Took me a while to clear up time and read Dave Aitel’s post on his experience with the NSA as compared to the interview that Edward Snowden did with James Bamford of Wired. Make sure you do too, and then come back here for a quick reality adjustment.
So, just to set things straight: I agree with the first point that talk about how working at the NSA consists of abiding with a metric ton of rules, regulations and bureaucratic nightmares. It’s also true for most modern western intelligence agencies (your mileage may vary of course, and this is based on personal subjective observations of course).
However, the NSA (and other agencies in other countries) know very well how to bypass these restrictions, and are very happy to use 3rd party resources to do the dirty work for them. That’s exactly how shady (again – my opinion) companies work in the market of intelligence collections, “lawful interception”, exploit research and development, etc.
This also enables overcoming the difficulties posed by the second point in the article, which pertains to the US’s ability to spy on China (and other countries). In order to provide a more cohesive intelligence landscape, you can’t just focus collection efforts on military and government, as civilian infrastructure is always part of the play for both sides (hey – we just talked about using 3rd parties for intelligence. Guess what? The same thing happens with other countries). As such, “crossing the line” is a needed practice that is often outsourced in terms of liability, legality and ethics, to entities that are willing to take said liability/legality/ethics upon themselves.
And just to steal the closing soundbite: “Every country in the world is engaged in cyber espionage to the full extent of its capabilities. The US just happens to be the one that got caught. This time.“
I’m actually going to go out on a limb here and present my (again – MY) opinion, which might pass as complicated by people with very deterministic views (or are being spoon-fed said views through the media of their choice).
So you are back? Great! That being said, I do think that spy agencies should continue spying. BLAM! And yes, it makes total sense to me. Because I do think that spy agencies should keep spying in order to keep their corresponding nations safe. It’s all about the tradecraft and trying to keep a step ahead of your potential enemies.
Yes, that WILL entail walking (and falling over) a very fine line between legal implications and privacy. It means that as always – agencies will spy on foreign nationals AND citizens. Because yes – terrorists and adversaries do not have boundaries that are defined by the color of your passport. And opposed Jake’s claim in his CCC talk, “carpet bombing” is a totally legitimate way to collect and analyze data. I’m not saying that it’s nice, or legal, or ethical, but it’s effective. It’s up to the agency using this technique to justify and qualify what they do. And yes – keep it quiet – just because of this delicate nature of collection.
Now, back to the data. Yes – agencies (and I’m not picking on the NSA here, these kinds of capabilities exist with lots of other agencies), have these kinds of capabilities to wiretap, modify, exploit and persist on a lot of kinds of accounts and systems. It’s what they are tasked with doing. That’s not even news. But I think that the fact that this comes up again is critical because of something completely different: OPSEC. Operational Security.
The NSA has fallen (again) to the oldest sin of spying – getting cocky. You can see the same behavior from anyone who’s picking up a new capability – be it a script kiddie picking up Metasploit for the first time, someone getting to be decent at martial arts, or any other skill. They get cocky. And think they are unbeatable. And that’s when mistakes start to show up. Basic OPSEC. And I believe that this is an important lesson to learn. Again. Because OPSEC is not a compliance thing that you check off once and forget about it. It’s a basic practice that (should be) taught to everyone that participates in tradecraft. And practiced. And apparently the NSA isn’t that great at it (surprise!). Hence their powerpoint slides are all over the Internet now.
So that’s my little 2c on the topic. Yes – I support spy agencies continued practice, and yes – I support anonymity and privacy, and yes – I support the law and the need to keep improving it. I support the creation of free and open source software designed to enhance your anonymity and privacy. I have actually met Jacob a couple of times (and found it funny that he’s freaking out every time we do meet), and actually think he’s a great guy. Same for Moxie. Complicated? I mentioned it at the beginning. So there you have it. Deal with it.
Now go watch Jake’s talk from CCC. You have to. Because I said so. And for crying out loud – get your OPSEC together.
It’s been a long time since my last post, but trust me for all the good reasons (i.e. work). This one is long due, and has been recently fueled after I had a chance to attend RAND’s Martin Libicki’s brief at the Tel-Aviv University.
Martin is a great source for debate and thought exercises as he is fluent in many realms of the subject at hand, and has been trained as an economist which makes it much easier to broaden the debate into politics and diplomacy.
I’ll address a few key elements of the brief – at least the ones that speak to me the most in terms of research and ongoing work that we are engaged in on a national, international and local levels.
First – the ever provoking “there is no CyberWar” statement. Immediately followed by “this is the definition of CyberWar as I see it”… Obviously, with a definition that closely resembles war as defined in other domains (land, sea, air, space), it’s hard to see how one can state that CyberWar was ever engaged (or ever will be for that matter). But the key here is not to treat the Cyber domain as “another” domain and try to use the template of the traditional domains when defining it. Cyber is a game-changer, it’s not a domain like any other, it has its own rules, territorial issues are mute here, jurisdiction is a mess, and accessibility is even worst. It’s almost impossible to define what a conflict is in Cyber, what an engagement is in terms of forces colliding and how is aggression defined. Nevertheless, all the issues mentioned in the last sentence have risen many times over the last decade, and yet some refuse to realize that in several occasions it was indeed a state or form of warfare.
The second issue is deterrence. On this one I almost completely agree with Martin’s approach which speculates whether real deterrence can be subjected into the domain. Nevertheless, I do believe that sustained and proven threat over the opponent’s critical infrastructure, financial and base production facilities can be used as a deterrence factor. You do not need missile silo counts to prove deterrence in the Cyber domain, you need sustainable access to critical systems, and a prove that you can retain such access in light of some vulnerabilities and key access elements being taken off the table by the defensive strategy. For that – enter espionage… With a combination of cyber-domain capabilities, and a solid intelligence practice (i.e. both gathering as well as proactive), one side can create a situation where such access to critical elements in the other side’s Cyber domain are kept consistently under surveillance and accessible to modification/sabotage.
Which leads to the last issue, which has surprisingly raised a lot of eyebrows lately – even from people who I consider proficient in the “Art” of international relationships and diplomacy: the “legality” of espionage. Face it – espionage has been and will always be a fully acceptable part of a nation strategy. It is accepted at all level of diplomacy, and by every nation. Everyone knows that everyone else is engaged in it, and is putting a lot of resources to make sure that their efforts are successful while trying to minimize everyone else’ efforts in their own territory. The same applies for the Cyber domain. It’s no big surprise that the US finds itself dealing with a major espionage case (on the commercial level) almost every year, and just think about all the cases that are not made public in the government, and military sectors… But have no fear – the other side is being spied on just as well with skills that do not fall short (and usually surpass) of what the US is subjected to. It’s a fact of life, so stop whining about it (and excuse the burn notice cameo).
To conclude – I truly think that dealing with such a young and ever evolving domain is a great challenge – both technologically, as well as from the diplomacy / international relationship aspects of it. And until we’ll have some shape or form of formalized discourse on this domain (such as the efforts put in by NATO, the UN and a few of the world’s largest nations), it’s a free-for-all playground that is going to keep providing us with moral, technological and sociological challenges. BRING IT ON!