
NSA’s top policy advisor: It’s time to start putting teeth in cyber deterrence - deanalevitt
https://arstechnica.com/tech-policy/2019/03/nsas-top-policy-advisor-its-time-to-start-putting-teeth-in-cyber-deterrence/
======
adrianN
How about the NSA and similar institutions in other countries don't hoard
zerodays and instead actively work to improve security? Defending against
hackers is a lot easier than defending against nuclear missiles. We don't need
an active deterrence if the defenses are good.

~~~
zelon88
While I agree and I hate the NSA's practice of hoarding zero days, they do
this to keep software vulnerable on purpose. They've invested millions in
uncovering zero days SPECIFICALLY so they could then spend millions more to be
the only ones exploiting these vulnerabilities. If they share the zero day,
the vendor will write a patch and it's game-over for their multi-million
dollar exploit.

Don't get me wrong, it's entirely inappropriate for an American government
agency to be subverting the security of American products made by American
companies and used by the American public. We have a unique opportunity that
no other country has to coordinate our secret intelligence work with the
private sector to completely own the security industry, but we allow our
government to take an adversarial approach to defense. It's insane and
criminal, but that's how it is.

Imagine how effective an intelligence campaign would be against, say, Iran, if
the NSA went to Microsoft, disclosed a vuln, and then told them to patch the
vuln ONLY in specific markets. Roll out the patch to American companies first,
but leave select targets still vulnerable. No other country could get
Microsoft to do that except the United States... And we waste that opportunity
by trying to lone-wolf everything.

~~~
AndrewGaspar
I'm sorry, but this seems a little naive. 1) It assumes that the NSA would
only want to exploit a vulnerability exactly once, 2) this behavior would be
fairly obvious since hackers examine patch payloads, and 3) this behavior on
the part of American tech would undermine their credibility globally. Wouldn't
you reasonably be very skeptical of Microsoft if you were a foreign government
if you knew they were actively working with the American government to pwn
you?

The status quo of a semi-adversarial relationship between the NSA and tech
companies for offensive cyber capabilities seems better to me for both
parties. Of course it would be good if they were collaborating on defensive
cyber security.

~~~
woodman
> I'm sorry, but this seems a little naive.

[https://en.wikipedia.org/wiki/NSAKEY](https://en.wikipedia.org/wiki/NSAKEY).

I thought everybody already knew that US corporations serve as an extension to
the surveillance apparatus. Remember all the corporations fighting against the
government's mandate at an artificially crippled maximum keysize of 40 bits,
in order to allow continued surveillance in the 90s? Yeah, neither do I.

~~~
geofft
The claim is not "naive" as in "of course the NSA wouldn't want to exploit
things, they're innocent angels", the claim is "naive" as in "they have better
ways to exploit things."

Interpreting _NSAKEY as an NSA backdoor is similarly naive. First, it's named
_NSAKEY. Surely they could name it something else. Second, its purpose was
reverse-engineered, and it's capable of signing cryptography modules, same as
the existing Microsoft key named _KEY. Anything that could be done through
_NSAKEY could also be done through _KEY, so it would be easy for the NSA to
just ask for a copy of _KEY such that nobody would notice. The conspiracy
theory makes no sense - it's like saying "$politician is trying to take away
our freedoms by pouring mind-control agents into the water" when $politician
is just straight-up signing bills to take away your freedoms.

~~~
woodman
It was a debugging symbol that a Microsoft developer either negligently or
heroically included in a public release... so that explains away the "nobody
would be so stupid" argument. You are aware of how the Intel ME killswitch was
located right? A commented xml file included with the flashing software
helpfully informed anybody willing to look that a field was related to the
NSA's High Assurance Platform program. This was after ten years of security
researchers pointing at the fact that this was a backdoor. For whatever reason
both Intel and the NSA were happy to let the public remain needlessly
vulnerable all that time... But yeah, I'm just like one of those water
fluoridation loons. The NSA wasn't at all hamfisted in the intentional
weakening of elliptic curves and blatant RSA bribery, this isn't an obvious
pattern emerging.

~~~
ryanlol
NSAKEY people have had over two decades to produce any evidence in support of
their weird conspiracy theory, but strangely enough they’ve utterly failed to
do so.

~~~
woodman
The demand for evidence in the wake of all the NSA leaks is laughable.[0] What
does evidence of the NSAKEY being a backdoor look like to you, a provably
malicious CSA shim, signed by the key, hand delivered by James Clapper?

I'll tell you what it looks like to me:

After the debug symbol is found, Microsoft gives a seemingly very stupid
explanation for it[1]: "It is a backup key. Yeah, uhhhh... during the export
control review - the NSA said that we had to have a backup key, so we named it
after them..." After being challenged on the plausibility of their backup
scheme they refuse to provide any further explanation.

Here is the funny part: Microsoft might be technically telling the truth about
it being a "backup". Consider what else was going on around this period:
ridiculous export controls on key-length, the clipper chip... and finally:
government managed private-key escrow[2]. At that time the export regulations
did not specify a backup requirement, and yet Microsoft claims otherwise. You
know who else was talking a lot about backups? The White House, in its proposal
for allowing the export of key-lengths above 56-bits - so long as applicants
implement "key-recovery".[3] Somehow I don't think that we share the same
definition of the word "backup".

Also, ECI Sentry Raven[4], have fun with that.

[0] [https://assets.documentcloud.org/documents/784280/sigint-ena...](https://assets.documentcloud.org/documents/784280/sigint-enabling-project.pdf)

[1] [https://cryptome.org/nsakey-ms-dc.htm](https://cryptome.org/nsakey-ms-dc.htm)

[2]
[https://web.archive.org/web/20000818204903/https://csrc.nist...](https://web.archive.org/web/20000818204903/https://csrc.nist.gov/keyrecovery/admin.txt)

[3]
[https://epic.org/crypto/key_escrow/key_recovery.html](https://epic.org/crypto/key_escrow/key_recovery.html)

[4] [https://archive.org/details/nsa-sentry-eagle-the-intercept-1...](https://archive.org/details/nsa-sentry-eagle-the-intercept-14-1010/page/n8)

~~~
geofft
Evidence of the NSAKEY being a backdoor includes some description of how the
backdoor might work, backed up by a reference to the relevant Windows source
code or its disassembly, both of which are easily available to researchers.
What sort of backdoor is it? Does it provide remote access to Windows? Does it
enable certain cryptographic modes that are disabled? Does it disable certain
cryptographic modes that are enabled? Does it trigger key recovery, and if so,
how?

Evidence of X does not include "X would have been done by Y, and Y did Z, and
X and Z are both bad, so why _wouldn't_ Y do X too." That is basically the
definition of an ad hominem argument. Whatever else the NSA may have done, and
however much it's reason to believe the NSA might have wanted to do this
specific thing, it's not _evidence_ of them doing this specific thing (and
again I'm not sure what this specific thing is even supposed to be). And if
anything, the lack of mention of NSAKEY in the leaks is a reason to believe
that there wasn't anything there.

Evidence of X also does not include "Y refused to talk about X." That might be
evidence that Y is suspicious and untrustworthy (or evidence that the person
asking was a conspiracy theorist who wouldn't be satisfied by any
explanation), but it's not evidence that Y actually did X.

So, that's my definition of evidence. I'll turn this around: what would
evidence that NSAKEY _was not_ a backdoor look like to you? Would anything
convince you, or is your claim unfalsifiable?

~~~
woodman
> Evidence of the NSAKEY being a backdoor includes some description of how the
> backdoor might work...

It would only work one way with an API relying on a PKI with a single CA, zero
transparency, and trusted keys named after spy agencies suddenly appearing out
of nowhere. I'm gonna bail here, because I'm now not sure if you honestly
don't know what the CAPI was in relation to the NSAKEY - or if you're trying
to waste my time by getting me to explain the most basic principles of public
key infrastructure.

~~~
geofft
Here is a basic principle of public key infrastructure: anything signed by one
CA can be signed equally well by another, unless the code is designed to give
one CA special permissions (like EV certs, in the HTTPS PKI).

You are wrong on the facts that there is a "single CA" - there is _KEY in
addition to _NSAKEY.

So, this brings me back to the point I mentioned at the top of the thread: why
didn't the NSA just demand a copy of the private key for _KEY instead of a
separate key? A separate key always carried a risk, and also required a
rebuild - handing over _KEY could have happened immediately. If _NSAKEY has
special permissions, can you point me to where in disassembled CAPI code /
leaked source these special permissions are implemented, and what they are?

Your conspiracy theory is "The NSA is evil and also stupid." This is a more
complex and less likely, _and less worrisome_ conspiracy theory than "The NSA
is evil." If the only thing we have to worry about from the NSA is things
bungled as badly as this alleged _NSAKEY backdoor and the actual Dual_EC_DRBG
backdoor (which was noticed by cryptographers basically instantly), we have
nothing to worry about. That doesn't seem like the rhetorical position you
want to take.

------
mtgx
> Citing the WannaCry and NotPetya malware attacks

Wait, did he just use Wannacry as a reason for more NSA involvement in cyber
defense? Wannacry exists _because_ of the NSA. Its exploitation tools leaked
(as it always happens, even to the NSA or the Chinese spy agencies) and then
others used them to create the highly-effective Wannacry.

So...thanks, but no thanks NSA! You've done enough already. Not to mention the
fact that the NSA is _actively_ trying to this day to sabotage security
efforts both in standards bodies and in private organizations (see recent
Simon and Speck controversy, or how they asked Yahoo to put a backdoor in
their email servers, Dual_EC scandal, etc).

------
scarmig
From the beginning, the NSA should have held itself to having a primary
purpose of cyber defense and deterrence. Even if it has some more aggressive
programs running sub rosa, those defensive programs should be its central
focus, and it'd be easier to sell as a patriotic career choice if cyber
defense was what the NSA was known for.

Now we're left playing catch-up, and the NSA is mostly known for cyber
espionage against global adversaries and domestic surveillance.

~~~
mr_overalls
Cyber-espionage is a valid role, IMHO, but it should be separated from their
defensive one. (Or the defensive role spun off into a different org
altogether.) I think there's just no other way to manage the opposing
incentives at work here.

~~~
Valmar
> Cyber-espionage is a valid role

Agreed, but the NSA doesn't seem to act like they care about defense, but
wielding it only as a weapon.

If they care about defense, I'd be interested to see any meaningful examples.

~~~
lern_too_spel
[https://en.m.wikipedia.org/wiki/Security-Enhanced_Linux](https://en.m.wikipedia.org/wiki/Security-Enhanced_Linux)

[https://en.m.wikipedia.org/wiki/NSA_Suite_B_Cryptography](https://en.m.wikipedia.org/wiki/NSA_Suite_B_Cryptography)

------
leroy_masochist
The greatest trick the SIGINT Enterprise ever pulled was convincing the world
that its capabilities were in danger of being outclassed by the Chinese,
Russians, Iranians, Israelis, etc. Nice to see they're still at it.

------
abugheratwork
> Joyce expressed the pride the NSA's workforce took in "delivering a midterm
> election that was free of malfeasance and interference" [...]

Oh, that's good. I was just imagining all the news out of Georgia, then.

~~~
TACIXAT
I know this is tongue in cheek, but the NSA's mission has to do with foreign
interference. They are far less authorized to do anything involving US
citizens.

~~~
jonathanwallace
There's a bunch of relevant information but here's the one showing
nation-state interest in Georgia.
[https://www.ajc.com/news/state--regional-govt--politics/russ...](https://www.ajc.com/news/state--regional-govt--politics/russian-agent-visited-election-websites-georgia-counties-2016/slgj3hy2KIzidtSFrvNG6M/)

------
mgleason_3
I'm not a security expert, but even a layperson has to wonder if the NSA can
actually be successful.

Apparently, he thinks the "defend forward to disrupt or halt malicious cyber
activity" strategy was effective for mid-terms. Was it actually? Or, did "...
the responses come, if ever, after the costs [of those attacks] are already
realized."

If it was effective, how long will it take for the adversaries to work around
it (which apparently he acknowledges in the last paragraph)?

Even if they somehow walled all traffic off from Russia and North Korea,
wouldn't they just exploit unwitting computers as 'hop points' to get
around the limitations?

Maybe I'm missing something? Maybe there's some "teeth" that can provide cyber
deterrence I don't know about?

------
teumesios
As if the NSA wasn't part of the problem to begin with.

------
GrryDucape
Since WW2 the difference between war and peace has been more and more
blurred. Proxy wars, drones and "cyber warfare" have made open conflicts
directly between superpowers almost non-existent.

Classic warfare, atomic, biological and chemical weapons all have rules and
loads of regulations. The "cyber" sector has a long process ahead to catch
up. Unfortunately no one seems interested in being really serious about it,
but I certainly wish they will start work on it.

Hopefully we will never experience an all-out "cyber war". Probably a new kind
of scenario with massive damages to infrastructure, lots of civilian casualties
and almost no losses among military personnel.

------
omouse
The best offense is a good defense, so the sooner they start patching
software, the better. The sooner they get developers to use safer languages,
the better. But that's not gonna happen, it's apparently too costly to develop
safe and secure software, but the damage caused by poor cybersecurity is
somehow an externalized cost which means it costs nothing in the current
equation.

------
espeed
Foreign actors hacking some servers and systems and placing malware is one
thing -- that's been going on for a long time, and it's not unexpected -- but
having the insight and expertise to run a campaign that exerts more influence
than the entire media and PR industry put together, well that's something
else. That would require something above and beyond -- we're not that fragile.

Consider this...

NB: These are the same questions I posed in a thread a few days ago
([https://news.ycombinator.com/item?id=19282809](https://news.ycombinator.com/item?id=19282809)).

Do you know the size of the Russian economy?
[https://en.wikipedia.org/wiki/Economy_of_Russia](https://en.wikipedia.org/wiki/Economy_of_Russia)

How many individual US states have an economy larger than Russia?
[https://en.wikipedia.org/wiki/Comparison_between_U.S._states...](https://en.wikipedia.org/wiki/Comparison_between_U.S._states_and_sovereign_states_by_GDP_\(nominal\))

And the size of the PR industry?
[https://www.statista.com/topics/3521/public-relations/](https://www.statista.com/topics/3521/public-relations/)

We invented the modern PR industry, AI, and social media. And the PR industry
has been perfecting the design of campaigns for 100 years. That's our
bailiwick.

You think Russia outclassed us at our own game, at home on our own platforms,
on the biggest stage, in the highest stakes game of all?

And then to pull that off with no one noticing or countering it in the most
measured world of all time?

That would be like the Russian basketball team [0] beating the US Dream Team
[1] in all of our major sports combined, at the same time. Not gonna happen.

And to what extent would a feat like that even be possible for someone from
the US? And if some super-genius person or group of US citizens with the
combination of intimate understanding, sophistication and skill did exist,
then why wouldn't they just work for the campaign? And if one in the US could
pull that off, why think Russia could?

[0] Russian Basketball
[https://en.wikipedia.org/wiki/Russia_national_basketball_tea...](https://en.wikipedia.org/wiki/Russia_national_basketball_team)

[1] US Dream Team
[https://en.wikipedia.org/wiki/1992_United_States_men%27s_Oly...](https://en.wikipedia.org/wiki/1992_United_States_men%27s_Olympic_basketball_team)

~~~
DFHippie
To win a U.S. election you don't need millions of votes. You need tens of
thousands of votes in strategic locations. It was something like 50,000 votes
in three states in 2016 that determined the outcome of the election. Clinton
had roughly 3 million more votes but they weren't in the right places. An
influence campaign doesn't have to "exerts more influence than the entire
media and PR industry put together". It has to move a few tens of thousands of
votes in the right places. Also, it's easier to win any game by cheating. U.S.
actors are less free to cheat since they will be subject to U.S. law if they
are caught. If scales are balanced with 200 metric tons in each pan, you can
throw off the balance by chucking a hammer in one pan of the scale.

Besides, it seems like the U.S. intelligence agencies are better positioned
than random people on Hacker News to assess the extent and influence of the
Russian influence campaign. What do they say?

~~~
espeed
Who's the random person in this scenario, you or me?

And regarding my assessment and their response, that's why I asked the
questions. I have a pretty good history of being on the mark [1], and every
time I've talked to them, they've appreciated my perspective. Consider all
things, that's the job -- that's what you want -- just like anyone else in
strategic positions, they like hard questions.

[1]
[https://news.ycombinator.com/item?id=5897654](https://news.ycombinator.com/item?id=5897654)

------
czbond
And here I was expecting a way to record keystroke noise via a tooth recorder.

~~~
jerkstate
Wake up, Kent.. it's me, Jesus

~~~
sctb
Could you please not post unsubstantively like this?

[https://news.ycombinator.com/newsguidelines.html](https://news.ycombinator.com/newsguidelines.html)

