Intelligence Agencies Are Not Here to Defend Your Enterprise

If there is a potentially dangerous side-effect to the discovery of a set of 0-days allegedly belonging to the NSA it is the dissemination of the idea, and credulous belief of same, that intelligence agencies should place the security of the Internet — and commercial concerns that use it — above their actual missions. It displays an all-too familiar ignorance of why intelligence agencies exist and how they operate. Before you get back to rending your hair and gnashing your teeth, let’s keep a few things in mind.

  1. Intelligence agencies exist to gather information, analyze it, and deliver their findings to policymakers so that they can make decisions about how to deal with threats to the nation. Period. You can, and agencies often do, dress this up and expand on it in order to motivate the workforce, or more likely grab more money and authority, but when it comes down to it, stealing and making sense of other people’s information is the job. Doing code reviews and QA for Cisco is not the mission.
  2. The one element in the intelligence community that was charged with supporting defense is no more. I didn’t like it then, and it seems pretty damn foolish now, but there you are, all in the name of “agility.” NSA’s IAD had the potential to do the things that all the security and privacy pundits imagine should be done for the private sector, but their job was still keeping Uncle Sam secure, not Wal-Mart.
  3. The VEP is an exercise in optics. “Of course we’ll cooperate with your vulnerability release program,” says every inter-agency representative. “As long as it doesn’t interfere with our mission,” they whisper up their sleeve. Remember in every spy movie you ever saw, how the spooks briefed Congress on all the things, but not really? That.
  4. 0-days are only 0-days as far as you know. What one can make another can undo — and so can someone else. The idea that someone, somewhere, working for someone else’s intelligence agency might not also be doing vulnerability research, uncovering exploitable conditions in popular networking products, and using same in the furtherance of their national security goals is a special kind of hubris.
  5. Cyber security simply is not the issue we think it is. That we do any of this cyber stuff is only (largely) to support more traditional instruments and exercises of national power. Cyber doesn’t kill. Airstrikes kill. Snipers kill. Mortars kill. Policymakers are still far and away concerned with things that go ‘boom’ not bytes. In case you haven’t been paying attention for the past 15 years, we’ve had actual, shooting wars to deal with, not cyber war.

I have spent most of my career being a defender (in and out of several different intelligence agencies). I understand the frustration, but blaming intelligence agencies for doing their job is not helpful. If you like living in the land of the free its important to note that rules that would preclude the NSA from doing what it does merely handicaps us; no one we consider a threat is going to stop looking for and exploiting holes. The SVR or MSS do not care about your amicus brief. The Internet is an important part of our world, and we should all be concerned about its operational well-being, but the way to reduce the chance that someone can crack your computer code is to write better code, and test it faster than the spooks can.

/* Thanks to friends and connections spreading the word about this post, which originally appeared in LinkedIn, I got a lot of feedback. Some of it was actually reasonable. Herewith is a little expansion on my original points. */

It is true that intelligence agencies do more than attack computers. It does not take long to find source material that documents how we spied on diplomatic conversations in order to give ourselves a leg-up on the other side, even and especially for economic issues. This is not, however, the same as spying for private concerns or defending commercial enterprises. There is a difference between negotiating a treaty that makes good economic sense for the country writ large, and stealing the secret formula for General Tsao’s Chicken (presumably, one grade more finger-licking good than chicken from a Colonel). That an intelligence agencies would do such things does not preclude it from doing other things that could in some way jeopardize the security or even the economic viability of any discrete enterprise. Any given agency has missions that are mostly complementary, but occasionally contradictory. This is why we don’t let people use the networking products made by country X, but we’ll pwn the products of a ‘merican company and do what we can to make sure those products are installed more or less universally. The price we pay for free enterprise is risk, in all things.

Specifically to issues of things-cyber, if you’re not looking for 0-day you’re ceding capability to your adversaries. Assume for a moment four vulnerability researchers of uniform size and density; one American, one Russian, one Chinese and one of unknown ethnicity working for a criminal syndicate. Each is effectively equal when it comes to education, training, curiosity and tenaciousness. Each has effectively the same level of resources and the same tools. Each is given the job of finding an exploitable vulnerability in Product X, which is in use in the vast majority of enterprises worldwide. What is the probability that more than one of them finds the same condition at more or less the same time? Well, it certainly isn’t 0. If I were a betting man I’d say it was north of .5. Now, expand or amplify this situation by several orders of magnitude. That is the landscape that some would have us declare a modern Henry Stimson moment.

For those not familiar with the American way of doing business: federal agencies work for the President. They get their budgets approved by Congress, and are obliged to report to Congress their goings-on (oversight), but the President is their boss. The President reserves the right to do any number of things without asking permission or otherwise involving third parties — including Congress — depending on the situation. I want strong oversight of the intelligence community (see COINTELPRO) but I also appreciate that sometimes, asking 535 people what they think about a situation is only going to make that situation worse. First by making the situation public and second by losing the opportunity to act in a fashion that would have the least negative consequences and in a timely manner. If you cannot appreciate that there is a pretty good chance you’ve never had the weight of the world (or a goodly part of it) on your shoulders.

Intelligence agencies are not the most efficient organizations in the world. Both internally and as members of a nominal ‘community’ they are big, slow, duplicative and wasteful. That translates into a lot of money that isn’t spent as well as it could be. The answer to that situation is to demand more efficiency, not a policy of scorched earth. I don’t like it that kids go hungry or that not everyone has a roof over their heads, but you know what else I don’t like? Ethnic cleansing. I’ve seen what happens when you give people who don’t like other people free reign. Coca Cola ads notwithstanding, the world is a pretty ugly place. Even in pretty, civilized places it can get real ugly real fast if conditions are right. There is a reason why every nation that can afford it — and many who cannot — spy on each other: at any given moment the guy shaking your hand could use his other hand to plunge a shank into your liver. “Trust but verify.” “Nations have allies, not friends.” You’ve heard these lines before? They exist for a reason: that’s how the world works. Wishing it were sunshine and lollipops is not a sound policy if you want you and your loved ones to see tomorrow. I wish it were otherwise.