This last week we had yet another NSA event. This time it was the leak of advanced tools that could be used to exploit unreported defects in networking gear from U.S. manufacturers. This seems to further enforce a position by a variety of U.S. agencies to focus on breaking into things rather than help secure them. However, given that these break-ins are largely illegal and this practice appears to be doing massive damage to the technology market, not to mention exposing our firms to attack by a variety of nasty players, shouldn’t these agencies be reclassified as hostile?
I think the current mindset of these government agencies is foolish and puts not only our firms and customers at risk, but the nation itself. Let me explain.
At the core of this appears to be an incredible arrogance that product defects can be discovered only by the NSA. There is nothing I’ve seen that suggests the NSA is substantially more capable than the collective efforts of large hostile or friendly governments, large criminal organizations, or a variety of technology schools -- both domestic and abroad.
This suggests that if the NSA can create tools to exploit these defects so can those who are hostile to the U.S. and it is arrogant to believe otherwise. Of course, even if that wasn’t true, these constant leaks point like neon signs to this approach making it far more likely someone will do the U.S. harm as a result.
I think much of this is due to tactical thinking where someone trades off an easier path to do their job for the larger strategic problem of critically damaging the U.S. technology industry and opening the nation to attack.
Let’s use Lockheed as an example. Let’s assume a government agency discovered a problem with Lockheed’s avionics package where a signal could be sent that would cause Lockheed planes to crash, but they kept this secret in case the U.S. were attacked by these planes so they could push a button and stop the attack. But given the U.S. uses more of these planes than anyone else, this defect would wipe out much of the U.S.’s airpower so it would be incredibly stupid not to report it to Lockheed so it could be fixed. This would be doubly true if it became known that the U.S. had this power because foreign governments would stop buying Lockheed jets.
We are already highly networked and are aggressively moving to everything from autonomous cars to smart cities that all rely heavily on U.S. sourced technology to keep them running and the folks that use them safe. Leaving a defect unreported in the hope it could be used for illegal spying in exchange for the potential to bring the nation to its knees would seem to be a stupid tradeoff. In addition, it also appears to be the one that the nation is making, including the part where it is killing sales of U.S. technology products.
At its heart these decisions suggest ineffective oversight in the U.S. government. It isn’t at all unusual for any agency, public or private, to act in ways that enhance its mission. Nor is it unusual for them to prioritize a benefit for them over a larger exposure for the company or nation.
This is why you have things like internal audit and compliance so that, when this happens, the executive in charge can be caught and disciplined for putting his needs over those of the organization he works for, or in the case where an organization misacts, over the needs of the investors, customers, or, in this case, the citizens.
[ Related: Cisco, Fortinet issue patches against NSA malware ]
When do we say enough is enough?
An agency with “security” in its name should have security as a priority. This means such an agency should be working to assure we are secure and that should more important than finding ways to break into things. In short, when given a choice between doing something that fixes a security exposure for the nation and exploiting that exposure the choice should naturally fall to fixing it.
The fact it currently doesn’t suggests there is something seriously wrong in the U.S. with the concept of security, the understanding of technology, and the related oversight in the NSA and for the sake of the nation we need to say enough is enough and get it fixed.
If we don’t and we continue down this path of connecting everything there is a real likelihood that this practice will have national catastrophic consequences. Bottom line: There should never be a case like the one that appears to exist today – one in which a U.S. Agency appears to be a greater security problem than an asset. Fixing this should be a higher priority than it obviously is.