NSA Considers Its Networks Compromised
Orome1 writes "Debora Plunkett, head of the NSA's Information Assurance Directorate, has confirmed what many security experts suspected to be true: no computer network can be considered completely and utterly impenetrable — not even that of the NSA. 'There's no such thing as "secure" any more,' she said to the attendees of a cyber security forum sponsored by the Atlantic and Government Executive media organizations, and confirmed that the NSA works under the assumption that various parts of their systems have already been compromised, and is adjusting its actions accordingly."
Definition of security (Score:4, Interesting)
Security is achievable provided you start with good parameters. Believing your systems are "unhackable" is silly. No physical security is impenetrable, why would electronic security be different? But what you can do is make the cost of breaching that security more than the value of whatever it is being protected. Keep in mind though that what you're protecting also includes access, not just the data itself.
Problem is, in the private sector you have all these companies trying to control the internet, instead of keeping it as a public commons. The net result is that the cost to access it is often the main price consideration, at least in the United States.
Open source government? (Score:0, Interesting)
So to me this raises a fundamental philosophical question: why keep secrets at all, as a government? Unless of course what "we" do as a government is fundamentally evil to begin with? Should government be open-sourced in the sense that it should be fully (100%) transparent? If full transparency works wonderfully in the coding world, why would it not work in the realm of the government... unless again, the things we wish to keep secret are things that are fundamentally evil and immoral, like WikiLeaks had repeatedly proven already?
Think of systems as prisons (Score:5, Interesting)
In other words, no internal trust. You eliminate all assumptions in-house with the requisite sandboxes, minimal privileges, etc. Like prison: no one is your friend, you merely have alliances that can be severed at the moment that trust is no longer needed.
Good for them (Score:4, Interesting)
If you've played around with any rootkits you know how devious an attacker can be with your system. If you read about the Gawker story, they had a couple signals that their systems were compromised but nothing catastrophic had happened so they carried on their merry way.
This is how most businesses are approaching IT security: if it ain't broke, don't fix it.
It almost takes a govt organization to sit down and say "wait a minute, we could be hacked and not even know it". Especially a very, very high profile target like the NSA. They're facing legions of hackers funded by foreign governments. This isn't the dawn of the Internet anymore, it has to be taken seriously.
Re:Well (Score:5, Interesting)
They didn't say their networks are compromised. To be on the safe side, they just assume they are.
Yep it's a RIAA/MPAA model. Assume guilt until proven otherwise, in this case compromised until proven otherwise. Makes you wonder what the NSA is really good for.
Wow...you've leaped from a national security organization adopting a policy of extreme care to a comparison with the recording industry lawsuits. Do you have some sort of associative-compulsive disorder or are you really stating there is any relationship between the two? Or are you just bitter?
Re:Which is the sane thing to assume (Score:3, Interesting)
If you have on your computer:
- access to online banking;
- personal information;
- spare CPU to do somebody else's processing;
- spare bandwidth to store or handle someone else's illegal data;
- company confidential information;
- etc...

... you are an electronic jewelry store.