The NSA's Credibility Takes Another Hit

Henry Farrell passes along the news that the NSA is merging two of its major divisions into a single directorate:

The NSA has traditionally had two big responsibilities. The first — spying and surveillance — gets the lion's share of public attention (and, it would appear, resources). Yet the second responsibility — protecting U.S. networks from external attack — is also very important....Protecting private U.S. networks and computers from intrusion means creating secure cryptographic standards that make it a lot harder for outsiders to break in. The problem is that other networks in other countries are likely to start using the same standards. This means that the better that the NSA does at securing U.S. computers and networks against foreign intrusion, the harder it is going to be for the NSA to break into foreign computers and networks that use the same standards. If, alternatively, it cheats by promoting weak standards, the security of U.S. networks will be weakened, but it will also be easier for the NSA to break into foreign ones.

As Farrell points out, the Snowden leaks showed that the NSA did cheat: they deliberately tried to introduce weaknesses into crypto standards so they'd be able to break into foreign networks. This makes their merger of offense and defense a big problem:

When the NSA had visibly separate organizational structures, with separate budget lines for offense (attacking other people's systems) and defense (defending one's own systems), it helped reassure outside observers a little that the defense perspective has its internal advocates within the organization, even if those advocates often lost. In a combined structure, that is no longer the case. Outsiders will find it harder to adjudicate whether the organization is prepared to prioritize defense over offense (at least some of the time).

And that has consequences....It may make it less likely that businesses will trust the NSA with information about vulnerabilities....It may further erode the dominance of U.S. security standards (and U.S. firms) in world markets. It will surely make the cryptographic community more skeptical of cooperating with the NSA. Because the NSA is the kind of organization it is, it has great difficulty in communicating its true intentions and getting others to believe them, even when it wants to. Split organizational structures (which are costly because they go along with budget lines, factional fighting and so on) are one of the very few ways that it can credibly communicate its priorities to outsiders, and reassure them, if it wants to reassure them, that it is interested in protecting networks as well as subverting them.

To be honest, I'm surprised the crypto community—especially overseas—is willing to cooperate with the NSA at all, given what we now know. They are plainly pretty obsessed with sneaking backdoors into both crypto standards and network devices. If the Snowden leaks didn't destroy their credibility on this subject forever, I'm not sure what would.

In any case, this is some boring bureaucratic news that might have some real-world consequences. You'll probably never hear about it again, so I figured it might be worth hearing about it at least once.