NSA's first and overriding mission is in conducting signals intelligence against our adversaries. As people have pointed out here and elsewhere: regardless of what other missions NSA may have crept into in the last 40 years, when SIGINT comes into conflict with some other NSA mission, SIGINT wins.
(This analysis is descriptive, not normative.)
But it seems like it's just words and business as usual.
I'm curious what their response would be in the perfect storm scenario. A foreign country or criminal enterprise causes severe damage to much of the US. Both the intelligence agencies, government secrets, and the technology industry are severely impacted, crippled even. And the enabler? A series of vulnerabilities they didn't disclose.
How much damage has to be done before people wake up and realize that what NSA is doing is effectively pointing armed nuclear warheads at high-value targets in the US and giving our enemies the controls? The fact that NSA refuses to disclose serious vulnerabilities is an indication to enemy governments and criminals that spending money finding these vulnerabilities is going to be an extremely effective tactic.
I mean this seriously: this is actively telling our enemies how to attack us. How is this not treason?
> Treason against the United States, shall consist only in levying War against them, or in adhering to their Enemies, giving them Aid and Comfort.
"If we have a policy of not disclosing the vulnerabilities we know, what we're really doing is promising foreign countries that the exploits they discover against us will work forever."
Consider that while something like Heartbleed would be an enormous asset to the NSA, if both NSA and a foreign power found out about it at the same time it'd provide the foreign power with a disproportionate benefit because they'd likely have fewer other ways of infiltrating many sites.
I'm sure that in situations where they're confident they're the only ones with the knowledge, they'll still hold off on releasing anything.
You forgot to mention the assumption that NSA willfully ignores the IA component of its mission.
How can they be sure? They simply can't. And this means they're putting US business at risk for their own benefit.
(The other way to put US business at risk is via worldwide reputation damage.)
I doubt this makes US companies more interesting for investors.
And yet that didn't prevent them from sitting on Heartbleed for two years (since approximately the moment it was introduced).
This is a PR move.
Compare this to GITMO
"GITMO sucks, I vow to close it immediately" -- "Oh, Congress blocks me, my hands are tied! Tear!"
"Security vulnerabilities suck, I vow to make them open!" -- "Oh, look at that, the security apparatus says it makes the US vulnerable, my hands are tied! Tear!"
But when it comes to pure presidential powers like killing people in foreign countries from the skies, his hands aren't tied.
One way to start to repair their reputation would be to responsibly disclose some vulnerabilities and then take credit for their disclosure. That might motivate whitehats to join them, and whitehats are exactly the type of people they need.
In 10 years, the US is going to be in trouble unless they can continue recruiting good hackers. In 20 years, they'll be in serious trouble when foreign powers have clearly begun dominating the SIGINT arena. And at the rate technology is changing, those timelines seem optimistic.
The NSA can likely get all the recruits it needs by just offering the chance to hack with legal immunity.
We also kind of want the NSA to stop monitoring the whole network.
On the internet, and to global citizens, what you write amounts to "screw those people" (non-US Hacker News readers).
I don't believe the NSA's mission comes into conflict with Obama's order, it merely suggests the NSA change how they go about their mission. But it's still just as clear to me how one would solve it, and IMHO they would have an easier time going the social engineering route anyway.
Perhaps I should explain my reasoning a bit then.
midas007: It seems like just another lie
tptacek: I don't think he's lying. I don't think he understands what he's saying.
me: To paraphrase President Nixon, the President ought to know whether or not he himself is a crook.
So if tptacek is correct in that Obama doesn't actually understand what he is saying, the universe divides into two possibilities. In universe (1) Obama is so dumb as to be incapable of understanding the issues involved. In universe (B) Obama has the capability to understand the issues but has for some reason chosen not to exercise it.
Because Obama is a scholar, I assert that (1) is unlikely. Thus Obama, like many of us when confronted with complex but ultimately tractable problems (such as optimal Pokemon strategy), has made a conscious decision not to immerse himself deeply in the issue.
This represents a problem for Democracy because the President is our civilian leader who is supposed to be in command of the military. If in fact it is the military/intelligence that is leading him, then the Presidency has failed.
Cf. Reagan: https://en.wikipedia.org/wiki/Iran%E2%80%93Contra_affair
> This represents a problem for Democracy because the President is our civilian leader who is supposed to be in command of the military. If in fact it is the military/intelligence that is leading him, then the Presidency has failed.
Democracy is not a government of presidents. It is a government of people. I agree that you can usefully argue that "the Presidency has failed", but the existence of the Presidency was always a hack, in software terms. It was never a well-designed system; it was a convenience which has been subject to feature creep due to a long history of abuse and counter-abuse. Try to put yourself in the Founders' shoes and seriously think about the question of why the executive branch needs to be headed by a single person; it doesn't. It was just easier that way.
To fix this, the response isn't to whine about NSA overreach or Presidential doublespeak. It's to actually establish a democracy.
(P.S., it is inaccurate to characterize the POTUS as in command of the NSA. He is responsible and accountable for them, but he is not in command. The continued incapability of HNers to internalize basic facts listed on Wikipedia suggests, how did you put it, that they are either "dumb" or choosing "not to exercise their capability" in understanding their government. I think I like your false dichotomy after all.)
POTUS can fire the head of the NSA. Truman fired Macarthur.
It's an interesting discussion the extent to which reality matches the law, but according to the US Constitution Obama is in command of the NSA.
The authority that the POTUS has over the NSA is more analogous to that of a CEO over a departmental division than that of a general over a battalion. As I said, the POTUS is responsible and accountable for the NSA, in the same way he is responsible and accountable for what our diplomats and ambassadors say to foreign governments, in the same way he is responsible and accountable if the FCC fails to secure network neutrality.
One of the more interesting consequences of this is that, if you were to place the USAF under the authority of the NSA, it would not violate the principle of civilian control of the military.
This is getting tiring.
Take a look at this list of former Directors of the NSA and count how many are ranking uniformed military officers. Spoiler: since the founding of the agency, all 17 of them.
They could at least throw a few over the fence and get their names in some advisories to at least pretend there is a shred of truth to this.
This is a dishonest argument - many of the zero days held by the Chinese are likely to be the same zero days being withheld by the N.S.A., so by disclosing them the N.S.A. would be dealing a huge blow to our adversaries' offensive capabilities.
The NYT should have gotten a quote to counter-balance this argument from a "senior intelligence official" (upon whom they shamefully, but predictably, bestowed anonymity). Now many of the people reading this article will come away believing this is akin to nuclear disarmament, which is a totally inapt comparison.
I'm with you on the rest of your points but not on this one. Balance would be nice but anonymity is often key to good reporting. There's nothing shameful about soliciting a quote and then keeping that person anonymous.
In narrow circumstances, such as whistle-blowing where the source would face harm from a disclosure of their identity, anonymity is both appropriate and essential (and in such a case it's essential for the newspaper to do as much verification as possible before conferring anonymity). But a government employee spewing pro-government propaganda does not need the protection of anonymity.
Edit: reworded for clarity.
> During his shuttle diplomacy in the Middle East, Kissinger insisted on anonymity even though the information was reported by the press traveling with him and attributed to the "senior official on the plane." On one of Kissinger's sojourns, humorist Art Buchwald attributed information to a "high U.S. official with wavy hair, horn-rimmed glasses and a German accent."
> Periodically, journalists grow weary of the insistence on anonymity and rebel. But generally not for long.
> In 1971, then-Washington Post Executive Editor Ben Bradlee ordered that information provided by Kissinger about a pending summit meeting be attributed to him because it was simply too important to be reported anonymously, according to Walter Isaacson's book "Kissinger."
> "The Post's action caused a widespread realization that reliance on backgrounders had gone too far," Isaacson wrote. Nevertheless, the White House Correspondents Association soon passed a resolution agreeing to abide by Kissinger's briefing rules.
How does it help us, the public, to let Kissinger choose when to make anonymous statements?
Overall that American Journalism Review link points out that time and time again, with only a few exceptions, anonymity is abused.
Are you sure?
Emphasis added is mine.
The "in most circumstances" means they can pretty much do whatever the hell they want.
Why is there not more of a furore about this? When Bush set up (and it was found out) about the extensive activities of the NSA, the reaction was vitriolic in every sense of the word. Here Obama is tacitly agreeing to similar intrusion. This is not a comment on Bush vs Obama, it is more a comment on the media and public reactions.
Kudos to them for switching it to a much more accurate description of the situation.
More generally, it's a convenient if limited way into the publishing process. It deserves scrutiny, all the more so for those PR-type articles that essentially try to convey nonsense.
The new title doesn't seem to fit well with the rest of the article, though.
Also, the US has a much larger attackable surface area and far more to lose in this domain. So it makes perfect, cynical sense if the US government wants internet security in general to be better.
Just like a naval power with strong international trade interests has reasons to keep shipping lanes open to all and to deter naval piracy.
None of this requires benevolence, it's all self-interested
By very direct corollary, one would hope the NSA regards keeping the digital lanes of communication open as one of its principal missions. Trade begets economic interdependence. It's tough to go to war with major trade partners.
"When Federal agencies discover a new vulnerability in commercial and open source software ... it is in the national interest to responsibly disclose the vulnerability rather than to hold it for an investigative or intelligence purpose."
I have to scratch my head because I can't reconcile this. I also can't reconcile what meaningful impact the White House statement will have since it has such a vague loophole. The White House statement reminds me of when Putin plays lip service to democratic processes inside Russia. Lots of words, little if any meaning or change.
> But Mr. Obama carved a broad exception for “a clear national security or law enforcement need,” the officials said, a loophole that is likely to allow the N.S.A. to continue to exploit security flaws both to crack encryption on the Internet and to design cyberweapons.
But Mr. Obama then went on to say "discount everything I've just said, the NSA should go on with business as usual, interpreting all current and future situations to further their offensive needs regardless of what is best for the American people or becoming of a modern democracy."
Or a law enforcement need? So this is almost pointless then. Don't expect regular iPhone or Android bugs to be reported, because law enforcement uses them all the time to tap people, so of course in their view there's a "need" for them.
He should've just left it to NSA only, and for very specific cases, if at all. Everyone else (FBI, police, DHS, etc) should be reporting the exploits.
As it is, don't expect them to reveal more than one relatively major bug every 2 years or so - and even that sounds optimistic, I think.
Is this supposed to apply to instances where the flaw affects the competition more than civilians -- say, a security flaw that somehow disproportionately affects Iran, China and Russia over the US? (there are obvious reasons why the government cannot explicitly acknowledge this, but I'm wondering if this is a direct implication)
If they find something which they don't see any chatter about on any of these sources, then it's reasonable to presume no one has found it. Moreover, actually exploiting heartbleed would leave a signature. You can fake SSL certificates, but eventually someone has to lose their money, or some innovation has to come out of the blue. MitM's involve traffic diversions unless they're conducted at a government level.
Espionage always leaves a trail - even if you don't know where someone gets their intel, you can always tell they must be getting it somehow.
Snowden's leak suddenly left people wondering if the United States itself posed the greatest threat to the US's own "cyber security." There is little doubt that the revelations did severe and lasting damage to US companies who want foreign customers.
Today the problems are, someone might have been able to access your Yahoo mail in the past two years. As computing and bandwidth expands and blends in to the background, future exploits will be things like, every moment, visual and audio, of the past two years of your life, was recorded and is available to playback in full detail. For better or worse, of course the government will get heavily involved.
It was base-level obvious that the US, EU and every other nation had cyber-warfare programs because there was no technical reason they couldn't, and the risks were the same as they were to China and others: it's an invisible, zero-casualty engagement, indistinguishable from the actions of lone individuals or groups.
Moreover, it should always have been apparent that things inside the US could be arbitrarily subjected to search and seizure. This is not a problem companies are unfamiliar with - mining companies are big on sovereign risk, but moreover, it's not like Microsoft stores its technical data on Google cloud services, for exactly the same reasons.
The most surprising thing which has been disclosed nowhere by the Snowden leaks is any evidence of the NSA passing stolen technical schematics or plans off to US companies for competitive advantage. I'm sure a lot of people will insist this totally happened, but no one has come up with hard evidence that it has.
(The Coverity Scan contract expired in 2009, but Coverity found out that finding bugs in open source software is a great marketing campaign anyway, and continued the service.)
Actions, not speeches, count.
"The government/administration/specific department" is the headline when it is negative. Look out for it...
It's almost as inaccurate as "NSA says it should disclose exploits."
"Obama Lets N.S.A. Exploit Some Internet Flaws, Officials Say"
Read: unless we really want to.
In black and white hat circles it is understood that using an internet security flaw is in fact revealing it, as your adversaries find out by such acts.
His executive order has no rational meaning in that context, the context of NSA's mission, the CIA's mission or DoD's mission.
What does Obama think, we're effing five?
Go to hell you fucking snake.