A December 3rd opinion piece in U.S. News & World Report advocates making the National Security Agency the agency responsible for “assuring” cybersecurity for critical infrastructure. Before anyone rushes to embrace such a plan, it’s important to sit back and reflect on the role of the NSA.
The NSA in the Interior of the Network
The mission of the NSA, broadly stated, is to collect signals intelligence on international terrorists, other governments, and foreign bad actors, and to provide the resulting intelligence to the U.S. government. To achieve its mission since 9/11, there are at least two broad categories of Internet traffic that the NSA has positioned itself to intercept: (1) foreign Internet traffic (network traffic whose origin and destination are outside the U.S., but which often transits networks in the U.S.) and (2) Internet traffic between foreign NSA targets and servers/people located in the U.S.
Because both categories of traffic can be found on networks located in the U.S., the NSA, according to first-hand accounts summarized well by James Bamford in The Shadow Factory (2008), installed highly specialized splitters and data mining equipment at key exchange points and/or mega-switching facilities in the U.S. in order to intercept the network traffic. One can argue back and forth regarding the relative value of the information that has been collected, but what isn’t up for debate is that the NSA, from an engineering standpoint, has compromised the physical integrity of the network infrastructure to achieve its ends. Susan Landau, a highly respected mathematician and engineer who has done research at Cornell, Harvard, Yale, and MIT, and who is a 2012 Guggenheim fellow, observes that wiretaps are “risky business” because “they are an architected security breach that can be subverted and put to nefarious use.” One of her books, Surveillance or Security: The Risks Posed by New Wiretapping Technologies (2010), discusses the topic at length and recounts, at one point, how the Greek government, from 2004 to 2005, was itself subjected to ten months of wiretapping when bad actors exploited similar built-in wiretapping infrastructure.
The NSA at the Edge of the Network
In addition to wire intercepts, the NSA also has an interest in being able to compromise the software running on servers and end-user devices at the “edges” of the Internet in order to ensure its ability to collect meaningful intelligence. In a world where cryptography can often diminish the value of network traffic collected in transit, compromising host machines at the edge of the network is an effective way to perform an “end-run” around the limits of wire intercepts.
How does one compromise host machines most effectively? One uses unknown and unpatched security vulnerabilities (so-called “zero-day” vulnerabilities) found in operating systems, browser software, and other applications, in order to take over the device, collect the desired information, and secretly exfiltrate data back to home base. According to noted security researcher, expert, and author Bruce Schneier, not only is the NSA presumably a significant player in the “grey market” for purchasing “zero-day” vulnerabilities from private companies, it most definitely has an operational interest in seeing that such vulnerabilities remain unpatched:
[T]he new market for security vulnerabilities results in a variety of government agencies around the world that have a strong interest in those vulnerabilities remaining unpatched. These range from law-enforcement agencies . . . to intelligence agencies like the NSA who are trying to build mass Internet surveillance tools . . .
The Bottom Line for Cybersecurity
The NSA obviously possesses world-class expertise in cyber operations and incredible tech and personnel resources. Any proposal that would seek to put the NSA in charge of assuring cybersecurity, however, must first come to grips with the NSA’s avowed operational interests in: (1) keeping software vulnerabilities unpatched as a way to maximize the collection of intelligence and (2) compromising the security of networks for the same purpose.