only end badly.
While people are quite rightly concerned about the Chinese government using information technology to impose a particular way of life and approved culture on its citizens, allowing entities with corporate personhood to do so is worse. Corporations can be transnational and difficult to punish effectively, especially if they have influence over politicians.
Do not evaluate a case on its effects if everything goes well. Please look at what the effects might be and how they can be mitigated if someone uses, with malicious intent, what you intend to allow.

Bruce Schneier October 1, 2019 9:19 AM

“even if imperfect i trust much more a state than a big tech company”

“Empowering more undemocratic organizations to rule everyone can’t end well.”

“Giving more power to corporations, and especially allowing corporations to take over functions of government, can only end badly.”

I mostly agree with this. Well-run states are more trustworthy than well-run modern multinational corporations. What I think works best is multiple power centers watching each other: governments, corporations, press, NGOs, etc. In tech we have had a power vacuum because government has been unwilling to regulate, and corporations have expanded in power to fill that void.

tds October 1, 2019 9:50 AM

From the OP: “The first is that the unprecedented scale and pace of technological change will outstrip our ability to effectively adapt to it.”

https://www.nytimes.com/2019/09/26/technology/government-disinformation-cyber-troops.html

“At Least 70 Countries Have Had Disinformation Campaigns, Study Finds
[ up from 48 in 2018 and 28 in 2017 [1]]

“Despite increased efforts by internet platforms like Facebook to combat internet disinformation, the use of the techniques by governments around the world is growing, according to a report released Thursday by researchers at Oxford University [ https://comprop.oii.ox.ac.uk/wp-content/uploads/sites/93/2019/09/CyberTroop-Report19.pdf ]. Governments are spreading disinformation to discredit political opponents, bury opposing views and interfere in foreign affairs.”

[1] https://www.technologyreview.com/f/614438/70-countries-around-the-world-now-run-organized-disinformation-campaigns/

TimH October 1, 2019 10:16 AM

Given the general insecurity of online activity, I’d like a right in law that I can order any gov or private institution that I do business with to NOT allow access to my account etc over the internet and/or phone, but only by mail or in person with selectable ID for validation. Instructions have to be confirmed in writing to an agreed address.

Evan October 1, 2019 10:34 AM

@Bruce, others: I think we need a thoroughgoing reassessment of what government is allowed to do and what it’s allowed to keep secret, which we’ve hitherto punted on in the hopes that some kind of consensus will emerge. But so far it hasn’t – government agencies are wont to collect data and reserve capabilities for themselves regardless of necessity or even efficacy (most heinously, the CIA wants to be able to use “enhanced interrogation” even though it’s well demonstrated that such techniques are actually useless for extracting actionable intelligence). With things like facial recognition and online life merging more and more with “real life”, that trend is only going to continue, unless we establish limiting principles in advance.

Bob October 1, 2019 10:57 AM

The federal government does everything it can to make sure it’s an unattractive employer. Anyone smart enough to help do what needs done can see that they’re full of shit, so it ends up being a cesspool of psychopaths and sycophants.

Clive Robinson October 1, 2019 12:08 PM

@ Bruce,

“I mostly agree with this. Well-run states are more trustworthy than well-run modern multinational corporations.”

Either on their own are generally controllable. The problem is Monopolies and Cartels.

Nearly all large governments are in effect cartels of monopolies. It’s almost the textbook description of a federal government.

But when you start to consider say the Five-Eyes and its extensions these are genuinely worse cartels than any group of corporates have so far been dragged into court over.

But the worst aspect of all is the world’s largest industry that is in essence built on unprovable unsustainable beliefs. No I’m not talking about religion but marketing. Without doubt it is the biggest faux market in existence.

Behind this unsustainable belief system is that there is some marketing Holy Grail that will if we can only gather sufficient data open up untold riches. It will of course fail such beliefs always do.

Thus it will get replaced with the belief of “we just need to know the magic of AI to unlock the secret that is in all that data gathered”.

That too will fail, thus I guess someone will invent “Quantum AI” or some such to provide yet another myth to chase.

The simple fact is there is no Holy Grail, it’s a story for the gullible to be milked with.

We can see this with online advertising, vast amounts of money get put into campaigns by the gullible. Some fraction of a percent of that money gets paid to the entity “putting the ads in front of eyes”. The question that arises is where has all that money gone? Even Pyramid schemes pay better, and they are mostly illegal…

Impossibly Stupid October 1, 2019 12:19 PM

“This will have to be done in short order, since the digital revolution’s pace will soon outstrip our ability to deal with it”

Many have commented on this bit, but nobody has said what really matters about it: it’s fundamentally wrong. The exponential changes brought on by the growth of technology are not a “forthcoming reality” or of “unprecedented scale and pace”, but something that’s been occurring for decades. Whether it’s smartphones or Y2K before that or the Internet before that or PCs before that, the NSA only embarrasses itself when it tries to assert that any of this is new or that we ought to be in a rush to do something special about it now.

“Finally, and perhaps most ominously, the digital revolution has the potential for a pernicious effect on the very legitimacy and thus stability of our governmental and societal structures.”

This nobody has commented on, but I find the most interesting admission. When the agency tasked with securing your nation says, “Hey, you know what, we’ve entered an era of science and technology that can demonstrate we have an illegitimate government”, that’s pretty significant. Instability should be taken as a given in that kind of world, and you have to wonder what the role of the NSA (and other agencies) should be when it comes to embracing evolution as a hedge against revolution. Similar lessons are in the current China/Hong Kong divide.

“I am left to wonder what the purpose of the essay is. Is the NSA trying to lay the groundwork for some policy initiative? Some legislation? A budget request?”

Money is always a prime motivator. If there’s a policy change, it might be to increase the scope of what the mission of “security” is at the federal level. But the rhetoric of urgency makes me think it will come with a lot of waste rather than wise spending.

tds October 1, 2019 2:12 PM

-1 for Surveillance Capitalism corporations (Google, Facebook, etc., see below) vs. -0 for “Well-run” governments equals net +1 for Well-run governments

https://www.vox.com/recode/2019/10/1/20893133/mark-zuckerberg-elizabeth-warren-facebook-sue-us-government-tech-breakup

“Leaked: Mark Zuckerberg threatens “major lawsuit” if President Warren tries to break up Facebook

The Facebook CEO tried to rally staff in internal staff meetings this summer.”

and https://www.theverge.com/2019/10/1/20892354/mark-zuckerberg-full-transcript-leaked-facebook-meetings

Clive Robinson October 1, 2019 3:10 PM

@ Bruce,

As you may remember I linked on a squid page a couple of weeks ago to a very disingenuous article by Stewart Baker who was the NSA legal advisor some years ago.

It might be interesting to “compare and contrast” it with Glenn Gerstell’s piece.

It might open a few eyes as to the game the NSA has going into play.

Dysnomia October 1, 2019 3:34 PM

I think there are two competing potentials for the digital revolution – increasing centralization versus increasing decentralization of knowledge and power – and what kind of society we’ll have in the future depends on which potential wins out.

Technology has the potential to be used to construct a digital panopticon around us, a world of complete information asymmetry where our watchers know everything about us but we know nothing about what they’re doing and why.

This information asymmetry is the result of the centralization of knowledge (which means the centralization of power, since knowledge is power). The more knowledge about us our technology vacuums up for powerful corporations and governments, the more power they will have over us and the less ability we will have to influence them.

But technology has another potential as well, to decentralize knowledge (or the ability to acquire knowledge) – almost unlimited knowledge on almost any subject is available on the internet.

And it’s more than just knowledge, it’s organization. Our society is currently organized around a few very powerful institutions – the state, powerful corporations and wealthy interests. The digital revolution has the potential to facilitate alternative modes of societal organization, to allow people and communities to organize themselves outside the umbrella of the state and its institutions.

This is what Gerstell is talking about here:

“Finally, and perhaps most ominously, the digital revolution has the potential for a pernicious effect on the very legitimacy and thus stability of our governmental and societal structures.”

From the perspective of state institutions and powerful corporate interests, decentralized organizational structures facilitated by technology are an existential threat.

So I think the question is which potential or tendency of this technology will win out in the end, centralization versus decentralization of knowledge/power, and there will be increasing conflict in this realm. We know which side Gerstell is on.

SpaceLifeForm October 1, 2019 5:53 PM

And, JIT, Twitter moves the DM search out of beta.

But, only for iPhone.

That is a hint.

Think October 1, 2019 9:07 PM

Just a data point.

“Thus the U.S., which is hyperconnected, is at particular risk. Securing the nation is no longer a matter of protecting against physical invaders at the borders (a situation in which the United States has had tremendous geographic advantages compared with most other nations). And the jewels of the kingdom, whether the intellectual property of pharmaceutical design or the personal data of hundreds of millions of people, are maintained by the private sector, which lacks the capability to repel nation-state adversaries. No matter how much private companies invest, they will never be in a position to thwart attacks from a determined and highly capable nation-state.”

I agree with the above as I have seen it in person and from the logs of corporate internet connected devices ill prepared for the APT that state sponsored attacks bring. Corporations fear the ‘government.’ But might trust an NSA agent to help them secure their data better or start a security department where none existed before.

I am glad to be on the side of ‘our NSA’ vs China’s equivalent. I prefer my freedom here. The ability to write this comment on this blog and not be flagged by my big brothers on WeChat for an intervention and a personal visit for a thought process adjustment or worse….

(https://en.m.wikipedia.org/wiki/WeChat)

Maybe some of those huge corporate Trump tax cuts can be tapped to help fund a better private-public partnership.

Tax reform is a hard pill for any corporation to swallow after eating a sugar coated smorgasbord the last few years have offered.

What did these corporations pay in taxes?
You may be surprised. See this site—

https://itep.org/notadime/

We the people that consume and pay for these corporate goods and services may have little to spend if our identities are stolen or if our jobs disappear due to Intellectual property theft making us or our companies less competitive or bankrupt.

SCADA or cloud attacks could cost multiple millions without effective protection. That money saved in taxes isn’t so important if you cease to be a going concern.

Clive Robinson October 2, 2019 6:10 AM

@ Think, All,

“I agree with the above as I have seen it in person and from the logs of corporate internet connected devices ill prepared for the APT that state sponsored attacks bring.”

Perhaps people should ask,

    Why is this system connected to the Internet?

A quick analysis usually shows that the answer is,

    No real reason that justifies the risk involved.

Others should ask,

    Why do our employees take very valuable company property home?

But you hear a lot of political rhetoric about “China APT” and similar. Politicians make a lot of noise over IP theft, yet won’t talk about how corporations in effect “give IP away”. It is well known that any valuable IP you take out of your jurisdiction “will be stolen”. There are “No ifs, Buts or Maybes about it” every nation steals IP as part of its spying. Centuries ago even the stupidest of Monarchs were aware of this and made the revealing of such “trade secrets” capital crimes.

So why do corporations and others,

    Freely out source all of their IP abroad?

That is, why in this “modern age” are “information goods” different from “physical goods” from a risk/theft perspective?

The real answer to all these questions almost always appears to be a pathological desire to cut costs short term by ignoring the real risks involved. Thus think of it as “corporate suicide”.

Until people start asking these questions and acting on them properly any modern Western country is going to be very very vulnerable, thus others will take advantage to “fill their boots”.

But there is another series of questions the NSA and politicians don’t want you asking. You touch on it with,

“Corporations fear the ‘government.’ But might trust an NSA agent to help them secure their data better or start a security department where none existed before.”

The NSA is duty bound in its charter to have two important roles. The first is a duty to go after the communications of all other Nations “Friend and foe alike”. The second and now way way more important duty is to protect the communications of the US.

Whilst we see a great deal of “gung ho” “The best defence is offence” nonsense out of the NSA and other US IC entities and unthinking politicians, the simple fact is it’s a completely failed policy.

But worse the NSA is effectively “Absent Without Leave” on its second duty. As a general rule the NSA appears to have the attitude that “our second duty makes our first duty harder, so we will keep our second duty secret in all respects”.

What this paper from the NSA is, is a “signed confession” that they know they are failing in their second duty and have done before the ink dried on the signature on their charter…

The world has changed and is changing beyond measure since the days of the forming of the NSA. Back then nearly all cross border communications was Military, Diplomatic or Propaganda, and all more or less under Government control. Now however that “under Government control” traffic is a very very tiny fraction of cross border communications. The NSA has consistently failed “to move with the times” and has, and still does actively resist to do what is now the most important part of the job.

Corporations are right to be in fear of the government, the government is untrustworthy. For the same reason citizens are right to be in fear of government.

Look at it this way, how many people at the end of the day would allow “Hostile troops to be quartered in their homes?”. The founding fathers were well aware of the dangers of such first hand thus banned it from the very beginning. Many high school students have had in the past to read George Orwell’s “1984”, some even Niccolò Machiavelli’s “The Prince”, from the 16th century. Not so long ago it was all the rage for young corporate types to read the much much earlier work of “The Art of War” attributed to 5th Century BC Chinese military strategist Sun Tzu. All of these and numerous other works in effect tell you to “Beware Governments and their agents as they can not be trusted” for good reason.

Time after time the NSA has proved itself not just “untrustworthy” to US Corporations and Citizens but downright hostile actively seeking to undermine security at every opportunity. Thus the point of view of “The NSA can not be trusted in any way” is not one that is going to go away in most of this blog’s readers’ lifetimes, if ever.

Petre Peter October 2, 2019 7:20 AM

The NSA gets its money from the government and because of it, they protect the government. The government gets its money from the people and because of it, they protect the people. With corporations it is more complicated, but in the end they too pay the government for protection but in cyberwar I am not sure that they’ll get that protection. This is probably because of attribution: governments do not know if the attacker was a nation state or a competitor. From what I am seeing it seems like governments will protect corporations from nation state attackers but not from competitors.

Patriot October 2, 2019 7:34 AM

“recalibrating the Fourth Amendment”

The part of the U.S. Constitution that prohibits unreasonable searches and seizures needs to be recalibrated.

Recalibrating the law sounds like something out of the German news from 1933.

This is about self-interest, about making money, and not about protecting the American people in any way whatsoever. Once the Constitution goes, the country goes with it, and people who put a lot of money in their pockets are not going to be that sad about the process. No. It needs to be stopped.

We have already seen a stunning set of failures that smack of raw apathy–the OPM hack, 9-11 itself, the Iranian CIA hack, Snowden, and the fact that the U.S. has not won in Iraq or Afghanistan–and that apathy and failure should not have even more money thrown after it. The resources they have should be used better.

Patriot October 2, 2019 8:50 AM

There is a further point.

We do not need to recalibrate the 4th Amendment. Doing so would be North Korea-esque, and a shocking development.

The enormous transfer of technology, especially military technology and critical industrial production technologies from the U.S. to China, was done under the noses of several U.S. entities who let it happen. It has been described as the greatest transfer of technology in human history. The apathy and lack of leadership that allowed that to happen is a disgrace.

vas pup October 2, 2019 12:49 PM

@TimH
You do have a good point.

First, I’ll ban and forcefully disable all current applications (except extreme cases of LEAs activity) which allow spoofing sender’s e-mail address, caller’s phone # and name on caller Id. Consider all such activity as fraud attempt in particular when recipients are seniors.

Second, Include (that is for Liz Warren) in the list of high tech monopolists which need to be broken down AT&T, which came back after it was affected by antitrust procedures in the past.

Third, all calls from/to private companies which allowed them to record such calls automatically assign the same right for recording same calls for general public for balance of rights.

I guess it is not difficult to adopt, but as @Petre Peter money is talking louder than needs of the general public.

SpaceLifeForm October 2, 2019 6:02 PM

@Petre Peter

“but in the end they too pay the government for protection”

No, big corporations basically pay no tax.

See Apple, Microsoft, Ireland.

It’s fascism, plain and simple.

Dysnomia October 2, 2019 6:55 PM

@Think,

“I am glad to be on the side of ‘our NSA’ vs China’s equivalent. I prefer my freedom here. The ability to write this comment on this blog and not be flagged by my big brothers on WeChat for an intervention and a personal visit for a thought process adjustment or worse….”

I come at this from a different angle. I don’t want to be spied on at all, but if I had to choose, I’d rather be spied on by Chinese state agencies than U.S. equivalents. The reason is that the Chinese government has basically no power over me. They can’t use anything they find against me, and they can’t lock me up.

But the U.S. government has the power to send armed people to my house to drag me away, which combined with universal domestic surveillance has a strong chilling effect on dissent. I don’t want U.S. state agencies to be able to read my communications, and I don’t care if that puts them at a disadvantage against their Chinese equivalents, who are not in a position to harm or control me.

Dysnomia October 2, 2019 7:00 PM

@Clive,

“The real answer to all these questions almost always appears to be a pathological desire to cut costs short term by ignoring the real risks involved.”

That’s the nature of capitalism. Absolutist short-termism, immediate bottom-line profits above all else. Any firm that fails to prioritize short-term profits goes out of business, making way for firms that comply with the system’s requirements.

Thus the ecological crisis. Fossil fuel company CEOs know full well the consequences of their actions, but they won’t stop. They can’t. If they do, their companies will fail and others will take their place. Our economic system simply does not allow for long-term thinking.

Patriot October 2, 2019 10:28 PM

The Founding Fathers tried to prevent this–they tried to keep small parties within the government from killing the host.

It works this way: undermine the Constitution and you will get this money. There is the money, on the table, you can almost touch it.

Don’t want to go that way? Let’s make the pile bigger.

I see you gulping from excess saliva. Let’s make the pile a bit bigger (by the way, it comes from national debt).

Not yet? OK, let’s heighten the pile.

Good job! Indeed, we are doing a tremendous national service, and thank you for spying on Americans without a warrant and dealing a blow to the very foundation of what it means to be an American and be free.

Congratulations! You are a winner!

Patriot October 2, 2019 10:44 PM

@Mr. Schneier

It’s a very long article. You may want to look at that part which says:

“The roughly $60 billion our nation spends annually on the intelligence community might have to be significantly increased during a time of intense competition over the federal budget.”

This makes the intent quite clear.

Think October 3, 2019 5:53 AM

@Clive – yes there is outsourcing and abject greed of corporations – they give away their own IP in exchange for cheap labor and access to ‘the Golden market opportunity’ that China is promised to be. The 2nd amendment helps enforce the no quarter amendment.

Short term greed seems to be the driving force with corporations. They sometimes act like a group of 10 year old children without parents if governments don’t regulate them. They will naturally act to enrich those few in control without governance and a longer term outlook.

@Dysnomia – if I had to pick a place to live and be spied on – I pick the US. Here I have a lot of institutional protection and a powerful if sometimes apathetic population of Americans looking out for each other’s rights. A group that if threatened – I hope would fight with me to keep those rights.

We will be spied on by many nation states wherever we go – either directly or through each nation exchanging information or exfiltrating it from each other’s spy agencies.

The huge overwhelming debt will be the lynchpin that changes the game. Bankruptcy, property transfer in lieu of payment, or war are likely outcomes.

Alejandro October 3, 2019 10:25 AM

NSA’s mission is to break the internet at any cost by any means, so they can never be trusted about anything. They are directly responsible for many of the domestic and international internet security problems we now have, because they set the precedent.

IMHO.

Alyer Babtu October 3, 2019 12:26 PM

@Dysnomia

Re: nature of capitalism

Maybe not the nature of capitalism as such, but as Deming suggests in “Out of the Crisis” (1986!), the result of Wall Street reducing companies to the single dimension of stock price, ignoring the other natural dimensions that apply in the real world, leading to unrealistic, destructive expectations and demands. Wall Street also tends to treat stock investment like a bond by in effect insisting absolutely on a certain return. This introduces economic distortion since nature, hence real-world enterprise, is uncertain. The investor instead should be willing to assume risk just as the company does. We have irresponsible investment, the economic equivalent of the political “taxation without representation”.

Ismar October 4, 2019 12:57 AM

A bit late to the party but it can all be summed up in a couple of words- When $60 billion is not enough and NSA goes public admitting it then the best explanation is very close to

FUBAR

tds October 4, 2019 6:16 AM

I don’t recall the NSA recently clamoring (like FBI, DOJ, or law enforcement, in general, do) about below. Regardless, @emptywheel retweeted

https://twitter.com/RidT/status/1179909887142313985 Thomas Rid, ‏@RidT

“Encryption is about trust. The less you trust—the more you encrypt. If you can’t trust your gov’t, you encrypt end-to-end.

And now three gov’ts, two in outright constitutional crisis caused by lying at the top, are asking us to put stronger trust in weakening democracies. Srsly? …”

gordo October 4, 2019 8:38 AM

@tds,

lying at the top

The lying is always there. It’s a matter of kind and degree. One can wrap oneself in the flag or the constitution which says that this is mainly a political or partisan argument or affair.

So much, I say, for transparency, leaks and backdoors, i.e., trust. E2E just moves the man in the middle off to the sides. Unless I’m mistaken, there are hacks or apps for that, too.

Security Sam October 5, 2019 3:13 PM

The cyber security mirage
Is but a marketing barrage
It all began in some garage
But it turned into a corsage
That begs for a deep massage.

Geoffrey Nicoletti October 6, 2019 6:09 AM

First of all…under AI actions based on “prediction” moves the sense of responding to an active threat to initiative. (Rob Joyce—right before he went to NSC—texted me on the aspect of prediction.) Secondly, I think increasingly “digital collateral damage” where the reliability for data/services (not an attack on you) impairs operations is a concern. And third, the highest priority in this infrastructure war is not the policy tweaking nor the hiring of temporary red teams but of a permanent position: a white hat position who daily strikes at the corporation to find the vulnerabilities (usually the newly installed app) before the black hat does. Let budget determine how many white hats in house but create the position universally just as everybody has a system administrator.

Dick Mills October 6, 2019 10:24 AM

extraordinary economic and political power in the hands of the private sector that it will transform the fundamental relationship, at least in the Western world, between government and the private sector

Deja vu: the military industrial complex

tds October 6, 2019 11:35 AM

@gordo

Although OT, I was thinking about possible future social media messaging, or WhatsApp, backdoors and treaties, which were mentioned elsewhere on this blog [1].

Perhaps “Collect it all” has morphed into “Collect most of it” in light of things like:

https://www.washingtonpost.com/outlook/2019/09/29/i-helped-classify-calls-two-presidents-white-house-abuse-system-is-alarming/ [2]

“Moving a conversation to the ‘code word’ server can be justified only by national security concerns”

or https://www.eff.org/deeplinks/2019/10/open-letter-governments-us-uk-and-australia-facebook-all-out-attack-encryption

[1] https://www.schneier.com/blog/archives/2019/10/friday_squid_bl_697.html#c6799603

https://www.schneier.com/blog/archives/2019/09/friday_squid_bl_696.html#c6799403

[2] alternative link https://www.msn.com/en-us/news/opinion/opinions-i-helped-classify-calls-for-two-presidents-the-white-house-abuse-of-the-system-is-alarming/ar-AAI1q8o
