FUD and NSA Cybersecurity

I’ve been in too many meetings where popular articles led to a string of false – and intensely problematic – baseline ‘truths’ that subsequently led to damaging policy proposals. One of the worst recent articles was by Marc Ambinder, who wrote a piece for Foreign Policy about why the NSA has to support Deep Packet Inspection (DPI) appliances in businesses network. The general premise is that NSA assistance is critical if American companies are to effectively filter out foreign nations’ espionage behaviour. This ‘support’ is supposedly driven by the most recent revelations concerning Chinese attacks against predominantly American business interests.

So, in what follows I’ll pull out offending paragraphs and explain what’s factually problematic and, then, the significance of the false or misleading claims.

[The NSA] has some pretty nifty tools to use in terms of protecting cyberspace. In theory, it could probe devices at critical Internet hubs and inspect the patterns of data packets coming into the United States for signs of coordinated attacks. The recently declassified Comprehensive National Cyberspace Initiative describes the government’s plan, informally known as Einstein 3, to address the threats to government data that run through private computer networks – an admission that the NSA will have to perform deep packet inspection on private networks at some point. But, currently, the NSA only does this for a select group of companies that work with the Department of Defense. It is legally prohibited from setting up filters around all of the traffic entry points.

The issue is that Einstein, even if it is working (which remains unclear, at best), is invasive and isn’t a panacea. It might identify some traffic, but the core kind of data analysis that is required today isn’t so much inbound network traffic as outbound; what is leaving the network, why is it leaving, and do characteristics of the data exiting the network correspond with the authorized users’ normal network behaviours? To be blunt, there is no DPI appliance on the market that is genuinely capable of this kind of user- and network-centric surveillance. There are lots of companies that sell things claiming to perform these actions, but the sales language has not yet met the hype. Moreover, if you’re dealing with state-level actors it isn’t clear why, with their immense resources, they can’t simply purchase the DPI appliances and figure out how they work, and how to subvert their analytics protocols.

Why does this quoted section matter? Because it preps an audience for a magic (networked) bullet, and one that to-date doesn’t exist. And because it convinces an audience that if we just brought NSA-grade Einstein surveillance to bear that we’re figure out how to stop the evil hackers.

The next step may be letting the NSA conduct deep-packet monitoring of private networks. It’s undeniable that Congress and the public probably wouldn’t be comfortable knowing that the NSA has its hardware at the gateways to the Internet. And yet there may be no other workable way to detect and defeat major attacks. Thanks to powerful technology lobbies, Congress is debating a bill that would give the private sector the tools to defend itself, and it has been slowly peeling back the degree of necessary government intervention. As it stands, DHS lacks the resources to secure the dot-com top-level domain even if it wanted to. It competes for engineering minds with the NSA and with private industry; the former has more cachet and the latter has better pay.

The NSA already has it’s hardware at the core choke points of the American Internet infrastructure. This deployment led the Congress to retroactively grant immunity to American ISPs for participating in the NSA’s warrantless wiretapping. It’s what’s led a host of whistleblowers to come forward and disclose the extent of the NSA’s surveillance on Americans. The Agency is already using DPI appliances at Internet choke points: what is being proposed is extending the surveillance to the networks of corporations that are not Internet companies. This means that, rather than just filtering at AT&T’s network, The NSA will also filter at Ford’s network.

The author also asserts that it’s important to leave this to NSA on the basis that DHS cannot presently fulfil this defensive task. NSA knows this. DHS knows this. And, on the mutual basis of this knowledge, NSA is already permitted to assist DHS in securing American companies’ networks so long as DHS takes the lead. What is really changing here is that a foreign intelligence body would be given authority to act independently of DHS. Such a move would be intensely problematic on the basis that NSA is highly secretive, even more than DHS, and is routinely involved in bypassing or finding ways around American’s existing legal protections. The notion that the institution’s ongoing bad behaviour should lend credence and authority to its missions is absurd.

Some private-sector companies are good corporate citizens and spend money and time to secure their networks. But many don’t. It’s costly, both in terms of buying the protection systems necessary to make sure critical systems don’t fail and also in terms of the interaction between the average employee and the software. Security and efficiency diverge, at least in the short run.

While this is true, to an extend, it fails to account for the magnitude of scale. Most large-sized businesses have security staff and dedicated network administrators; there is some defence taking place. It’s the mid-sized businesses that tend to be disastrously under protected. Is the proposal that pretty well all businesses with under, say, 1,000 people will get the benefit of NSA-grade security and surveillance? If so, that’s an awful lot of NSA-compliant gear.

If the NSA were simply to share with the private sector en masse the signatures its intelligence collection obtains about potential cyber-attacks, cybersecurity could measurably improve in the near term. But outside the companies who regularly do business with the intelligence community and the military, few firms have people with the clearances required by the NSA to distribute threat information. (Under the new initiative, the NSA’s intelligence will be filtered through the FBI and DHS.)

It’s important to recognize the DPI equipment isn’t cheap. In addition to NSA signatures you’d likely need an ongoing service contract with the appliance manufacturer. Moreover, to actually run the appliance you’ll either need in house staff or contract out the job; in either case, businesses will see an increase in the cost of business. They may not see a return. Moreover, DPI signatures are not foolproof, and they are often particular to specific appliance vendors. So…will your appliance be ‘compatible’ with NSA intelligence? Moreover, how do you check the NSA’s own signatures to ensure that the Agency isn’t doing something sneaky?

By the end of the article what we’re really missing is critical any analysis of the security properties of the DPI appliances themselves or of the NSA in general. DPI devices exploit the vulnerability of data packets to run analyses/modifications of data either in real-time or, if offloaded to a temporary storage device, offline. In either case, when and if these devices are compromised all of the network traffic coursing through the appliances becomes compromised. So, you can in effect move from dealing with significantly placed compromised devices in your network or dealing with that plus having your sophisticated routers turned against you. And the author’s final lines in the article – yeah, NSA’s been bad in the past, but hey: they’re really on ‘our’ side now! – doesn’t exactly fill a reader with much confidence.