20 November 2017

Russian Hackers Aren’t NSA’s Biggest Problem


It’s hard to say which is more disturbing: Reports that hackers have obtained some of the National Security Agency’s most classified cybertools and are auctioning them off on the internet – or that, 15 months into its investigation, the agency still doesn’t know if it’s dealing with an outside hack, a leak or both.

In short, the agency is reeling. What the NSA needs most of all – aside from finding out how the hackers, suspected to be a Russian group known as the Shadow Brokers, got the material – is a change in culture. Fortunately, there are precedents for a security agency seeking to restore its reputation and credibility: the actions taken by the FBI and CIA after the moles Robert Hanssen and Aldrich Ames, respectively, were exposed in 2001 and 1994.

The Federal Bureau of Investigation brought in a former director to lead an investigation of the bureau’s security procedures, and the Justice Department eventually issued an unclassified report with 21 concrete reform suggestions (most of which, a review later found, the bureau actually followed). The Central Intelligence Agency brought in the FBI to investigate, and the Senate Intelligence Committee and the CIA itself issued reports with reform suggestions.

In both cases, the reforms were more practical than profound. The FBI created an “anti-penetration unit” to find moles, for example, while it was recommended that the CIA reinstitute random searches of exiting personnel. Nevertheless, over time and with new leadership, both institutions were able to recover from the damage.

So how might this history inform efforts to fix the NSA? One concrete suggestion is to look into whether the huge number of contractors the agency hires presents a security risk. Edward Snowden, who eventually fled to Russia with his stolen secrets, is not alone; two contractors have been arrested in recent years, one of whom was able to take home more than 50 terabytes of data, some of it highly classified. Part of the problem here is that government employees can easily be lured to the private sector for bigger paychecks. The NSA has to find a way to compete and retain its workers.

In addition to protecting government servers, the agency is charged with helping to protect the private sector. It should re-examine its rules about sharing weaknesses it discovers in commercial products to their manufacturers.

More broadly, the agency needs to be far more vigilant about protecting its cyberweapons. According to former officials, it spends 90 percent of its budget on offensive operations and a relative pittance on defense. That balance seems way out of whack. In addition, it may have made an error recently when it eliminated its primary cyberdefense unit, folding it into a new operations directorate that will be dominated by its vast signals intelligence corps.

Last, President Donald Trump announced in August that the U.S. Cyber Command, which has been under the NSA’s control since it was created in 2009, would be elevated to a full combatant command within the military. This transition, which makes sense, is proceeding too slowly.

The NSA’s most urgent task is to find out how the Shadow Brokers got their hands on its cybertools. But it’s just as important that the agency get to the root of the problem behind this embarrassment.

No comments: