Forgot your password?
typodupeerror
Government Encryption Privacy Security IT

It's Time To Split Up NSA Between Spooks and Geeks 122

Posted by timothy
from the sideline-coaches dept.
Hugh Pickens writes "Noah Shachtman writes in Wired that most of us know the National Security Agency as the supersecret spook shop that allegedly slurped up our email and phone calls after the September 11 attacks, but not so many know that the NSA is actually home to two different agencies under one roof: the signals-intelligence directorate, who can tap into any electronic communication, and the information-assurance directorate, the cybersecurity nerds who make sure our government's computers and telecommunications systems are hacker- and eavesdropper-free. 'The problem is, their goals are often in opposition,' writes Shachtman. 'One team wants to exploit software holes; the other wants to repair them.' Users want to know that Google is safeguarding their data and privacy. The trouble is that when Google calls the NSA, everyone watching sees it as a package deal. Google wants geeks, but it runs the risk of getting spies, too."
This discussion has been archived. No new comments can be posted.

It's Time To Split Up NSA Between Spooks and Geeks

Comments Filter:
  • by Anonymous Coward

    Hats of all colors welcome!

  • by mschuyler (197441) on Saturday March 27, 2010 @02:45PM (#31641532) Homepage Journal

    Aren't they smart enough and rich enough to hire their own geeks? SIGINT is the main job of NSA, period. If you want to hire the wolf to guard the hen house, you take the consequences.

    • by alen (225700)

      NSA has hired most of the smartest math phd's

      • by mschuyler (197441)

        Although I immensely respect math PhDs for their understanding and accomplishments, I'm not sure having a PhD in math grants expertise in computer and network security. My guess is their expertise is used largely in encryption efforts. Insofar as that is useful for network security, fine and great, but there's a lot more to network security than just encryption.

        I really see no evidence that the NSA has scooped up the smartest math PhDs. In fact, the age of Google is making it harder for the NSA to attract m

        • Smarts (Score:3, Insightful)

          by sjbe (173966)

          I'm not sure having a PhD in math grants expertise in computer and network security.

          It doesn't but you're going to find a pretty heavy correlation between the two. Someone good in math is far more likely than average to have or be able to develop expertise in any given use of computers. The skill sets are different but the skills do overlap to a non-trivial degree. I'm sure a PhD is not required to work in computer security at the NSA but I also suspect they have more PhDs in that role than most employers. Just a guess I'll admit but it seems likely.

          My guess is their expertise is used largely in encryption efforts.

          I think you are probably correct.

          I really see no evidence that the NSA has scooped up the smartest math PhDs.

          Cer

          • Re:Smarts (Score:5, Insightful)

            by dgatwood (11270) on Saturday March 27, 2010 @07:47PM (#31643622) Journal

            Someone good in math is far more likely than average to have or be able to develop expertise in any given use of computers.

            Careful there. Being good at math---being capable of learning higher level math concepts---is not the same as having taken the time to do so. A lot of very people don't bother going beyond a certain point simply because their primary interests lie elsewhere. And to some degree, being too analytical can actually hurt your ability to write good software.

            Writing software is not an entirely analytical process. It has some analytical components, particularly in understanding how the parts fit into the whole. However, creating the code itself is also an artistic process in many ways. You must consider all the different ways of doing something and choose the best one, based not just on the current needs, but also on a general feeling about what you might want to do with the code in the future without going overboard.

            • Overly analytical people often over-plan and over-design, resulting in code that is too complex to maintain, is too slow, or takes too long to finish. Getting everything perfect the first time is too important, so nothing ever gets done.
            • Overly artistic people tend to not plan enough, painting themselves into a corner. The result is that the entire project gets thrown out and redesigned every couple of years because they need to add a new feature and the design can't readily accommodate it.

            Thus, good programming requires a very delicate balance between analytical abilities and creative/artistic abilities. Analytical skills are necessary, but not sufficient.

            I would actually argue that programming skills tend to be more strongly correlated with musical ability than math education. Good musicians are generally good at analytical tasks, including math, but also have the artistic ability needed to take that critical step back and pay attention to the system design, the UI, etc.

            I've always found it staggering how many of my coworkers are musicians. In my department alone, it's at least one in three, and many of the people who aren't musicians have kids who are. Whenever we have a department party, we usually get together a group of people and jam. And my previous employer was the same way.

            • Software is engineering. Cryptography is research.

            • Re: (Score:3, Insightful)

              by Listen Up (107011)

              While you make some good points, your arguments are inherently incorrect based upon your misunderstanding of creative problem solving. Here is a link http://en.wikipedia.org/wiki/Creative_problem_solving [wikipedia.org]. Note the second sentence in the second paragraph. Problem solving as a whole is considered the most complex of all intellectual functions. Mathematical problem solving is considered one of the highest, if not the highest, forms of creative problem solving. Also consider for a moment that effectively t

              • Re: (Score:3, Insightful)

                by dgatwood (11270)

                Odd, from what i've seen, most physicists write the worst code of all. Scientists and mathematicians gave us COBOL, BLAS, and LAPACK. They gave us functions with names like xerbla and sgemm. And so on. They tend to create code that is so brilliant that nobody can understand it except the person who wrote it, and after a few weeks, not even that person. That may not be your experience, but the experience is far from uncommon. :-)

                And just to be clear, I didn't say that all musicians would be good program

          • Re: (Score:3, Interesting)

            by inKubus (199753)

            What Google is doing is business intelligence--learning stuff about people, relationships, web pages and then using that information to sell products, in the current case, Advertising. Walmart does the same thing but they collect data about products and people and sell merchandise. There are dozens of other examples. But what they are doing in parallel is forming huge databases of anonymous (hopefully) people data.

            For an agency like the NSA, and what they are tasked to do, this is a huge goldmine of info

    • by jeff4747 (256583) on Saturday March 27, 2010 @05:04PM (#31642580)

      Because besides having the best "hackers" on the planet, the NSA also has the best sysadmins on the planet. Because the aforementioned 'hackers' practice against them.

      This, btw, is why the author's idea is terrible. You want both offense and defense in the same agency so that they can share techniques.

      • Where else is Google going to find someone that understands how to configure SELinux so it can be used in real life.

        Oh, doh! I referenced real life in the same sentence as SELinux and Google in a Slashdot posting on the NSA.

  • How can one side do their job if the other doesn't point out the exploit?

    I feel the same about AV software. If the big AV companies don't have at least a few virus/worm writers on the payroll, how else do they know if their defense software is any good?*

    *Less assume for a moment that AV software is somewhat decent.

  • Nonsensical ... (Score:5, Insightful)

    by krou (1027572) on Saturday March 27, 2010 @02:52PM (#31641596)

    Okay, so TFA is arguing that creating a new agency 'that didn’t include the spooks would' avoid conflict and bring about 'acceptance across the government and the private sector'.

    But right in the beginning, it says '[Google] wants geeks, but it runs the risk of getting spies' when it contacts the NSA.

    If there is no guarantee that Google doesn't end up getting spooks from the NSA, who can say this new agency won't have spooks in there from the NSA?

    Am I missing something here, or is there some magical reason why this new agency won't have spooks embedded there, and it should be trusted any more than the NSA?

  • by bit9 (1702770)

    Google wants geeks, but it runs the risk of getting spies, too.

    How exactly will splitting the NSA fix this? It's a government agency. If the government wants to give you spies, you get spies. Doesn't matter which 3-letter acronym organization they get their paychecks from.

    • Re: (Score:2, Interesting)

      by General Wesc (59919)

      The government is not a monolithic mind. Bureaucratic distance famously hindered information sharing between various agencies pre-9/11, and that was when it was largely in both agencies' interest to cooperate. That wasn't an isolated instance--it's how bureaucracy works. Someone with control over both agencies could force one agency to subjugate its goals to the others', but it's much more complicated, much more controversial, will receive much more resistance, and is over-all much less likely to be attempt

      • Re: (Score:3, Interesting)

        by bit9 (1702770)
        Are you kidding me? First off, I never said the government was a monolithic mind. I said if the government wants to give you spies, you get spies. And by "government" I mean whoever the hell is in charge and responsible for things like getting the telecoms involved in wiretapping, etc, etc. These are not just isolated incidents, and it is pure folly to think that just because bureaucracy sometimes creates organizational barriers, that the government can be controlled and held accountable. The spooks will in
  • Who do you think comes up with the technology to crack encryption of intercept signals?

  • Hell No (Score:5, Insightful)

    by DesScorp (410532) <DesScorp@NOsPAm.Gmail.com> on Saturday March 27, 2010 @03:05PM (#31641706) Homepage Journal

    We do not need yet another federal agency. Splitting them in two will only result in two bigger agencies with an ever ravenous appetite for more tax funds.

    One of the worst things Bush did post 9/11 was creating the spate of new federal agencies. Can anyone say that their flying experience is actually better after TSA was created? Anyone?

    How much good did creating yet another layer of intelligence bureaucracy do us? Did intelligence get any better after we made the Director of Central Intelligence obsolete by creating a Director of National Intelligence? Not one damn whit. It just grew the federal payroll some more, and added more bloat and bureaucracy.

    Vital intelligence work needs to be done, but we need to be trimming down these agencies, not creating new ones.

    • by zill (1690130)

      Can anyone say that their flying experience is actually better after TSA was created? Anyone?

      It's the only way for some of us to actually afford X-ray checkups, you insensitive clod!

    • Re: (Score:3, Insightful)

      by glwtta (532858)
      Can anyone say that their flying experience is actually better after TSA was created?

      The TSA is supposed to make your flying experience better?
      • Re: (Score:2, Informative)

        Not "better".. Safer [aero-news.net]..

      • Re: (Score:3, Interesting)

        by linzeal (197905)

        The TSA is supposed to herd air travelers in ever larger targets for terrorists in front of machines they use to find shampoo bottles in.

        Seriously, how long is it going to take for some terrorist to walk into an airport with a suitcase bomb, sit in line for the TSA till he is in the middle of 100's or even 1000's of people during the holiday season and blow himself up ?

    • by Culture20 (968837)

      One of the worst things Bush did post 9/11 was creating the spate of new federal agencies. Can anyone say that their flying experience is actually better after TSA was created? Anyone?

      To be fair, the only people who have had their planes fly into buildings aren't around to answer. The rest of us have experienced annoyances at the gates, so the boarding experience is worse, but the actual flying experience is just about the same (except the knowledge that just sitting still during a potential hijacking is dumb, so now people are ever slightly more on edge, but that has nothing to do with the TSA).

  • by Daniel Dvorkin (106857) * on Saturday March 27, 2010 @03:19PM (#31641804) Homepage Journal

    Keeping our systems secure, and breaking into the other guys' systems, are damn near the same job. It is a good thing to have the people responsible for both working together, and maybe trading jobs occasionally. There is no American computer security and Russian computer security and Chinese computer security: there is only computer security, and systems which are more or less secure. The NSA has historically been about the only government agency that really seems to get this, and it would be a real mistake to break it up.

    • by budgenator (254554) on Saturday March 27, 2010 @04:21PM (#31642288) Journal

      I've read the article twice and it doesn't support it's own conclusion, if you except as a given that the NSA is bad, a loose cannon in regards to real American's rights it follows logically, if you don't think the NSA is inherently bad the article just panders to the tinfoil hat crowd. Google, an American Corp, and many other Corporations were attacked by an entity that appears was either the Chinese Government, a proxy of the Chinese Government or an entity specifically trying to make it look like the Chinese Government for their own nefarious purposes. Getting the "big guns" involved to help sort out the mess is the only reasonable response, it's what they are supposed to do and what they do.

    • by Etyme (1747182)
      I see two good reasons to split the NSA, neither of which is really discussed by the article: 1.)Computer security is not part of the NSA's mandate. Currently its stated purpose is just spying; it's being pressed into a cybersecurity role because it's the only agency with the talent needed. That means security is secondary to spying. We could change this, but the current system is not optimal from a security point of view. 2.)Perception. The NSA is widely known as a spy agency and that is intimidating. Co
  • by Animats (122034) on Saturday March 27, 2010 @03:50PM (#31642044) Homepage

    This is old info, but NSA used to have a big internal division - the important stuff was at Fort Meade, and the less important stuff was at "FANX", the "Friendship Annex" (out near Friendship Airport, now called Baltimore Washington International). Support functions like personnel were at FANX, and still are.

    Computer security was at FANX. Which was a problem. Being banished to FANX was bad for your career. The top NSA people didn't go to the computer security side of the house. So computer security languished for years.

    All this was back when the USSR was the enemy, and NSA has changed a lot since then. But they still have Fort Meade and FANX, and less important stuff is still at FANX.

    For a while, in the 1980s and 1990s, NSA did do serious computer security evaluations. Industry hated it, because products could fail. The original policy was that a company could submit products for evaluation by NSA. In the first round of evaluation, the NSA people told the company what was wrong, and gave them a chance to fix it. The second round was pass/fail; if NSA could break into it, it failed. There was no third round. Some highly secure systems did pass the tests, but they were not mainstream systems.

    The process is now more "industry friendly". [niap-ccevs.org] Evaluations are made by outside labs, paid by the companies being evaluated. Companies can keep trying over and over until they pass. Failures are not publicized. There are versions of Windows that have passed some level of Common Criteria testing.

    The "geeks and spies" division in the article is bogus. NSA is all geeks. (Mostly the middle-aged federal employee version thereof.) It's buildings full of people working at desks. There are no "NSA agents". The spies and the guys with guns are at CIA, FBI, DIA, and in the intelligence units of the armed services.

    • Re: (Score:2, Funny)

      by Anonymous Coward

      The "geeks and spies" division in the article is bogus. NSA is all geeks. (Mostly the middle-aged federal employee version thereof.) It's buildings full of people working at desks. There are no "NSA agents". The spies and the guys with guns are at CIA, FBI, DIA, and in the intelligence units of the armed services.

      This. I always get a laugh out of people saying "NSA agents"... the classic example was from Sneakers and the "NSA Agents" that were pursuing the decryption box. The only "Agents" that work for the NSA are internal types that manage polygraphs and security clearances. The rest of the people are geeks/nerds... well, actually managers and geeks/nerds. I remember an old joke floating around about the NSA: If the NSA ran a rowing crew it would have 7 people calling out "stroke" (managers) and 1 guy actuall

      • by bhiestand (157373)

        I remember an old joke floating around about the NSA: If the NSA ran a rowing crew it would have 7 people calling out "stroke" (managers) and 1 guy actually rowing (geek/nerd).

        So shouldn't it be 7 people calling out "stroke" while 1 guy fumbles and reaches for his inhaler? :)

    • It all depends (Score:3, Interesting)

      by mikefocke (64233)

      It all depends on what level of Common Criteria evaluation you are talking about. At the higher levels, there is a lab authorized to conduct a product inspection and, once you pass that test, you get a medium level NIAP certificate. If you wish a higher level of CC approval in the US, after this original process NSA itself takes control and does its tests. So the process is still a two step process with NSA involvement...or was about 4 years ago when I was involved in taking an "Orange Book" product through

    • Re: (Score:3, Interesting)

      by Rorschach1 (174480)

      I'd always assumed the idea of "NSA agents" was a myth, too. But if you visit the National Cryptologic Museum, there's a memorial there - apparently a duplicate of the one at Fort Meade - honoring fallen cryptologists. I seem to remember that a bunch of the names were actually just stars, because their identities were still secret. From the museum's website:

      "The Memorial Wall was designed by an NSA employee and is 12 feet wide and eight feet high, centered with a triangle. The words "They Served in Silen

      • Re: (Score:1, Informative)

        by Anonymous Coward

        I have to say that 153 sounds like an awfully high death toll if we're talking about desk workers.

        NSA also includes CSS (Central Security Service) which provides crypto support to military branches. Some of the NSA/CSS personnel wind up on various missions which can be risky... e.g. manning various posts, on board planes/boats, etc.

    • "banishment" was coined since it was a pain to get to the annex and the facilities (back 10yrs ago) we crap. It's changed over the years AND a lot of stuff is done there now since the agency's outsourcing to Eagle Alliance [csc.com]--most of the IT/IA side is heading in that type of arrangement due to budget cuts.
      And a lot of important stuff was done there from time to time. And the real important stuff? Not at the Fort. That was done somewhere else. Though the fort does have the cool (at least to us techies), lowe
  • Moral Responsibility (Score:3, Interesting)

    by HotNeedleOfInquiry (598897) on Saturday March 27, 2010 @04:50PM (#31642496)
    Splitting the two seems like an unfortunate way to let otherwise socially responsible geeks do morally questionable things. Keep the two groups together. Let them be totally aware that they are spies and there is a heavy price for deception and living a lie.
  • Um, sorry to point this out to you, but you run the risk of getting spies by contracting with just a "geek-only" NSA or contracting overseas with other countries.
    • by cpghost (719344)
      With every employee that nurses a grudge against you, and with every employee who thinks he/she needs more than his/her regular salary... heck, with every employee that you hire, your risk of getting spies increases. Sub-contracting NSA or third parties and closely monitoring them is significantly safer than the trusted spies within.
    • by H0D_G (894033)

      that makes 'spies' sound like an infestation. suggestions on a spy repellent?

  • As the wars in Iraq & Afghanistan are winding down the government "especially the republican party" sees the need for a new war. What better way to grease up lucrative contracts between the U.S gov & it's most successful companies than a "cyber" war. The Google breach is clearly an intel/political issue. The technical aspects are minimal & we all knew that great firewall compromised any chance of IT security there yet the story is portrayed as a technical one. Oh my! google was hacked by the chi
  • This is only part of cover story on Chinese vs. Google fiasco.

    Obviously, Chinese used earlier Google "teaming up" with NSA as part of action pretext, and now someone is wrapping up things. That was not so, it is this, and so on. A bit oblique, but it must be...

    Too bad Chinese won't buy it.

    One possibility is - they already "did". And stories like these are to cover tracks when both Google and Chinese pull their moves back.

  • How can you have one side without the other.
    The signals-intelligence directorate to hack every trackable device and the information-assurance directorate to make sure the voice print is correct before the drone is released?
    You can get it killing Dzokhar Dudayev,
    You can get it tracking Abdullah Ocalan,
    you can get it hacking wikileaks - -
    - matter of fact; I've got it now.
    A big predatory ideology in denial needs a big cold agency and the best cold agency is the NSA! No such agency.
  • doesn't mean they won't cooperate (e.g. State Department/CIA).

  • Wouldn't it just be easier to abolish the NSA?

    • by JoshuaZ (1134087)

      Wouldn't it just be easier to abolish the NSA?

      No. First of all, there's a direct public interest in having a government agency which tries to make sure that commercial crypto is secure. That's economically important. It helps businesses and individuals and benefits the general economy. Second, even the spook half of the NSA needs to exist. SIGINT is important. The problem with the NSA rests on overeager SIGINT attempts which violate our rights. But legitimate SIGINT still needs to occur. And if we abolished the NSA the abuses would likely simply migrat

  • Observing this interplay between the two separate groups is the only way to reliably oversee and glean reliable data that either or both are not compromised, or "rooted." It's a brilliant solution. Be glad they implemented it. The next obvious question is, how do they have the oversight mechanisms kept secret and in redundancy? They'd have to be pretty much 100% passive.
  • The NSA has no business existing. Shut down the agency. Secret government agencies have no place operating in an open, free democracy.

    • by cdrguru (88047)

      When all governments are open and democratic, you might have a point. How about the ones that aren't. Should the rest of the world force them to change?

  • We don't know all of what the NSA does, what it spends, how often it succeeds/fails (or even what that means). Nobody is measuring the NSA for cost/effectiveness. One of the few things we _do_ know about the NSA is that some of the shit they pull violates U.S. citizens' constitutional rights.

    What we should do is shitcan the current NSA and start over again. But this time build something that is monitored to ensure that, whatever it does, it does that effectively.

    Of course the same could be said about the CI

    • by gtall (79522)

      Actually, Congress has oversight of NSA. Select committees are briefed on what they do and how the money is being budgeted. What you are complaining about is that you are out of the loop. If Congress wanted you to be in the loop, you'd be in the loop. The same can be said for the CIA, FBI, but I doubt there are hundreds of these other government agencies you apparently believe to exist. But then people believe in UFOs too.

      Shitcanning the NSA and starting over would create....the NSA. Of course, you'd lose a

      • Total utter horse puckey. You're saying that the current NSA is the "best of all possible worlds". Congress doesn't have any idea of what the NSA does. Even the congressmen "overseeing" the NSA have given up. We're coasting on fears left over from WWII and the NSA exploits those fears to keep its budget. Shitcanning the NSA and starting over would:
        1. Save billions of dollars, dollars that could be used for better purposes (e.g., see below),
        2. Clean up some of our government's violations of civil rights,
        3. Prov
  • I don't like Noah Shachtman or his work. I last thought about him when he wrote something about Los Alamos, NM, which I know well. His article was misleading and had a misplaced sense of excitement and drama. At the time, I checked out some of his other work and found that it was similar.

    I put him in with Dvorak. I ignore what he says.

  • by edittard (805475) on Sunday March 28, 2010 @07:44AM (#31646468)

    'The problem is, their goals are often in opposition,' writes Shachtman. 'One team wants to exploit software holes; the other wants to repair them.

    How are they in opposition? Isn't the aim to exploit the ones in their systems, and plug the holes in ours.

  • It looks like the Americans want to split up The NSA to make the Google-NSA relationship look less evil.

Some programming languages manage to absorb change, but withstand progress. -- Epigrams in Programming, ACM SIGPLAN Sept. 1982

Working...