US National Security Agency (NSA) badly crippled

Too busy not dying for any cyber-defence stuff

Those accustomed to imagine the US National Security Agency (NSA) as some guild of omniscient, malevolent hermits effortlessly deciphering all the electromagnetic noise enveloping the modern world will be bitterly disappointed to learn that its basic, functional competence is in doubt.

While the Agency has been credited with miraculous achievements such as monitoring every communication made by electronic means worldwide with its famous Echelon system, there's reason to wonder if it will even exist a decade from now.

Whistleblowers urgently needed

The NSA has got severe internal problems, long suspected but only recently confirmed. Conspiracy paranoiacs will of course insist that the Agency is leaking the bad news as part of a subtle plot to throw us all off the scent of their shocking capabilities. But those who understand the frailties of human nature will find it easier to suspend disbelief, and even sympathise a bit.

Far from the perfectly-tuned "Mission Impossible" team of popular myth, the NSA is in fact "an organisation ripe for divestiture; its individual capabilities are of greater value than the organisation as a whole. [Its] lack of leadership is responsible for... the complete breakdown of the NSA governance process," according to an internal NSA report dated 1 October 1999 and released on 17 October 2000 under a Freedom of Information Act (FOIA) request by the journal Inside Defense.

Meanwhile, an external audit summary dated 22 October 1999 and released 17 October 2000 reaches much the same conclusion, noting, for example, that the Agency's "leadership culture... appears most interested in their positions and protecting their people's jobs at the expense of accomplishing the mission."

The second study finds a veritable shopping-list of faults, among them a "broken decision-making process; poor financial management; a broken personnel system; inadequate business management, program management, and system engineering; poor stakeholder relations, particularly with Congress; and an inward-looking culture," all of which, the authors warn, foreshadows "technology obsolescence, [a] gap with commercial practice."

Low morale within the ranks brought on by an irrational system of pay raises and promotions combines with general budgetary madness to make the NSA appear "to operate like an entitlement program."

The Agency has got to integrate itself into the wider intelligence and security community, which encompasses both government and private business interests, in order to stay relevant - in order to survive. But a legendary culture of secrecy and isolation make that its single most difficult challenge.

The "No Such Agency" culture appears to be the consequence of an established environment of back-stabbing and cover-your-ass indifference. The report found that "the present mindset fostered a society where people were afraid to express their own thoughts. Even though people spoke to us with true candour, they always wanted to avoid attribution because of the perception that the information was going to be used against them."

And of course, if these guys can't trust each other, there's little reason for us on the outside to trust them either.

Both reports suggest images of a sinking ship on which no one dares lower a lifeboat, or even mention the painfully obvious. The Agency has created "a culture that discourages sending bad news up the chain of command. [Yet] the staff knows NSA is falling behind and is not properly addressing the inherent problems of the emerging global network."

And if that wasn't enough, to top it off the House Permanent Select Committee on Intelligence stated bluntly in a recent report that "Each type of communication - radio, satellite, microwave, cellular, cable - is becoming connected to all the others. Unfortunately, as the global network has become more integrated, NSA's culture has evolved so that it is seemingly incapable of responding in an integrated fashion."

It has fallen to the NSA's Director, Lieutenant General Michael Hayden, USAF, to address these shortcomings as the Agency struggles for relevance in the digital real world. During a recent NIST security conference, Hayden outlined some of the changes he's already implemented, chief among them a new merit-based pay system to attract and hold talented employees, which the agency often loses in droves to corporate head-hunters.

What did you do in the cyberwar, Daddy?
The General also spoke of NSA's role in cyber-defence, a seemingly natural area of expertise. But the timing is unfortunate. As the Hermit Agency struggles to recover from a crisis of mismanagement and navel-gazing, other government bureaux are pressing it to take both defensive and offensive roles in the anticipated cyber conflicts of the near future. It ought to have made ready to do just that, but clearly has not found the time.

"Many personalities in the [Department of Defence] would like NSA, since it understands the technology, to become a combat element in cyberspace. NSA is resisting this because it can lead to a series of terrible legal quagmires and even more intense scrutiny than it already gets from Congress," a senior US intelligence official told The Register.

"Such roles would bring enormous legal, publicity, and other problems that Hayden doesn't need right now. Thus, Hayden and NSA are contemplating expanded offensive roles, but only insofar as they have to study the issues in order to avoid being stuck with them," he added.

But if the NSA is preoccupied with its own restructuring efforts, we have to wonder who is going to respond if the US or its allies were to sustain a serious information attack.

"The possibility exists that the offensive arm would solely be some government element designated by the President to carry out a covert action. Executive Order 12333 [signed by Ronald Reagan in late 1981] allows the President to pick whoever he determines is capable of fulfilling the task," the official told us.

While there is a working agreement to organise US cyber-defences by the US Critical Infrastructure Coordination Group, chaired by National Coordinator for Security, Infrastructure Protection, and Counter-Terrorism Richard Clarke of the White House National Security Council (NSC), one has to wonder if the spirit of cooperation might not get lost in the sort of inter-agency rivalries one finds throughout the US government.

"Yeah, this field has it also," the official told us, and "with a strange 'religious' overtone -- many agencies are acting like they are fighting to control the future."

The rapid growth and multiplication of interested parties in cyber-defence - military, intelligence and law enforcement - provides an excellent opportunity for empire-building, which could easily take precedence over coordination and integration.

"We have a 'systems-integration' problem," the official observed. "Not enough folks are involved; but much worse is the fact that what we are doing is not well tied together due to the complexity of the technical and organisational interrelationships."

So what we have is something of a paradox, with too many agencies marching to their own drummers, and too few getting to the heart of the problem, which is to exploit what each one does best, and then integrate the parts into a rational cyber-defence strategy. Otherwise, as the NSA's paralysing troubles illustrate, each player's individual preoccupations are really just that. ®

Other stories you might like

  • Prisons transcribe private phone calls with inmates using speech-to-text AI

    Plus: A drug designed by machine learning algorithms to treat liver disease reaches human clinical trials and more

    In brief Prisons around the US are installing AI speech-to-text models to automatically transcribe conversations with inmates during their phone calls.

    A series of contracts and emails from eight different states revealed how Verus, an AI application developed by LEO Technologies and based on a speech-to-text system offered by Amazon, was used to eavesdrop on prisoners’ phone calls.

    In a sales pitch, LEO’s CEO James Sexton told officials working for a jail in Cook County, Illinois, that one of its customers in Calhoun County, Alabama, uses the software to protect prisons from getting sued, according to an investigation by the Thomson Reuters Foundation.

    Continue reading
  • Battlefield 2042: Please don't be the death knell of the franchise, please don't be the death knell of the franchise

    Another terrible launch, but DICE is already working on improvements

    The RPG Greetings, traveller, and welcome back to The Register Plays Games, our monthly gaming column. Since the last edition on New World, we hit level cap and the "endgame". Around this time, item duping exploits became rife and every attempt Amazon Games made to fix it just broke something else. The post-level 60 "watermark" system for gear drops is also infuriating and tedious, but not something we were able to address in the column. So bear these things in mind if you were ever tempted. On that note, it's time to look at another newly released shit show – Battlefield 2042.

    I wanted to love Battlefield 2042, I really did. After the bum note of the first-person shooter (FPS) franchise's return to Second World War theatres with Battlefield V (2018), I stupidly assumed the next entry from EA-owned Swedish developer DICE would be a return to form. I was wrong.

    The multiplayer military FPS market is dominated by two forces: Activision's Call of Duty (COD) series and EA's Battlefield. Fans of each franchise are loyal to the point of zealotry with little crossover between player bases. Here's where I stand: COD jumped the shark with Modern Warfare 2 in 2009. It's flip-flopped from WW2 to present-day combat and back again, tried sci-fi, and even the Battle Royale trend with the free-to-play Call of Duty: Warzone (2020), which has been thoroughly ruined by hackers and developer inaction.

    Continue reading
  • American diplomats' iPhones reportedly compromised by NSO Group intrusion software

    Reuters claims nine State Department employees outside the US had their devices hacked

    The Apple iPhones of at least nine US State Department officials were compromised by an unidentified entity using NSO Group's Pegasus spyware, according to a report published Friday by Reuters.

    NSO Group in an email to The Register said it has blocked an unnamed customers' access to its system upon receiving an inquiry about the incident but has yet to confirm whether its software was involved.

    "Once the inquiry was received, and before any investigation under our compliance policy, we have decided to immediately terminate relevant customers’ access to the system, due to the severity of the allegations," an NSO spokesperson told The Register in an email. "To this point, we haven’t received any information nor the phone numbers, nor any indication that NSO’s tools were used in this case."

    Continue reading

Biting the hand that feeds IT © 1998–2021