Category: Computer/online security

U.S. Code-Cracking Agency Works As If Compromised. The U.S. government's main code-making and code-cracking agency now works on the assumption that foes may have pierced even the most sensitive national security computer networks under its guard.

“There's no such thing as ‘secure' any more,” Debora Plunkett of the National Security Agency said on Thursday amid U.S. anger and embarrassment over disclosure of sensitive diplomatic cables by the website WikiLeaks.

“The most sophisticated adversaries are going to go unnoticed on our networks,” she said.

Plunkett heads the NSA's Information Assurance Directorate, which is responsible for protecting national security information and networks from the foxhole to the White House.

“We have to build our systems on the assumption that adversaries will get in,” she told a cyber security forum sponsored by the Atlantic and Government Executive media organizations.

The United States can't put its trust “in different components of the system that might have already been violated,” Plunkett added in a rare public airing of NSA's view on the issue. “We have to, again, assume that all the components of our system are not safe, and make sure we're adjusting accordingly.”

The NSA must constantly fine tune its approach, she said, adding that there was no such thing as a “static state of security.”

More than 100 foreign intelligence organizations are trying to break into U.S. networks, Deputy Defense Secretary William Lynn wrote in the September/October issue of the journal Foreign Affairs. Some already have the capacity to disrupt U.S. information infrastructure, he said. Plunkett declined to comment on WikiLeaks, which has started releasing a cache of 250,000 diplomatic cables, including details of overseas installations that officials regard as vital to U.S. security.

Official have focused publicly on Army Private Bradley Manning, who is being detained at a Marine Corps base in Quantico, Virginia, as the source of the leak.

NSA, a secretive Defense Department arm that also intercepts foreign communications, conceives of the problem as maintaining the availability and assuring the integrity of the systems it guards, rather than their “security,” she said.

NSA – which insiders jokingly used to say referred to “No Such Agency” – also focuses on standardization and auditing to hunt for any intrusions, Plunkett said. She referred to the development of sensors for eventual deployment “in appropriate places within our infrastructure” to detect threats and take action against them.

Mike McConnell, a retired Navy vice admiral who headed the NSA from 1992 to 1996, told the forum he believed no U.S. government network was safe from penetration.

A third-party inspection of major computer systems found there was none of consequence “that is not penetrated by some adversary that allows the adversary, the outsider, to bleed all the information at will,” said McConnell, director of national intelligence from 2007 to 2009 and now leader of the intelligence business for the Booz Allen Hamilton consultancy.[Wolf/Reuters/18December2010]

Phi Beta Iota: In 1992 NSA knew that shrink-wrapped hardware and software coming across its loading dock was pre-compromised with both hardware and software viruses, Trojan Horse backdoors, and so on.  In 1994 the National Information Infrastructure “leadership” refused to address the need for a $1 billion a year national cyber-security program.  Since then it has simply gotten worse, with the latest (in the last four years) being the ability of the Chinese to ride the electrical circuits into any computer (think of your Best Buy ethernet extender that uses the wiring as a pass through).  The good news is that 90% of what we have behind the green and black doors is not really secret or in such obscure minutia as to be immaterial to national security.  What we should be doing, in our view as the proponent for public intelligence, is this:

1.  Default both Whole of Government and Multinational Engagement to unclassified.  Civil Affairs can lead the way with the Joint Civil Affairs Information Management Sytem that feeds the high side everything, but keeps the open system open.

2.  Set a notional limit of 10% of what can be classified secret within any Embassy, roughly 8% for the spies and 2% for everyone else.

3.  Take the most sensitive stuff completely off the electrical grid (the real reason NSA wants its own power station at Fort Meade and in Utah).

4.  Invest one third of the cyber-war budget, whatever it ends up being (probably half), in education & research relevant to all stakeholders, not just the national security community.  It is not possible to have smart safe spies within a dumb unsafe nation.  It's all connected.

Turning away from secrecy is the single best thing we can do as a government, as a military, as a nation.  It will yield productivity and innovation and foreign relations dividends beyond our dreams.

Everybody who's a real practitioner, and I'm sure you're not all naïve in this regard, realizes that there are two uses to which security classification is put: the legitimate desire to protect secrets, and the protection of bureaucratic turf. As a practitioner of the real world, it's about 90 bureaucratic turf; 10 legitimate protection of secrets as far as I am concerned.

Rodney McDaniel, then Executive Secretary of the National Security Council, to a Harvard University seminar, as cited in Thomas P. Croakley (ed), C3I: Issues of Command and Control (National Defense University, 1991). Page 68.