NSA's first and overriding mission is in conducting signals intelligence against our adversaries. As people have pointed out here and elsewhere: regardless of what other missions NSA may have crept into in the last 40 years, when SIGINT comes into conflict with some other NSA mission, SIGINT wins.
(This analysis is descriptive, not normative.)
But it seems like it's just words and business as usual.
I'm curious what their response would be in the perfect storm scenario. A foreign country or criminal enterprise causes severe damage to much of the US. Both the intelligence agencies, government secrets, and the technology industry are severely impacted, crippled even. And the enabler? A series of vulnerabilities they didn't disclose.
How much damage has to be done before people wake up and realize that what NSA is doing is effectively pointing armed nuclear warheads at high-value targets in the US and giving our enemies the controls? The fact that NSA refuses to disclose serious vulnerabilities is an indication to enemy governments and criminals that spending money finding these vulnerabilities is going to be an extremely effective tactic.
I mean this seriously: this is actively telling our enemies how to attack us. How is this not treason?
> Treason against the United States, shall consist only in levying War against them, or in adhering to their Enemies, giving them Aid and Comfort.
"If we have a policy of not disclosing the vulnerabilities we know, what we're really doing is promising foreign countries that the exploits they discover against us will work forever."
Consider that while something like Heartbleed would be an enormous asset to the NSA, if both NSA and a foreign power found out about it at the same time it'd provide the foreign power with a disproportionate benefit because they'd likely have fewer other ways of infiltrating many sites.
I'm sure that in situations where they're confident they're the only ones with the knowledge, they'll still hold off on releasing anything.
You forget to mention the assumption that NSA willfully ignores the IA component of its mission.
How can they be sure? They simply can't. And this means they're putting US business at risk for their own benefit.
(The other way to put US business at risk is via worldwide reputation damage.)
I doubt this makes US companies more interesting for investors.
And yet that didn't prevent them from sitting on Heartbleed for two years (since approximately the moment it was introduced).
This is a PR move.
Compare this to GITMO
"GITMO sucks, I vow to close it immediately" -- "Oh congress blocks me, my hands are tied! Tear!"
"Security vulnerabilities suck, I vow to make them open!" -- "Oh look at that, the security apparatus says it makes US vulnerable, my hands are tied! Tear!"
But when it comes to pure presidential powers like killing people in foreign countries from the skies, his hands aren't tied.
One way to start to repair their reputation would be to responsibly disclose some vulnerabilities and then take credit for their disclosure. That might motivate whitehats to join them, and whitehats are exactly the type of people they need.
In 10 years, the US is going to be in trouble unless they can continue recruiting good hackers. In 20 years, they'll be in serious trouble when foreign powers have clearly begun dominating the SIGINT arena. And at the rate technology is changing, those timelines seem optimistic.
The NSA can likely get all the recruits it needs by just offering the chance to hack with legal immunity.
We also kind of want the NSA to stop monitoring the whole network.
On the internet, and to global citizens, what you write amounts to "screw those people" (non-US Hacker News readers).
I don't believe the NSA's mission comes into conflict with Obama's order, it merely suggests the NSA change how they go about their mission. But it's still just as clear to me how one would solve it, and IMHO they would have an easier time going the social engineering route anyway.
Perhaps I should explain my reasoning a bit then.
midas007: It seems like just another lie
tptacek: I don't think he's lying. I don't think he understands what he's saying.
me: To paraphrase President Nixon, the President ought to know whether or not he himself is a crook.
So if tptacek is correct in that Obama doesn't actually understand what he is saying, the universe divides into two possibilities. In universe (1) Obama is so dumb as to be incapable of understanding the issues involved. In universe (B) Obama has the capability to understand the issues but has for some reason chosen not to exercise it.
Because Obama is a scholar, I assert that (1) is unlikely. Thus Obama, like many of us when confronted with complex but ultimately tractable problems (such as optimal Pokemon strategy), has made a conscious decision not to immerse himself deeply in the issue.
This represents a problem for Democracy because the President is our civilian leader who is supposed to be in command of the military. If in fact it is the military/intelligence that is leading him, then the Presidency has failed.
C.f. Reagan https://en.wikipedia.org/wiki/Iran%E2%80%93Contra_affair
> This represents a problem for Democracy because the President is our civilian leader who is supposed to be in command of the military. If in fact it is the military/intelligence that is leading him, then the Presidency has failed.
Democracy is not a government of presidents. It is a government of people. I agree that you can usefully argue that "the Presidency has failed", but the existence of the Presidency was always a hack, in software terms. It was never a well-designed system; it was a convenience which has been subject to feature creep due to a long history of abuse and counter-abuse. Try to put yourself in the Founders' shoes and seriously think about the question of why the executive branch needs to be headed by a single person; it doesn't. It was just easier that way.
To fix this, the response isn't to whine about NSA overreach or Presidential doublespeak. It's to actually establish a democracy.
(P.S., it is inaccurate to characterize the POTUS as in command of the NSA. He is responsible and accountable for them, but he is not in command. The continued incapability of HNers to internalize basic facts listed on Wikipedia suggests either, how did you put it, that they are either "dumb" or choosing "not to exercise their capability" in understanding their government. I think I like your false dichotomy after all.)
POTUS can fire the head of the NSA. Truman fired MacArthur.
It's an interesting discussion the extent to which reality matches the law, but according to the US Constitution Obama is in command of the NSA.
The authority that the POTUS has over the NSA is more analogous to that of a CEO over a departmental division than that of a general over a battalion. As I said, the POTUS is responsible and accountable for the NSA, in the same way he is responsible and accountable for what our diplomats and ambassadors say to foreign governments, in the same way he is responsible and accountable if the FCC fails to secure network neutrality.
One of the more interesting consequences of this is that, if you were to place the USAF under the authority of the NSA, it would not violate the principle of civilian control of the military.
This is getting tiring.
Take a look at this list of former Directors of the NSA and count how many are ranking uniformed military officers. Spoiler: since the founding of the agency, all 17 of them.
They could at least throw a few over the fence and get their names in some advisories to at least pretend there is a shred of truth to this.