Classified Cyber-Security Directive Puts NSA In Charge

dpreformer sends word that President Bush signed a classified directive Jan. 8 (it only came to light this week) putting all cyber-defense and counter-offensive activity for government networks under the aegis of the National Security Agency. Previously, federal agencies had disparate intrusion and attack monitoring programs. The directive does not address private-sector networks and systems. While some lawmakers and civil-rights advocates are unhappy with expanding the NSA's role domestically, one alternative that was considered and rejected — putting Homeland Security in charge — might have been worse. "A proposal last year by the White House Homeland Security Council to put the Department of Homeland Security in charge of the initiative was resisted by national security agencies on the grounds that the department, established in 2003, lacked the necessary expertise and authority. The tug-of-war lasted weeks and was resolved only recently, several sources said."

From a technical perspective ...

[ScrewMaster]

these guys do know what they're doing so far as security is concerned, that's true. The problem here, though, is less one of technical expertise as it is enforcement of standards and security best practices. The NSA would be the one of the best groups, I'd say, to lay out those standards in the first place ... whether they're a wise choice to enforce them is another question entirely. I don't have an answer to that.

Classified Governance.

[Irvu]

While this is not the most secret of the secretive (for years the very existence of the NSA was a secret) the fact that duties this big were assigned by a classified letter is appalling. When you couple this with the use of National Security Letters to compel the handover of goods to any thug in a trenchcoat it more and more appears that the goal of the present administration is to produce a kingly executive. One where oversight by the public and for the public is nonexistent and the whole process is simply inscrutable to us even as were are expected to knuckle under.

It is also interesting to me that it comes from this president who campaigned on the idea of a less controlling government, a smaller government, one that stayed out of our lives. This was based largely on the accusation that Clinton's favoratism for "Hate Crimes" legislation was an invasion of our privacy. It would be ironic if it was the least bit funny.

What I find is most interesting through is the use of the NSA in this manner. In many ways it is a textbook illustration of the way in which powers and agencies once built simply grow to fill all space they can. The NSA as initially instituted was a cold-war shop with the sole purpose of tapping and securing communications abroad while the existence of the group was a secret (many Americans were not aware of it until the 70's and the publication of the book "The Crystal Palace") it was, like the CIA, clearly setup to operate abroad and to spy on everyone but Americans.

It was, for lack of a better description a tool intended to work with us against others. With this addition that role has formally changed (it practically chainged with the AT&T hypocracy). While the formal change has been a secret the fact of the matter is that ever more of our resources are being turned inwards, onwords. Ever more effort is being expended to spy on us, on Americans with the understanding that our own government fears us as much or more than the rest of the world or at least that our own resources are better spent to attack us than others.

The idea of an executive floating on hostile seas rather than operating in safe waters has one crucial flaw. Dictators fall, and take everything around them, with them.

Re:As eerie as it is...

[Amorymeltzer]

It seems like the impetus for this is to give the NSA greater powers to protect the government from "cyber-attacks." In that vein, it's a smart move - hell, it is the National Security Agency.

I doubt it's that contained. The government protecting itself by better monitoring its own channels is obvious, but it's hard to disconnect the NSA from their past. As TFA said, "The NSA has particular expertise in monitoring a vast, complex array of communications systems..." This whole thing sounds to me like steps to make their dubious actions more allowable. That's how you'd start it anyway, first declare the NSA in charge of protecting the government. Then, since "90% of the threat" lies in the private sector, it needs to protect that. And so on.

At the very least, though, it's nice to know that some things are being done to make some of the important machines more secure.

That stooge Paller is quoted in the article, again

[Jeremiah Cornelius]

Does he blow Schmidt and Clarke for a living? Why is he always quoted in these propaganda stories about InfoSec - not Schneier?

"If you're looking for needles in the haystack, you need as much data as you can get because these are really tiny needles, and bad guys are trying to hide the needles."

So what this fascist stooge is saying translates thusly: "When trying to find a needle in a haystack, what you really need is to gather all of the hay in the world into one pile. There's probably some needles in there!"

Bullshit. To find meaninful events, you are critical and selective. When looking for needles in metaphoric haystacks, you are best able to succeed with smaller haystacks. Anyone who has ever performed log analysis understands wht I always called "the bigger haystack problem". Log everything, and finding meaningful occurrences becomes impossible - or at least requiring too much effort for the value of the event.

Paller is a surveillance apologist, masquerading as a "security guru."

P.S. How do you really find a needle in a haystack? With a match.

Lifetime of USA classified secrets: 18 days

[mosel-saar-ruwer]

dpreformer: President Bush signed a classified directive Jan. 8

Ellen Nakashima; Washington Post Staff Writer; Saturday, January 26, 2008; A03: ...According to congressional aides and former White House officials with knowledge of the program, the directive outlines measures collectively referred to as the "cyber initiative," aimed at securing the government's computer systems against attacks by foreign adversaries and other intruders...

January 26 - January 8 = 18 days.

I.e. it takes less than three weeks for "Congressional Aides" to leak our most sensitive secrets to our enemies.

I don't know why we even bother to have secrets.

In fact, the level of treason in Washington DC is so high these days that I don't even know why we bother to have a military or an NSA.

We might as well just run up the white flag and let the Chinese enslave & sodomize us.

Re:As eerie as it is...

[rhizome]

The NSA's probably the most qualified.

That may be so, but it doesn't speak to the fact that this move is designed to remove domestic surveillance from judicial review. If the NSA gets it, nobody will ever find out about any abuses, not to mention that the NSA is a policy agency and this kind of "protection" would be better put to a military arm of the government.

The Government computer security mess

[Animats]

This is basically about internal U.S. Government computer security. The problem is that the last three agencies assigned this task blew it. Early on, computer security was under NIST, which is really the old National Bureau of Standards. They were just an advisory agency on this. There was also an NSA effort, about which more later.

There's a National Cyber Security Division of Homeland Security. When it was set up, it was headed by Amit Yoran, who actually knew something about the subject. He was unpopular because he publicly mentioned the vulnerabilities of Microsoft operating systems as the biggest single problem. So he was replaced by Gregory Garcia, a lawyer and 3COM's lobbyist in Washington, who has accomplished little, if anything.

The General Services Administration, which handles public buildings and purchasing for most of the U.S. Government, has a role in computer security, but they haven't accomplished much. other than some vendor evaluation.

NSA first got into computer security in the 1980s, when I had some dealings with them. They had an institutional problem. First, it wasn't about the USSR, on which NSA used to be narrowly focused. Second, the computer security effort was located at the "Friendship Annex", which was NSA's lower-security facility near Friendship Airport (now BWI). FANX was where NSA's less important stuff was done - personnel, accounting, etc. Being assigned to FANX was a big career step down within NSA.

NSA went at computer security in the same way they went at safes and locks - you build it, they break it. NSA policy on evaluating the security of computer products was that the vendor got two tries. On try one, NSA told the vendor what was wrong. Try two was pass/fail - if they could break it, it flunked, and went on the rejected list. Vendors hated this.

Under heavy pressure from vendors, security evaluation was outsourced to third party companies, and vendors could retry forever until they wore down the evaluators. The higher levels of security (fully verified everything) were dropped from the evaluation criteria.

NSA Secure Linux was a good idea that didn't really catch on. Most Linux people don't get the point of NSA Secure Linux. It's not about making Linux more secure. It's about getting applications rewritten to work under a tight security model. Unless applications are rewritten to have only very small and heavily verified trusted parts, NSA Secure Linux doesn't help much.

Re:Lifetime of USA classified secrets: 18 days

[The Anarchist Avenge]

You want a government obsessed with keeping secrets from its people? I hear North Korea is looking for sympathetic American people to use for propoganda, maybe you should go there and let us over here have some measure of transparency in our government. I'm goddamn thankful that this was leaked, I personally like to know where my tax dollars are going. You're right though, the level of treason in Washington is unacceptably high, but it's the corrupt politicians selling us out for money and power, not the aides leaking information like this, who are the traitors to the American people.

Re:No political appointees at NSA

[rhizome]

There are no -- as in none -- political appointees at NSA. Not a one.

I think it's a quibble to say that politics haven't played a role in the nomination and confirmations of Negroponte and McConnell, among others.

NSA has back door to all encryption software.

[leftie]

You guys are in denial. You think there's a single public encryption application the NSA hasn't got an easily opened back door into?

Ever heard of Crypto AG?

"It may be the greatest intelligence scam of the century: For decades, the US has routinely intercepted and deciphered top secret encrypted messages of 120 countries. These nations had bought the world's most sophisticated and supposedly secure commercial encryption technology from Crypto AG, a Swiss company that staked its reputation and the security concerns of its clients on its neutrality. The purchasing nations, confident that their communications were protected, sent messages from their capitals to embassies, military missions, trade offices, and espionage dens around the world, via telex, radio, teletype, and facsimile. They not only conducted sensitive albeit legal business and diplomacy, but sometimes strayed into criminal matters, issuing orders to assassinate political leaders, bomb commercial buildings, and engage in drug and arms smuggling. All the while, because of a secret agreement between the National Security Agency (NSA) and Crypto AG, they might as well have been hand delivering the message to Washington. Their Crypto AG machines had been rigged so that when customers used them, the random encryption key could be automatically and clandestinely transmitted with the enciphered message. NSA analysts could read the message traffic as easily as they could the morning newspaper. The cover shielding the NSA-Crypto AG relationship was torn in March 1992, when the Iranian military counterintelligence service arrested Hans Buehler, Crypto AG's marketing representative in Teheran...."

http://mediafilter.org/caq/cryptogate/ [mediafilter.org]

It's not like people can read through the machine language output of a crypto application to make sure there isn't anything extra that been attached to the output that gives away the key. It's encrypted. it looks like garbage.

All the NSA has to do is either get someone to join the project helping develop the software, or swap the download file with one that includes whatever the NSA wants included. Matter of fact... how do you know the developers of, for example, "true crypt" isn't the NSA itself?

This is the Bush Administration, dude. The most secrecy obsessed White House in US History. They've got the FBI tracking and conducting surveillance like little senior citizen Quaker pacifist groups.