Yes, securing the endpoint is hard, especially given the non-hardened OS and applications we mostly use. However, you can't extrapolate from that to say with certainty what has and hasn't been exposed via security flaws.
The USSR was much more successful at espionage than the US was, and they took a low-tech approach to it. For decades, they developed contacts within the govt, gave them money, and had documents handed to them by authorized insiders.
Let's not assume computer exploitation is the only culprit. History has shown a variety of techniques, even very low-tech ones, have been employed for espionage and it's impossible as an outsider to determine how much has been taken, by whom, and by what means.
> > First, the journalists working with the documents.
> Bruce Schneier is falling into the trap of saying since computer security is hard, the NSA has certainly been compromised and we can assume these docs have been out there for a while.
The NSA has been compromised. By Snowden. There's no assumption there, that's fact. Now, access to the documents no longer just means having NSA access (or a complicit person with access) or hacking the NSA, it includes access to any system or person who has access to all the files, which are no longer restricted to NSA servers. It's no longer about what the NSA's security practices are.
> The open question is which countries have sophisticated enough cyberespionage operations to mount a successful attack against one of the journalists or against the intelligence agencies themselves. And while I have my own mental list, the truth is that I don’t know. But certainly Russia and China are on the list, and it’s just as certain they didn’t have to wait for Snowden to get access to the files.
The most obvious example is when one country manages to uncover another country's nuclear assets to such a high degree of confidence it feels (rightly or wrongly) it can make a 100% successful first strike.
The explanation is called protecting intelligence sources: Russia, China - or whoever had their spies inside NSA long before, can now act on the intelligence they got without triggering counterintelligence alarms.
The spy you know about is much less dangerous than the spy that you don't know about.
Edit: corrected number of diplomats & added citation
Those people are administrators. Your actual covert operatives will never interact with the embassy in a detectable/obvious way.
What is the probability that at least one guy with the same access as Snowden spied for China or Russia? I would say close to 1.0.
Even with oaths and allegiances, the probability that Snowden is the only one to take advantage of the lax security in the NSA is 0.
In my experience, the NSA performs its own security clearance checking and does not use the OPM for this function, but, in any case where OPM did perform a background check, that background check provided China with far more compromising information than China otherwise would have had.
That people place such faith in vetting in the first place is a huge problem. Furthermore, background checking performed by most of the rest of the US government has actually been a huge source of actionable intelligence for our enemies.
In my opinion, it is not possible for an organization the size of the NSA to keep its secrets. It's, what, 1000x larger than the Manhattan Project? And, would you say that James Clapper's intellect was in the same ballpark as those of Leslie Groves and Robert Oppenheimer?
In fact, when confronted with opportunities to avoid mistakes, the US government's reflexive response is compulsion toward secrecy so as to avoid reform. I.e., so much of this secrecy is motivated by desire to escape oversight, rather than to provide our nation actual advantage over rivals. If the latter were our goal, oversight and strictly limiting classification to the most sensitive subset of weapons research and ongoing military operations would be a road to it. Instead, such approaches are termed dangerous and even intellectual property normalization treaty negotiations are treated as military secrets in order to protect the power of entrenched political influences.
When secrecy is so rampant that it makes it impossible for us to keep secrets, you might ask why we have so much fucking secrecy.
Of course no one can say foreign spies inside the NSA or access to their top secret files is impossible, I'm simply suggesting it's safer to assume this is not likely, and comparing the NSA to civilian corporations in this regard is unreasonable.
His points are:
* China and Russia probably ALREADY had access to that material BEFORE Snowden, based on the NSA's poor internal security.
* Now that journalists have the remaining unpublished Snowden documents, any nation-state can hack the journalists.
That said, it's also possible he got lucky. He lives in a fairly isolated farmhouse with a lot of dogs, so maybe it really is hard to do a black bag operation on him. And I'm not sure how even a nation state could do a purely internet-based attack on an air-gapped computer.
That said, Laura Poitras in bustling Berlin or an entire major newspaper might be an easier target ...
That incident where British government officials destroyed the laptop containing The Guardian's copy of the documents makes more sense in light of this.
It's hard to know how bad or good the US's security is, because most intelligence operations are secret and I don't know enough about the field to have a standard by which to judge it. Maybe these things are the norm for most governments.
I would not be surprised if other governments already knew much of what Snowden made public. Some secrecy clearly is necessary for governments but how often does "secret" merely mean "unknown to the public" (but already known to enemies)?
This is necessarily the case. People are the biggest flaw, followed by technology itself, which is expected to be cheap and easy.
But I think the most common use of it is probably the fact that politics is a game of hypocrisy, and you can't play unfairly if you don't get to keep secrets.
EDIT: and it was worth it, excellent article.
There is a lot of spin when it comes to security.
It's pure speculation from Schneier. Also interesting that Schneier has not mentioned this article on his Twitter.