America’s National Security Agency, the nation’s largest intelligence service, has a problem. It has been given two distinct, and in many cases contradictory, missions.
The first is defensive: the NSA is charged with defending America’s networks and infrastructure. The second is offensive: the NSA must gather intelligence in order to prevent terrorist attacks and secure the United States’ global position.
The recent controversy over the NSA’s spying program, which collects metadata (data such as the time a message is sent, and between whom, but not the content) on millions of Americans, has somewhat overshadowed a potentially greater problem: its actions may have jeopardized US cyber security.
Billions of dollars’ worth of commerce and critical infrastructure depend on a secure internet. To start with the most obvious, bank records are largely electronic, and many transactions are processed online. Commercial giants like Amazon and eBay, as well as more traditional businesses, rely heavily on e-commerce. Corporate America has become increasingly dependent on computers, and billions of dollars have been lost to hackers who steal intellectual property. The most successful group is probably China’s Unit 61398, a unit of the People’s Liberation Army charged by computer security firm Mandiant with hacking into American companies.
Critical infrastructure systems, from gas lines to power plants to traffic lights, as well as government systems, military organizations, defense contractors and security companies are also prime targets (many have already been attacked, including Lockheed Martin, RSA, Coca-Cola, the United Nations and the Departments of State and Defense).
To be fair, no single flaw is likely to give an attacker unfettered access to all of these systems. Computer systems vary so widely that in the past damage has generally been more localized to one business or system at a time, rather than the total catastrophe imagined in games like Watch Dogs or movies like Live Free or Die Hard. But experts (including big names like former Secretary of Homeland Security Janet Napolitano and former Defense Secretary Leon Panetta) have been predicting a “cyber 9/11” for years, and these warnings have become increasingly prophetic.
In its zeal to gather intelligence and prevent terrorism, the NSA has undercut its first mission: to defend America’s cyber infrastructure. Often, the NSA’s data gathering is done through “backdoors,” flaws in computer systems that can be exploited. The trouble is that these flaws aren’t localized to the system that is targeted: they exist in all or most copies of the software. Terrorists use most of the same software the rest of us do, so a flaw in Windows 8 that the NSA uses to gather information on a target in Afghanistan is also present in every other copy of Windows 8 in use worldwide. This flaw is also accessible to anyone else in the world who can find it, and there are plenty of people looking, from governments (particularly China’s and Russia’s) to third-party groups like Anonymous.
Herein lies the problem. In order to defend America’s cyber infrastructure, the NSA must work with industry groups to fix the problems it finds. But the zealous hunt for terrorists post-9/11 has led the NSA’s second mission to generally be prioritized. The issue was demonstrated most clearly by the recent Heartbleed computer bug. A massive flaw in the nearly ubiquitous OpenSSL protocol, Heartbleed has been called the worst security failure in the internet’s history by many experts. The NSA has been said to have had knowledge of the bug (and used it for intelligence gathering) for at least two years.
To make matters worse, when it cannot find flaws in software, the NSA intentionally introduces them. While many of the exact details remain classified, it has become fairly clear that the NSA knowingly and intentionally inserts flaws into commercial software.
In the 1990s, the NSA tried to mandate that all encryption have a government-accessible backdoor. It failed, but now appears to have achieved with espionage what it couldn’t in Congress. The NSA is widely believed to have used its clout to introduce a backdoor into a cryptographic standard created by the National Institute of Standards and Technology, the standards body for cryptographers, which was then implemented in hundreds of programs used on millions of systems. This is a potential problem in and of itself, but unintended effects magnify the issue.
As part of its mission to protect American cyber infrastructure, the NSA often works with American companies to secure their systems. But the threat of the NSA introducing backdoors has made many companies wary of accepting such help, further weakening their systems.
Alan Davidson, former head of public policy at Google and a researcher at MIT, notes that, “[As an internet or telecommunications provider] you’d be crazy to ask the NSA for help now.”
The hardest part of this debate is finding a solution. Weakening our ability to combat terrorism and other global threats appears an unacceptable solution to many. But the risks, both constitutional and practical, are impossible to ignore.
Many have criticized the conflicting missions of the NSA, but separating these roles into distinct organizations may simply put them at war with each other, creating an offensive organization which doesn’t consider the consequences of its actions and a defensive one that is not fully up-to-date on the latest flaws.
With the full extent of the NSA’s operations (understandably) kept under lock and key, the NSA’s defense that it can and does make a cost-benefit analysis in this process makes sense. But such an analysis cannot simply be left to a handful of insiders. Additional Congressional oversight may remedy the problem. While the future of the internet is traditionally unpredictable, the world looks set to face increasing threats to its cyber security.