Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Security Government News Your Rights Online

Classified Cyber-Security Directive Puts NSA In Charge 109

dpreformer sends word that President Bush signed a classified directive Jan. 8 (it only came to light this week) putting all cyber-defense and counter-offensive activity for government networks under the aegis of the National Security Agency. Previously, federal agencies had disparate intrusion and attack monitoring programs. The directive does not address private-sector networks and systems. While some lawmakers and civil-rights advocates are unhappy with expanding the NSA's role domestically, one alternative that was considered and rejected — putting Homeland Security in charge — might have been worse. "A proposal last year by the White House Homeland Security Council to put the Department of Homeland Security in charge of the initiative was resisted by national security agencies on the grounds that the department, established in 2003, lacked the necessary expertise and authority. The tug-of-war lasted weeks and was resolved only recently, several sources said."
This discussion has been archived. No new comments can be posted.

Classified Cyber-Security Directive Puts NSA In Charge

Comments Filter:
  • It might not be TOO bad of a move. Making one agency group head of related projects might make it more efficient. Uh, this being a government agency might just blow my theory out of the water though...

    • Worse. a relative evaluation of the possible alternatives - begging the question:
      "Worse, for whom?"

      By the way - welcome to East Germany!

    • dpreformer: President Bush signed a classified directive Jan. 8

      Ellen Nakashima; Washington Post Staff Writer; Saturday, January 26, 2008; A03: ...According to congressional aides and former White House officials with knowledge of the program, the directive outlines measures collectively referred to as the "cyber initiative," aimed at securing the government's computer systems against attacks by foreign adversaries and other intruders...

      January 26 - January 8 = 18 days.

      I.e. it takes less than three w
      • Re: (Score:3, Insightful)

        You want a government obsessed with keeping secrets from its people? I hear North Korea is looking for sympathetic American people to use for propoganda, maybe you should go there and let us over here have some measure of transparency in our government. I'm goddamn thankful that this was leaked, I personally like to know where my tax dollars are going. You're right though, the level of treason in Washington is unacceptably high, but it's the corrupt politicians selling us out for money and power, not the
      • by nuzak ( 959558 )
        > the level of treason in Washington DC is so high these days

        Indeed, but we still keep the chief executive in office.

        Leave my country you fucking jackboot thug.
      • Our enemies are Washington Post Staff Writers?
      • is to improve our average IQ by leaving immediately. You'd make a good North Korean.
  • As eerie as it is... (Score:5, Interesting)

    by Lally Singh ( 3427 ) on Saturday January 26, 2008 @02:33PM (#22195148) Journal
    The NSA's probably the most qualified. Friends of mine who've worked there are some of the brightest people I know.

    That said, I'm still pretty unhappy with them over the domestic spying. They really should have known better --- the damage to the democracy far outweighs the security loss involved. Thankfully my friends stopped working there before all this started... well AFAIK, clearances & all.

    This is essentially an official statement, as I'm sure they're reading it right now.
    • Re: (Score:2, Funny)

      Friends of mine who've worked there are some of the brightest people I know. ...

      Thankfully my friends stopped working there before all this started..

      So, it's just the evil geniuses who are left?

    • by Amorymeltzer ( 1213818 ) on Saturday January 26, 2008 @02:47PM (#22195238)
      It seems like the impetus for this is to give the NSA greater powers to protect the government from "cyber-attacks." In that vein, it's a smart move - hell, it is the National Security Agency.

      I doubt it's that contained. The government protecting itself by better monitoring its own channels is obvious, but it's hard to disconnect the NSA from their past. As TFA said, "The NSA has particular expertise in monitoring a vast, complex array of communications systems..." This whole thing sounds to me like steps to make their dubious actions more allowable. That's how you'd start it anyway, first declare the NSA in charge of protecting the government. Then, since "90% of the threat" lies in the private sector, it needs to protect that. And so on.

      At the very least, though, it's nice to know that some things are being done to make some of the important machines more secure.
    • by rhizome ( 115711 ) on Saturday January 26, 2008 @03:25PM (#22195448) Homepage Journal
      The NSA's probably the most qualified.

      That may be so, but it doesn't speak to the fact that this move is designed to remove domestic surveillance from judicial review. If the NSA gets it, nobody will ever find out about any abuses, not to mention that the NSA is a policy agency and this kind of "protection" would be better put to a military arm of the government.
      • Re: (Score:3, Informative)

        NSA is DOD Agency
        • by rhizome ( 115711 )
          NSA is DOD Agency

          Staffed and run by a lot of political appointees.
          • by Derling Whirvish ( 636322 ) on Saturday January 26, 2008 @08:19PM (#22197226) Journal

            >>NSA is DOD Agency

            >Staffed and run by a lot of political appointees.
            There are no -- as in none -- political appointees [akamaitech.net] at NSA. Not a one.
            • Re: (Score:3, Insightful)

              by rhizome ( 115711 )
              There are no -- as in none -- political appointees at NSA. Not a one.

              I think it's a quibble to say that politics haven't played a role in the nomination and confirmations of Negroponte and McConnell, among others.
              • I think it's a quibble to say that politics haven't played a role in the nomination and confirmations of Negroponte and McConnell, among others.

                Neither of those are working at NSA in any capacity. Negroponte is the Deputy Secretary of State and before that he was the Director of National Intelligence. Neither position is in the National Security Agency. Mike McConnell is the current Director of National Intelligence, having previously served as the Director of the NSA having been appointed as such by the Department of Defense like any other flag command position in the military commanded by a general or admiral. But that still doesn't make anyone

                • The NSA is a DoD agency with no vacancies that are filled by political appointment. There are NO political appointees in it. None. Not a one. Not now. Not ever.

                  Dood, in the case in which you haven't been paying attention - and by your remarks that would appear to be the case - NSA has (along with CIA, DIA, CIFA, DTO, etc., etc., etc.) outsourced many, far too many of its intel functions, thanks in part to the Bush administration - although it started back in the Clinton era. So, its fundamentally a moot

                • by rhizome ( 115711 )
                  It would be like saying that since Richard Carmona was appointed Surgeon General from his position as chairman of the State of Arizona Southern Regional Emergency Medical System (ASREMS) that the ASREMS has political appointees in it. Absurd.

                  This may be news to you, but merely saying something is absurd doesn't make it so. It would be like me calling you stupid. As to your assertion above, it's not where you're from, it's where you're at.

                  • Sorry, but claiming that just because someone was appointed to a political position later in life makes all the previous organizations with jobs he/she held, also have positions of political appointment IS absurd. Maybe he worked for McDonald's in high school. Does that mean that McDonald's has political appointees in it? It must following your (il-)logic. And it IS absurd.
        • They aren't a DOD agency in the normal sense. They have a flag officer, but they are outside of DOD for all intents and purposes. The DOD already has a joint network protection group (JTF-GNO) and they are monitoring and protecting their networks across the three branches fairly well now. NSA provides input and expertise, but they aren't doing any of the actual work. The agency that is supposed to be doing this is DISA, but their too screwed up to do anything but manage the telco stuff (and poorly at t

          • by n0-0p ( 325773 )

            They aren't a DOD agency in the normal sense. They have a flag officer, but they are outside of DOD for all intents and purposes. The DOD already has a joint network protection group (JTF-GNO) and they are monitoring and protecting their networks across the three branches fairly well now. NSA provides input and expertise, but they aren't doing any of the actual work.

            Wow, someone should really tell that to the half of the NSA in the Information Assurance Directorate [nsa.gov], not to mention the military units that

            • Read what I wrote again. It didn't dispute that they fall under the Secretary of Defense and were not technically a DOD agency. While they do fall under the Secretary of Defense, and have military personnel, they are outside of the normal DOD functions and function a bit more like a sole-source contractor for the functions they provide the military (intel, comsec, IA functions). They provide services to the army/navy/airforce but do not answer directly to them.
              • by n0-0p ( 325773 )
                I'm not sure what exactly you mean. The SID half of NSA is the hub of the signals intelligence and information operations mission for the DoD. Ft Meade houses the SigInt and IO hub for every branch of service, including the 704th Military Intelligence Brigade, Naval Network Warfare Command, 694th Intelligence Group, and Marine Cryptologic Support Battalion (never ignore the Marines). Then you have the RSOCs and field sites, which are pretty much all military installations, receiving their tasking from and r
                • I was referring to primarily the IAD, which as far as we can tell was the focus of the Directive that Bush signed. As someone else posted, they certainly have the IA expertise and capability on the signint side of the house, but it's not clear if they have the manpower or resources to implement the full scope of the directive. Of course, looking at Bush and Cheney's record there will probably be a sole source contract to Haliburton of EDS to do the actual implementation with Netwarcom or NSA oversight (a
                  • by n0-0p ( 325773 )
                    That's my big fear also. It's too likely that this is just more pork for someone like EDS or Eagle Alliance. On the off chance it's done correctly, however, I can't think of a better agency to handle it.
      • by rindeee ( 530084 )
        That's because it isn't (designed to remove domestic surveillance from judicial review). It's designed to overcome the broad incompetence among the CND efforts of other departments and agencies within the USG. Sorry, no conspiracy here, just good judgment and (as rare as it is) right thinking.
    • 'Efficient government' is better as an oxymoron than an actual fact, especially where the NSA is concerned. Do you prefer the cold efficiency of Orwell's "1984", or the loony incompetence of Gilliam's "Brazil"?
  • by ScrewMaster ( 602015 ) on Saturday January 26, 2008 @02:42PM (#22195202)
    these guys do know what they're doing so far as security is concerned, that's true. The problem here, though, is less one of technical expertise as it is enforcement of standards and security best practices. The NSA would be the one of the best groups, I'd say, to lay out those standards in the first place ... whether they're a wise choice to enforce them is another question entirely. I don't have an answer to that.
    • by DanZ23 ( 901353 )

      The NSA would be the one of the best groups, I'd say, to lay out those standards in the first place ...
      Sure as hell better than the DHS.
      • Your comment is eerily similar to the argument many of my associates use when justifying who they are voting for.

        Is the lesser of two evils no longer evil. Officially sanctioned shrouds of secrecy do not help ensure security, they help ensure the potential for abuse.

        I don't like the DHS any more than the NSA, but neither of them can do a better job securing our infrastructure than publically vetted, periodically reviewed network security procedures.
  • by BadEvilYoda ( 935532 ) on Saturday January 26, 2008 @02:43PM (#22195206)
    "Please remove your shoes before boarding the Series of Tubes..."
  • by Irvu ( 248207 ) on Saturday January 26, 2008 @02:45PM (#22195230)
    While this is not the most secret of the secretive (for years the very existence of the NSA was a secret) the fact that duties this big were assigned by a classified letter is appalling. When you couple this with the use of National Security Letters to compel the handover of goods to any thug in a trenchcoat it more and more appears that the goal of the present administration is to produce a kingly executive. One where oversight by the public and for the public is nonexistent and the whole process is simply inscrutable to us even as were are expected to knuckle under.

    It is also interesting to me that it comes from this president who campaigned on the idea of a less controlling government, a smaller government, one that stayed out of our lives. This was based largely on the accusation that Clinton's favoratism for "Hate Crimes" legislation was an invasion of our privacy. It would be ironic if it was the least bit funny.

    What I find is most interesting through is the use of the NSA in this manner. In many ways it is a textbook illustration of the way in which powers and agencies once built simply grow to fill all space they can. The NSA as initially instituted was a cold-war shop with the sole purpose of tapping and securing communications abroad while the existence of the group was a secret (many Americans were not aware of it until the 70's and the publication of the book "The Crystal Palace") it was, like the CIA, clearly setup to operate abroad and to spy on everyone but Americans.

    It was, for lack of a better description a tool intended to work with us against others. With this addition that role has formally changed (it practically chainged with the AT&T hypocracy). While the formal change has been a secret the fact of the matter is that ever more of our resources are being turned inwards, onwords. Ever more effort is being expended to spy on us, on Americans with the understanding that our own government fears us as much or more than the rest of the world or at least that our own resources are better spent to attack us than others.

    The idea of an executive floating on hostile seas rather than operating in safe waters has one crucial flaw. Dictators fall, and take everything around them, with them.
    • The summary (and the article) makes this program sound a lot more secret than it is. This has been in the works for a while, pretty openly in fact. A lot of people in the civilian sector of the government knew this was coming down several months ago. I'm not really sure how its going to work technically, nor do I think DHS or the NSA know either. A lot of network traffic, particularly things of a sensitive nature, is encrypted. I don't think civilian agencies are going to want to start handing decrypti
    • by ChePibe ( 882378 ) on Saturday January 26, 2008 @03:59PM (#22195642)
      The NSA as initially instituted was a cold-war shop with the sole purpose of tapping and securing communications abroad

      Close, but not quite, if memory serves.

      The NSA's limits were not so much geographical as they were national. The limits are more on foreign targets - whether or not those targets happen to be in the U.S. This would include foreign embassies and consulates on U.S. soil and foreign intelligence agents operating on U.S. soil as well, if memory serves (although much of this falls under the FBI, of course).

      The CIA - another agency with a foreign focus - does much the same. It has numerous intelligence officers who interview U.S. citizens who travel to foreign countries of interest when that citizen allows it, run recruiting, and work with their own officers in the UN and in other places. The difference is not so much where the CIA and NSA operate as against whom they operate.

      Terrorism throws a big kink in this, as some of the terrorist/terror supporters are U.S. citizens who, however, are acting under the power or inspiration of an ideology that knows no legal boundaries. Have these people given up U.S. citizenship, in a manner of speaking, by pledging their allegiance to a "foreign military"? (look at your passport for how to give up your citizenship) But are terrorist groups, such as Al Qaeda, truly a military? Can terrorists - who act with very different motives, generally have different goals, and who often present a greater risk to life and limb - be treated as mere criminals?

      It's a big area of debate at the moment and, unlike many on the web who would come down hard for one side or another, it's not entirely clear what the proper legal or policy answers are to these questions. Most law - international and otherwise - still assumes a type of war that will be increasingly rare for the U.S.; nations facing off against each other with well-identified armies. The simple fact is that war has changed, but the laws and policies are not keeping up with it - and it's doubtful they will be able to adapt with required speed.
      • by TubeSteak ( 669689 ) on Saturday January 26, 2008 @05:31PM (#22196254) Journal

        Terrorism throws a big kink in this, as some of the terrorist/terror supporters are U.S. citizens who, however, are acting under the power or inspiration of an ideology that knows no legal boundaries. Have these people given up U.S. citizenship, in a manner of speaking, by pledging their allegiance to a "foreign military"? (look at your passport for how to give up your citizenship)
        No they haven't.
        AFAIK, the only way to currently renounce your citizenship is
        (a) from a foreign country
        (b) in front of a US diplomatic officer or consular
        (c) in writing

        You can read more about it at the state dept website
        http://travel.state.gov/law/citizenship/citizenship_779.html [state.gov]
        http://travel.state.gov/law/citizenship/citizenship_780.html [state.gov]

        According to their website, you can join a foreign army as long as you do not do so as an Officer or NCO.

        It's a big area of debate at the moment and, unlike many on the web who would come down hard for one side or another, it's not entirely clear what the proper legal or policy answers are to these questions.
        It's one thing to discuss "the proper legal or policy answers" may not be clear, the problem is many people don't seem to understand/care wtf the laws say right now.
        • Great post, thanks!
        • by querist ( 97166 )
          Also,

          serving in a foreign military in an action against the USA will do it automatically without regard for your rank.

          And, taking a "high elected office" (with no definition of "high" in this context given) will do it as well. The catch is the word "high". What counts? Mayor of a small town? Mayor of the largest city in the country? How large of a city does it have to be? The largest city in China has more people than all of Monaco, for example.

          It's a bit vague on that last one, but also it is one that I su
        • Here is the "official" text, straight from page 4 of my US passport.

          "LOSS OF CITIZENSHIP. Under certain circumstances, you may lose your U.S. citizenship by performing any of the following acts: (1) being naturalized in a foreign state; (2) taking an oath or making a declaration to a foreign state; (3) serving in the armed forces of a foreign state; (4) accepting employment with a foreign government; or (5) formally renouncing U.S. citizenship before a U.S. consular officer overseas. For detailed informatio
    • more and more appears that the goal of the present administration is to produce a kingly executive.


      I think this statement cuts to the heart of the matter quite nicely.

      I don't know why the Mad King George moniker hasn't been applied before: perfect for the "kingly executive" and harkens back to the Revolution with a nice bit of foreshadowing.

      But that's just me thinking out loud...

      rb
    • by dens ( 98172 )

      ...it more and more appears that the goal of the present administration is to produce a kingly executive. One where oversight by the public and for the public is nonexistent and the whole process is simply inscrutable to us even as were are expected to knuckle under.
      You mean before this it didn't appear that way? Man, some of you are slow!
  • by Jeremiah Cornelius ( 137 ) on Saturday January 26, 2008 @02:51PM (#22195258) Homepage Journal
    Does he blow Schmidt and Clarke for a living? Why is he always quoted in these propaganda stories about InfoSec - not Schneier?

    "If you're looking for needles in the haystack, you need as much data as you can get because these are really tiny needles, and bad guys are trying to hide the needles."
    So what this fascist stooge is saying translates thusly: "When trying to find a needle in a haystack, what you really need is to gather all of the hay in the world into one pile. There's probably some needles in there!"

    Bullshit. To find meaninful events, you are critical and selective. When looking for needles in metaphoric haystacks, you are best able to succeed with smaller haystacks. Anyone who has ever performed log analysis understands wht I always called "the bigger haystack problem". Log everything, and finding meaningful occurrences becomes impossible - or at least requiring too much effort for the value of the event.

    Paller is a surveillance apologist, masquerading as a "security guru."

    P.S. How do you really find a needle in a haystack? With a match.
    • P.S. How do you really find a needle in a haystack? With a match.

      So, does that mean, if you get all the hay there is, and burn it, you'll find all the needles?
      • Yes.

        Of course, you starve the livestock...
        • by tjstork ( 137384 )
          Yes. Of course, you starve the livestock...

          Ah Jerry/Elric, my sweet, thou art the champion eternal! Of course we know however, that for similar reasons, economic sanctions do not work either...

          Arioch.
    • "If you're looking for needles in the haystack, you need as much data as you can get because these are really tiny needles, and bad guys are trying to hide the needles."

      So what this fascist stooge is saying translates thusly: "When trying to find a needle in a haystack, what you really need is to gather all of the hay in the world into one pile. There's probably some needles in there!"

      That's one possible interpretation. The other is that since it's practically infeasible for a human to manually sort through a haystack, you need additional information not provided by the haystack itself. Such as if you had eyewitness reports or video footage of the needle-hider placing the needle inside, you could narrow down the search space considerably. You're right that additional haystacks will only make the job harder, but that seems to be an uncharitable characterization (though perhaps true...

      • Re: (Score:3, Interesting)

        This is a context thing. Whenever "cybercrime" or "cyberterrorism" is the topic, Paller is unearthed as the rational technology expert - rationailising the unpalatable and invasive loss of liberty that these grave threats require.

        You don't see Bruce quoted by the WaPo or WSJ.
        • This is a context thing. Whenever "cybercrime" or "cyberterrorism" is the topic, Paller is unearthed as the rational technology expert - rationailising the unpalatable and invasive loss of liberty that these grave threats require.

          You don't see Bruce quoted by the WaPo or WSJ.

          Perhaps it's true that Paller gets called in for the evil terrorism angle on security issues... creating a crisis sells papers, after all. However, your last point appears to be in error:

          6 results for "Bruce Schneier" [google.com] on wsj.com.
          3 results for "Alan Paller" [google.com] on wsj.com.

          169 results for "Bruce Schneier" [google.com] on washingtonpost.com.
          96 results for "Alan Paller" [google.com] on washingtonpost.com.

          • Context is the operative word in my post. :-) I mean to provide supportive information on Government surveillance / fourth ammendment abbrogation.
    • Re: (Score:3, Interesting)

      by Adambomb ( 118938 )

      P.S. How do you really find a needle in a haystack? With a match.

      Or, assuming a Ferrous needle, a magnet.

      It's definitely a strange argument to attempt when really what you need when searching for a needle in a haystack, is a method of needle location that IGNORES THE HAY, not cataloging each and every instance of !needle.

      If one is searching for needles amongst haystacks, trying to control the size of the haystack or the number of haystacks seems rather....absurd.... Then the needles that don't want to be found now know exactly which pile to stay out of, even more so tha

    • No, good security and by extension proper log management is rather like finding a needle, in a stack of needles.

      Joel
  • Oh, it doesn't work here. Nevermind.
  • Not that it matters much at this point.

    • I believe, Citizen nurb432, you have made the most cogent post of any of the clueless posts on this thread:

      In case no one has heard, the SAIC has coded the elections/voting software for almost all of the voting machine manufacturers.

      In case no one has heard, Hicks & Associates oversees that Total Information Awarness network. Hicks & Associates (Poindexter and Cheney's handpicked boys) is owned by SAIC. TIA has inputs from NSA, NGA and all those intel contractors who happen to be involved with

  • by KookyMan ( 850095 ) on Saturday January 26, 2008 @03:07PM (#22195344)
    The only thing I can say, is I've started some major "learning" about encryption and various other personal privacy applications.

    So far, what I've found and like are:
    TrueCrypt - "On-The-Fly" Disk/Storage Encryption. [truecrypt.org] Actually, I've been using this for 24 hours and love it. I've also seen great reviews of this, and some of its very interesting features, such as plausible deniability. Oh, and its Free Open Source Software. Available for Windows 2K/2K3/XP/Vista, Linux, and soon MacOS (v5.0, due in Jan 08)
    KeePass - Encrypted Password Storage Database. [keepass.info] I've been using this for years, and love it. Also good reviews. If you wish to try it, there are two versions, v1.x and v2.x. v1.x (1.10 being current) is the original independent version. Can be run standalone, no system requirements (.Net or the like). Can be run from a USB Key. v2.x (2.04 being current) is a total rewrite of the application based on the .Net libraries and are required. This version is ALPHA quality and does not yet meet the current functionality of the 1.x branch. This was started due to the fact of people requesting features that would require significant rewrites to implement. Also FOSS. Available for Windows 98/98SE/ME/NT/2K/XP/2K3/Vista 32 and 64 bit. Third party ports also available for PocketPC, Linux, MacOSX, J2ME, Blackberry, PalmOS.
    Gnu Privacy Guard - An open source PGP implementation. [gnupg.org] I use a port of this, GPG for Windows [gpg4win.org]. It seems a bit clunky, and am actively looking for something to replace it so suggest away if you do know something better. I will say though that it does work as advertised, and its FOSS. GPG is distributed mainly as source code I believe, where as G4W is as binaries.

    People have looked at some of us who use PGP/GPG, and other encryption/digital signatures for a few years with the look of "why do I need that, I have nothing to hide." I keep waiting for people to finally wake up and realize that the concept of "inherent privacy" (meaning anything not actively publicly published is not publicly known) is gone. We have entered the age of "explicit privacy." If you want something to be private, you must make explicitly so, especially on your computer, with these recent news articles of laptops being fair searching territories at Customs, or the reports that the NSA has feeds from AT&Ts offices to intercept everything.
    • Read the article. It says that federal government network traffic will be monitored by the NSA, instead of just being monitored by the individual agencies. Are you planning to send a lot of messages from a government-operated computer network that you don't want anyone to read? If you are, why weren't you just as concerned about that agency's monitoring system catching you? Now, if you do work for the feds and you don't want the NSA to see exactly what you're doing online, your suggested tools won't hel
    • by Magada ( 741361 )
      You haven't gone very far in your thinking - or else you're just advertising KeePass. Trusting Windows (a huge gob of unaudited, closed source code from a producer that is known for openly cooperating with No Such Agency) is the very worst idea if you really care about security.
      Start by using an OS with source code you can inspect and that you can compile in your own home, using your own trusted (and tested) compiler and only then start thinking about what encryption tools you should use.
      What use is your en
  • by Animats ( 122034 ) on Saturday January 26, 2008 @03:44PM (#22195556) Homepage

    This is basically about internal U.S. Government computer security. The problem is that the last three agencies assigned this task blew it. Early on, computer security was under NIST, which is really the old National Bureau of Standards. They were just an advisory agency on this. There was also an NSA effort, about which more later.

    There's a National Cyber Security Division of Homeland Security. When it was set up, it was headed by Amit Yoran, who actually knew something about the subject. He was unpopular because he publicly mentioned the vulnerabilities of Microsoft operating systems as the biggest single problem. So he was replaced by Gregory Garcia, a lawyer and 3COM's lobbyist in Washington, who has accomplished little, if anything.

    The General Services Administration, which handles public buildings and purchasing for most of the U.S. Government, has a role in computer security, but they haven't accomplished much. other than some vendor evaluation.

    NSA first got into computer security in the 1980s, when I had some dealings with them. They had an institutional problem. First, it wasn't about the USSR, on which NSA used to be narrowly focused. Second, the computer security effort was located at the "Friendship Annex", which was NSA's lower-security facility near Friendship Airport (now BWI). FANX was where NSA's less important stuff was done - personnel, accounting, etc. Being assigned to FANX was a big career step down within NSA.

    NSA went at computer security in the same way they went at safes and locks - you build it, they break it. NSA policy on evaluating the security of computer products was that the vendor got two tries. On try one, NSA told the vendor what was wrong. Try two was pass/fail - if they could break it, it flunked, and went on the rejected list. Vendors hated this.

    Under heavy pressure from vendors, security evaluation was outsourced to third party companies, and vendors could retry forever until they wore down the evaluators. The higher levels of security (fully verified everything) were dropped from the evaluation criteria.

    NSA Secure Linux was a good idea that didn't really catch on. Most Linux people don't get the point of NSA Secure Linux. It's not about making Linux more secure. It's about getting applications rewritten to work under a tight security model. Unless applications are rewritten to have only very small and heavily verified trusted parts, NSA Secure Linux doesn't help much.

    • NIST is still has a large role in US government computer security efforts. While NIST's recommendations are advisory in nature, OMB says NIST's recommendations are mandatory in systems that fall outside the realm of national security (the NSA deals with those systems).
    • http://en.wikipedia.org/wiki/FISMA [wikipedia.org]
      FISMA is a big deal.

      Broadly, what's happening now is an effort to reduce the number of gateways to the Internet. To force every bit in the broader organization to flow through the same pipe. Of course there are bottleneck and performance issues, and if a subgroup has their own discretion over funding they may choose to buy cable or DSL service.

      In my view the most important step in the way forward is to limit employees' ability to posses copies of sensitive information. I do
  • While I have some problems with certain things the NSA has been doing of late, from the description in TFA there really isn't a privacy problem here.

    "The directive, whose content is classified, authorizes the intelligence agencies, in particular the National Security Agency, to monitor the computer networks of all federal agencies"
    "Supporters of cyber-security measures say the initiative falls short because it doesn't include the private sector -- power plants, refineries, banks -- where analysts say 90 per
  • by JRHelgeson ( 576325 ) on Saturday January 26, 2008 @04:33PM (#22195878) Homepage Journal
    There is a long history here that needs to be taken into consideration... We are seeing a paradigm shift in our government that is long overdue. It used to be that the government had to protect paper documents, "eyes only", and the biggest threat were photocopiers and miniature cameras... not any more.

    I wrote about this transformation [blogspot.com] last year. Is it any wonder why the NSA is being brought up and groomed to help protect the critical information assets that the United States has?

    From my post:

    HumInt/SigInt:
    Human Intelligence, CIA
    Signal Intelligence, NSA

    The English have been masters at the spy trade for centuries. In WWII, the United States felt that it should get into the act and turned to the English for guidance.

    With their tutelage, the CIA became a formidable tool against the Soviet threat throughout the cold war. We had clearly defined enemies with clearly defined borders. Gathering intelligence became a methodical science... then, once the Soviet Union collapsed, the clearly defined enemies with clearly defined borders went with it.

    The growth of the internet created an atmosphere wherein information and 'intelligence' became a commodity. Then the emergence of an enemy that is not only difficult, if not impossible, to clearly define but who also operates entirely without borders. The polar opposite from what the CIA were trained to do.

    Not only has this rule-set reset turned the CIA upside-down, it has rendered it all but useless. The UK isn't doing much better either. The problem is that western society itself is at odds with the rules required to make an effective spy agency. Our open government(s), free access to information, laws against spying on citizens and so forth are what both protect our civil liberties as well as create the environment in which our enemies can plot against us.

    The CIA knew about al Qaeda operators operating in the USA prior to 9/11, yet did nothing to notify the FBI. This is because of the opposing nature of each agency. The CIA finds a criminal and wants to string them along to see what intelligence they can uncover by monitoring them. When the FBI finds a criminal, they want to string them up. From the CIA perspective, the FBI sure knows how to screw up an investigation and destroy your intelligence network.

    The CIA is now dysfunctional to the point of uselessness. In fact, there isn't a single effective spy agency in the western world. The current battle we're fighting and the enemy we face is one that cannot be defeated by military might, it is a war that MUST be fought using intelligence.

    So, the administration turned to the only other agency with experience in gathering and monitoring enemies. It also happens that this agency is experts at SigInt, as opposed to the HumInt. The problem is that the NSA is forbidden by law from spying on American Citizens, UNLESS they are monitoring overseas communications. This exception has always been allowed, no warrant necessary. There is no law that states that I have the constitutional right to conspire with enemies overseas.

    No other nation even comes close to the SigInt capabilities of the NSA...
    • What an excellent analysis, and history agrees with it; all centralized bureacracies tend to become bloated, ineffective and self-serving.

      But isn't it the case with all models of centralized hierarchy? Despite all the efforts of the democratic systems to promote transparency, the parasitical cliques will take over and bury the old ideals which actually served the society.
  • The bad news is NSA shouldn't have this authority. By the time we're cooked it will be too late to jump out of the pot.

    The good news is this will make it easier to get rid of DHS. I've never been a radical shrink-the-gov-to-nothing person, but DHS is a boondoggle of epic proportions. I hate the word "homeland". This isn't the 21st century of a European country, dammit, this is America. DHS's mission is to secure the nation? Isn't that what the Department of fucking DEFENSE is for? DHS is a wolf in sh
    • Re: (Score:1, Flamebait)

      by Boronx ( 228853 )
      Its fascist/imperialist name and its feudal power structure (essentially everyone is a political appointee) don't help either.
  • by not_hylas( ) ( 703994 ) on Saturday January 26, 2008 @08:45PM (#22197336) Homepage Journal
    The FBI, CIA, NSA are now subcontractors for an unknown (to us, at least) asset managing entity.
    It's like a shell game, Area 51 is now too well known, but they keep up appearances - wave your hand over here - palm the coin in another.
    What we keep doing is concentrating on what we think is possible (tech-wise) while you have absofuckinglutly amazing things happening right under our noses. (i.e. what ARE those networking protocol hardlinks DOING in your bootblock under "bad boot sectors".
    Chip crowding/code obfuscation is another.

    Get the picture?

    The real power doesn't want the exposure.

  • "While some lawmakers and civil-rights advocates are unhappy with shooting this toddler in the face, one alternative that was considered and rejected -- feeding the toddler to the Sarlacc -- might have been worse."

    Just because it could have been worse doesn't mean it wasn't a bad outcome the way it is now.
  • I know most of you don't realize it, but the NSA has had monitoring capabilities in all computers since windows 95.

    Microsoft gave them free reign to windows.

    Don't think that Linux is left out. Do you think the NSA would generously donate the code for SELinux? It's a trade for priority placement in the kernel.

    The NSA knows what they're doing. The real problem is, they're being tasked with things that violate their mandate. They had one rule: Don't spy on Americans.

    The NSA is to thank for all sorts of coo

Solutions are obvious if one only has the optical power to observe them over the horizon. -- K.A. Arsdall

Working...