US National Security Agency (NSA) badly crippled

Too busy not dying for any cyber-defence stuff

Those accustomed to imagine the US National Security Agency (NSA) as some guild of omniscient, malevolent hermits effortlessly deciphering all the electromagnetic noise enveloping the modern world will be bitterly disappointed to learn that its basic, functional competence is in doubt.

While the Agency has been credited with miraculous achievements such as monitoring every communication made by electronic means worldwide with its famous Echelon system, there's reason to wonder if it will even exist a decade from now.

Whistleblowers urgently needed

The NSA has got severe internal problems, long suspected but only recently confirmed. Conspiracy paranoiacs will of course insist that the Agency is leaking the bad news as part of a subtle plot to throw us all off the scent of their shocking capabilities. But those who understand the frailties of human nature will find it easier to suspend disbelief, and even sympathise a bit.

Far from the perfectly-tuned "Mission Impossible" team of popular myth, the NSA is in fact "an organisation ripe for divestiture; its individual capabilities are of greater value than the organisation as a whole. [Its] lack of leadership is responsible for... the complete breakdown of the NSA governance process," according to an internal NSA report dated 1 October 1999 and released on 17 October 2000 under a Freedom of Information Act (FOIA) request by the journal Inside Defense.

Meanwhile, an external audit summary dated 22 October 1999 and released 17 October 2000 reaches much the same conclusion, noting, for example, that the Agency's "leadership culture... appears most interested in their positions and protecting their people's jobs at the expense of accomplishing the mission."

The second study finds a veritable shopping-list of faults, among them a "broken decision-making process; poor financial management; a broken personnel system; inadequate business management, program management, and system engineering; poor stakeholder relations, particularly with Congress; and an inward-looking culture," all of which, the authors warn, foreshadows "technology obsolescence, [a] gap with commercial practice."

Low morale within the ranks brought on by an irrational system of pay raises and promotions combines with general budgetary madness to make the NSA appear "to operate like an entitlement program."

The Agency has got to integrate itself into the wider intelligence and security community, which encompasses both government and private business interests, in order to stay relevant - in order to survive. But a legendary culture of secrecy and isolation makes that its single most difficult challenge.

The "No Such Agency" culture appears to be the consequence of an established environment of back-stabbing and cover-your-ass indifference. The report found that "the present mindset fostered a society where people were afraid to express their own thoughts. Even though people spoke to us with true candour, they always wanted to avoid attribution because of the perception that the information was going to be used against them."

And of course, if these guys can't trust each other, there's little reason for us on the outside to trust them either.

Both reports suggest images of a sinking ship on which no one dares lower a lifeboat, or even mention the painfully obvious. The Agency has created "a culture that discourages sending bad news up the chain of command. [Yet] the staff knows NSA is falling behind and is not properly addressing the inherent problems of the emerging global network."

And if that wasn't enough, to top it off the House Permanent Select Committee on Intelligence stated bluntly in a recent report that "Each type of communication - radio, satellite, microwave, cellular, cable - is becoming connected to all the others. Unfortunately, as the global network has become more integrated, NSA's culture has evolved so that it is seemingly incapable of responding in an integrated fashion."

It has fallen to the NSA's Director, Lieutenant General Michael Hayden, USAF, to address these shortcomings as the Agency struggles for relevance in the digital real world. During a recent NIST security conference, Hayden outlined some of the changes he's already implemented, chief among them a new merit-based pay system to attract and hold talented employees, whom the agency often loses in droves to corporate head-hunters.

What did you do in the cyberwar, Daddy?

The General also spoke of NSA's role in cyber-defence, a seemingly natural area of expertise. But the timing is unfortunate. As the Hermit Agency struggles to recover from a crisis of mismanagement and navel-gazing, other government bureaux are pressing it to take both defensive and offensive roles in the anticipated cyber conflicts of the near future. It ought to have made ready to do just that, but clearly has not found the time.

"Many personalities in the [Department of Defence] would like NSA, since it understands the technology, to become a combat element in cyberspace. NSA is resisting this because it can lead to a series of terrible legal quagmires and even more intense scrutiny than it already gets from Congress," a senior US intelligence official told The Register.

"Such roles would bring enormous legal, publicity, and other problems that Hayden doesn't need right now. Thus, Hayden and NSA are contemplating expanded offensive roles, but only insofar as they have to study the issues in order to avoid being stuck with them," he added.

But if the NSA is preoccupied with its own restructuring efforts, we have to wonder who is going to respond if the US or its allies were to sustain a serious information attack.

"The possibility exists that the offensive arm would solely be some government element designated by the President to carry out a covert action. Executive Order 12333 [signed by Ronald Reagan in late 1981] allows the President to pick whoever he determines is capable of fulfilling the task," the official told us.

While there is a working agreement to organise US cyber-defences by the US Critical Infrastructure Coordination Group, chaired by National Coordinator for Security, Infrastructure Protection, and Counter-Terrorism Richard Clarke of the White House National Security Council (NSC), one has to wonder if the spirit of cooperation might not get lost in the sort of inter-agency rivalries one finds throughout the US government.

"Yeah, this field has it also," the official told us, and "with a strange 'religious' overtone -- many agencies are acting like they are fighting to control the future."

The rapid growth and multiplication of interested parties in cyber-defence - military, intelligence and law enforcement - provides an excellent opportunity for empire-building, which could easily take precedence over coordination and integration.

"We have a 'systems-integration' problem," the official observed. "Not enough folks are involved; but much worse is the fact that what we are doing is not well tied together due to the complexity of the technical and organisational interrelationships."

So what we have is something of a paradox, with too many agencies marching to their own drummers, and too few getting to the heart of the problem, which is to exploit what each one does best, and then integrate the parts into a rational cyber-defence strategy. Otherwise, as the NSA's paralysing troubles illustrate, each player's individual preoccupations are really just that. ®
