Why the NSA should be considered a hostile agency

When an agency with security in its name chooses to exploit a security exposure rather than fix it, we have a problem, writes columnist Rob Enderle.

This last week we had yet another NSA event. This time it was the leak of advanced tools that could be used to exploit unreported defects in networking gear from U.S. manufacturers. This seems to further reinforce a position by a variety of U.S. agencies to focus on breaking into things rather than helping secure them. However, given that these break-ins are largely illegal and this practice appears to be doing massive damage to the technology market, not to mention exposing our firms to attack by a variety of nasty players, shouldn’t these agencies be reclassified as hostile?

I think the current mindset of these government agencies is foolish and puts not only our firms and customers at risk, but the nation itself. Let me explain.

Arrogance

At the core of this appears to be an incredible arrogance that product defects can be discovered only by the NSA. There is nothing I’ve seen that suggests the NSA is substantially more capable than the collective efforts of large hostile or friendly governments, large criminal organizations, or a variety of technology schools -- both domestic and abroad.

This suggests that if the NSA can create tools to exploit these defects, so can those who are hostile to the U.S., and it is arrogant to believe otherwise. Of course, even if that weren’t true, these constant leaks point like neon signs to this approach, making it far more likely someone will do the U.S. harm as a result.

Tactical thinking

I think much of this is due to tactical thinking where someone trades off an easier path to do their job for the larger strategic problem of critically damaging the U.S. technology industry and opening the nation to attack.

Let’s use Lockheed as an example. Let’s assume a government agency discovered a problem with Lockheed’s avionics package where a signal could be sent that would cause Lockheed planes to crash, but they kept this secret in case the U.S. were attacked by these planes so they could push a button and stop the attack. But given the U.S. uses more of these planes than anyone else, this defect would wipe out much of the U.S.’s airpower so it would be incredibly stupid not to report it to Lockheed so it could be fixed. This would be doubly true if it became known that the U.S. had this power because foreign governments would stop buying Lockheed jets.

We are already highly networked and are aggressively moving to everything from autonomous cars to smart cities that all rely heavily on U.S. sourced technology to keep them running and the folks that use them safe. Leaving a defect unreported in the hope it could be used for illegal spying in exchange for the potential to bring the nation to its knees would seem to be a stupid tradeoff. In addition, it also appears to be the one that the nation is making, including the part where it is killing sales of U.S. technology products.

Security

At its heart these decisions suggest ineffective oversight in the U.S. government. It isn’t at all unusual for any agency, public or private, to act in ways that enhance its mission. Nor is it unusual for them to prioritize a benefit for them over a larger exposure for the company or nation.

This is why you have things like internal audit and compliance so that, when this happens, the executive in charge can be caught and disciplined for putting his needs over those of the organization he works for, or in the case where an organization misacts, over the needs of the investors, customers, or, in this case, the citizens.

When do we say enough is enough?

An agency with “security” in its name should have security as a priority. This means such an agency should be working to assure we are secure, and that should be more important than finding ways to break into things. In short, when given a choice between doing something that fixes a security exposure for the nation and exploiting that exposure, the choice should naturally fall to fixing it.

The fact that it currently doesn’t suggests there is something seriously wrong in the U.S. with the concept of security, the understanding of technology, and the related oversight in the NSA, and for the sake of the nation we need to say enough is enough and get it fixed.

If we don’t, and we continue down this path of connecting everything, there is a real likelihood that this practice will have national catastrophic consequences. Bottom line: There should never be a case like the one that appears to exist today – one in which a U.S. agency appears to be a greater security problem than an asset. Fixing this should be a higher priority than it obviously is.
