The NSA’s Credibility Takes Another Hit


Henry Farrell passes along the news that the NSA is merging two of its major divisions into a single directorate:

The NSA has traditionally had two big responsibilities. The first — spying and surveillance — gets the lion’s share of public attention (and, it would appear, resources). Yet the second responsibility — protecting U.S. networks from external attack — is also very important….Protecting private U.S. networks and computers from intrusion means creating secure cryptographic standards that make it a lot harder for outsiders to break in. The problem is that other networks in other countries are likely to start using the same standards. This means that the better that the NSA does at securing U.S. computers and networks against foreign intrusion, the harder it is going to be for the NSA to break into foreign computers and networks that use the same standards. If, alternatively, it cheats by promoting weak standards, the security of U.S. networks will be weakened, but it will also be easier for the NSA to break into foreign ones.

As Farrell points out, the Snowden leaks showed that the NSA did cheat: they deliberately tried to introduce weaknesses into crypto standards so they’d be able to break into foreign networks. This makes their merger of offense and defense a big problem:

When the NSA had visibly separate organizational structures, with separate budget lines for offense (attacking other people’s systems) and defense (defending one’s own systems), it helped reassure outside observers a little that the defense perspective has its internal advocates within the organization, even if those advocates often lost. In a combined structure, that is no longer the case. Outsiders will find it harder to adjudicate whether the organization is prepared to prioritize defense over offense (at least some of the time).

And that has consequences….It may make it less likely that businesses will trust the NSA with information about vulnerabilities….It may further erode the dominance of U.S. security standards (and U.S. firms) in world markets. It will surely make the cryptographic community more skeptical of cooperating with the NSA. Because the NSA is the kind of organization it is, it has great difficulty in communicating its true intentions and getting others to believe them, even when it wants to. Split organizational structures (which are costly because they go along with budget lines, factional fighting and so on) are one of the very few ways that it can credibly communicate its priorities to outsiders, and reassure them, if it wants to reassure them, that it is interested in protecting networks as well as subverting them.

To be honest, I’m surprised the crypto community—especially overseas—is willing to cooperate with the NSA at all, given what we now know. They are plainly pretty obsessed with sneaking backdoors into both crypto standards and network devices. If the Snowden leaks didn’t destroy their credibility on this subject forever, I’m not sure what would.

In any case, this is some boring bureaucratic news that might have some real-world consequences. You’ll probably never hear about it again, so I figured it might be worth hearing about it at least once.
