Steven Roosa is a Partner in our New York office
A December 3rd opinion piece in U.S. News & World Report advocates making the National Security Agency the agency responsible for "assuring" cybersecurity for critical infrastructure. Before anyone rushes to embrace such a plan, it's important to sit back and reflect on the role of the NSA.
The NSA in the Interior of the Network
The mission of the NSA, broadly stated, is to collect signals intelligence on international terrorists, other governments, and foreign bad actors, and to provide the resulting intelligence to the U.S. government. To achieve its mission since 9/11, there are at least two broad categories of Internet traffic that the NSA has positioned itself to intercept: (1) foreign Internet traffic (network traffic whose origin and destination are outside the U.S., but which often transits networks in the U.S.) and (2) Internet traffic between foreign NSA targets and servers/people located in the U.S.
Because both categories of traffic can be found on networks located in the U.S., the NSA—according to first-hand accounts summarized well by James Bamford in The Shadow Factory (2008)—installed highly specialized splitters and data mining equipment at key exchange points and/or mega-switching facilities in the U.S. in order to intercept the network traffic. One can argue back and forth regarding the relative value of the information that has been collected, but what isn't up for debate is that the NSA, from an engineering standpoint, has compromised the physical integrity of the network infrastructure to achieve its ends.
Susan Landau, a highly respected mathematician and engineer who has done research at Cornell, Harvard, Yale, and MIT, and who is a 2012 Guggenheim fellow, observes that wiretaps are "risky business" because "they are an architected security breach that can be subverted and put to nefarious use." One of her books, Surveillance or Security: The Risks Posed by New Wiretapping Technologies (2010), discusses the topic at length and recounts, at one point, how the Greek government, from 2004-2005, was itself subjected to ten months of wiretapping when bad actors exploited similar built-in wiretapping infrastructure.
The NSA at the Edge of the Network
In addition to wire intercepts, the NSA also has an interest in being able to compromise the software running on servers and end-user devices at the "edges" of the Internet in order to ensure its ability to collect meaningful intelligence. In a world where cryptography can often diminish the value of network traffic collected in transit, compromising host machines at the edge of the network is an effective way to perform an "end-run" around the limits of wire intercepts.
How does one compromise host machines most effectively? One uses unknown and unpatched security vulnerabilities—so-called "zero-day" vulnerabilities—found in operating systems, browser software, and other applications, in order to take over the device, collect the desired information, and secretly exfiltrate data back to home base. According to noted security researcher and author Bruce Schneier, not only is the NSA presumably a significant player in the "grey market" for purchasing "zero-day" vulnerabilities from private companies, it most definitely has an operational interest in seeing that such vulnerabilities remain unpatched:
[T]he new market for security vulnerabilities results in a variety of government agencies around the world that have a strong interest in those vulnerabilities remaining unpatched. These range from law-enforcement agencies . . . to intelligence agencies like the NSA who are trying to build mass Internet surveillance tools . . .
The Bottom Line for Cybersecurity
The NSA obviously possesses world-class expertise in cyber operations and incredible technical and personnel resources. Any proposal, however, that would seek to put the NSA in charge of assuring cybersecurity must first come to grips with the NSA's avowed operational interests in: (1) keeping software vulnerabilities unpatched as a way to maximize the collection of intelligence and (2) compromising the security of networks for the same purpose.