NSA Tasked With 'Policing' Government Networks

Novus Ordo Seclorum writes "The NSA has a new assignment. No longer merely responsible for signals intelligence, the NSA now has the task of defending against cyber attacks on government and private networks. 'The plan calls for the NSA to work with the Department of Homeland Security and other federal agencies to monitor such networks to prevent unauthorized intrusion, according to those with knowledge of what is known internally as the 'Cyber Initiative.' Details of the project are highly classified. Director of National Intelligence Mike McConnell, a former NSA chief, is coordinating the initiative. It will be run by the Department of Homeland Security, which has primary responsibility for protecting domestic infrastructure, including the Internet, current and former officials said. At the outset, up to 2,000 people -- from the Department of Homeland Security, the NSA and other agencies -- could be assigned to the initiative, said a senior intelligence official who spoke on condition of anonymity.'"

Bound to make the next issue of the 360is quartery

[Anonymous Coward]

This story is bound to make the next issue of the 360is [360is.com] quaterly bulletin "Executive Intelligence" [360is.com]. AG

Re:Bound to make the next issue of the 360is quart

[crmartin]

Can we say "traffic whoring", children? I knew we could.

Government Networks

[mastershake_phd]

I would hope important government networks would not be on their own network and thus not susceptible to "cyber" attacks.

Re:

[moderatorrater]

My guess is that the NSA isn't in fact of the firewalls, etc, but that their style of attack will be making anyone attacking government networks spend a week or so with Gene Hackman. That'll learn em.

Re:Government Networks

[Walt Dismal]

I'm sure they will be just as competent as the TSA. Every packet will be strip-searched, cavity-probed, and required to drink its own breast milk. All packets will have to take their shoes off. And all packets named Ted Kennedy will be put on a "No Fly" - oops I mean "No Route" - list. All in the name of protecting the purity of your ones and zeros. We don't want any Muslim data sullying our clean Baptist data bits.

Re:

[crmartin]

No, NSA's pretty good. See, when they find someone competent at CIA, they make them transfer to NSA.

Seriously, most of the things you now think of as common computer security were either invented at or with funding from, the NSA.

Re:

[Catmoves]

Let's hope you're right. Our ecofriendly buddy, China, has been probing (sometimes successfully) varous American government sites for some years. In fact, I can't think of any truly armed nation that isn't trying to probe American Government sites.

Re:

[crmartin]

Not to mention a million script kiddies doing it just for grins.

Re:

[MollyB]

That would be my hope, too, but the gummint always seems to be a step or seven behind current threats. We're probably already toast...

Re:

[blueg3]

The important government networks are on their own network, though there's some evidence that there are a few improper bridges between the two networks. The NSA has, in the past, been tasked with guarding these private networks.

This new program is tasking the NSA to also guard important public networks.

My suspicion is that this is providing funding and regulations for a task the NSA was already falling into doing. There have been some rumors going around about the NSA dropping support for SELinux because th

Re:

[rs79]

"This new program is tasking the NSA to also guard important public networks" "

Let me translate from Washington-ese for you:

"we now have 2000 poeple to make sure all government windows servers are patched".

If they even do that much I'll be impressed.

Re:

[blueg3]

I can invent translations as viably as you can. They already have people tasked with software updates.

You won't be impressed, though. You probably will not find out what it is they end up doing. This is the NSA, after all.

Re:

[Martin Blank]

Actually, there's a good chance that you will. I suspect that we'll see a resurgence of the NSA Security Configuration Guides [nsa.gov] (which already have seen a little bit of a spike in the last couple of months) as this spreads out, including information on how to pick firewalls and IDS, additional information about securing a DMZ and even when to use them, and further recommendations on how to lock down clients. Microsoft has picked up some of the heavy lifting when it comes to the major portions, as its securi

Re:

[crmartin]

There's definitely more work being done along these lines.

Re:

[crmartin]

Well, some of them. I know of networks that are not only not connected to public networks, they're using isolated power and they run inside a Faraday cage.

But there are a lot of things where you need access to the outside world, one way or another. (Think about trying to work nowadays without access to Google.) Going the other direction, there are applications for government systems that need to be public: think about, for example, Social Security stuff. But if the Social Security networks were hacked,

All I'm saying is..

[wamerocity]

If some guy walks into the meeting and turns off your Surface-to-Air missiles in the middle of a joint chief of staff meeting using just his laptop and an internet connection, like in "Live Free or Die Hard", you make sure you listen to him, and don't just blow him off.

After all, you know the saying, "Those who do not learn from the history presented in movies, are bound to repeat it."

DHS,FBI,NSA...

[timmarhy]

How many freaking police departments does america need? all 3 of them seem to be falling over each other in one big orgy of mission statments and juristiction battles.

not to mention the litteny of local and state police departments.

Depends on what you mean

[Sycraft-fu]

The FBI is the only police department, at least at this point. The FBI is the federal government's police. Most policing is done at the city or county level, some at the state level. However for crimes that span states, crimes on federal land/property, crimes against the federal government and so on there is the federal police, the FBI. The NSA and CIA are not police agencies, they are spy agencies. The CIA is human intelligence, the NSA is signals intelligence. What that means is the CIA is all about getting information from people, be it by attempting to place spys or turning other agents or whatever. The NSA is all about getting information electronically, by wiretapping, listening in on radio waves, and so on.

The reason to have these separate is in part because it is very different kind of jobs, but also to try and prevent abuses. In theory (though we've seen that it isn't obeyed) the CIA and NSA don't do domestic operations. They are for spying on foreign powers, not US citizens. By maintaining an organizational divide it helps keep abuses down.

The DHS is a good idea at the high levels in an amazingly fucked up and retarded implementation. The idea is that the NSA and CIA often know things that the FBI doesn't, and vice versa. This is not to mention other intelligence agencies and so on. So often, everyone has a piece of the picture, but nobody can see the whole thing. This was the case with the time leading up to 9/11. Various groups knew pieces, but nothing solid. So the idea is DHS helps get the information collected and formed in to a solid picture. They get facts from all groups, NSA, CIA, FBI, customs, state and local cops and so on, and to then be able to coordinate action.

In reality they are a big waste of time and money that does nothing useful.

But really we want intelligence and police to be separate and we also want the police broken down in terms of power. Having one big federal police force would be problematic. At least with local policing voters can, in theory, hold their police more accountable. They have a say in how local issues are handled. Also, laws differ from state to state. What is true in one state is not true in all of them. Law enforcement needs to be segmented to take that in to account.

As a comparison look to Europe. There you are talking about an area of similar size and population (similar as in the same basic level, not as in equality). While there are European wide things like Interpol, each nation has it's own police, and often subdivisions below that. Also those police forces are usually separate from intelligence forces.

The US really isn't different in that regard, it is just a very large nation. A great many nations are smaller than a number of US states.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[crmartin]

Bamford's not bad, although you have to watch for his biases. But he gets the information right enough that it's a little nerve wracking.

Re:

[ScrewMaster]

Hell, even Tom Clancy got his information right often enough that it resulted in multiple visits from the Feds. But he put it all together using publicly-available information.

Doesn't mean they weren't a wee bit distressed.

Re:

[crmartin]

Clancy also got information fed to him on purpose, sometimes not particularly public ... until the book came out.

That's the problem with doing intelligence stuff --- not much glory. Not much publicity. Hard to let people know about successes, and too often your failures get exposed in leaks that are part of internal bureaucratic battles.

The interested student might usefully consider this in relation to, eg, Valerie Plame.

Re:

[ScrewMaster]

That's the problem with doing intelligence stuff --- not much glory.

Kinda like the average network administrator.

Re:

[crmartin]

Absolutely true --- I was just arguing this with someone: they were suggesting "number of trouble tickets processed" as a measure of how productive an admin is. I was noting that having no trouble tickets at all would be even better, but wouldn't look "productive".

CIA ends up in the unenviable position, in general, that only their failures get publicity, just as only admin problems get trouble tickets.

Re:

[rtb61]

The NSA was also meant to specifically target foreign signals intelligence and is already implicated in US warrant less domestic wire taping. Hmm, securing domestic government and private networks, I suppose against everybody except themselves, built in warrant less wire taping, after all how else can you secure a network but by monitoring all the data flowing across it, they wont peek, promise ;).

Re:

[vtcodger]

***The FBI is the only police department, at least at this point.***

Except of course when the ATF (Treasury Department), Secret Service(DHS), DEA (Justice Department), etc, etc, etc is the federal police department.

***What that means is the CIA is all about getting information from people, be it by attempting to place spys or turning other agents or whatever***

Not really. That's part of their job, but mostly they are supposed to integrate public information (e.g what they read in foreign newspapers a

Re:

[MikeBabcock]

You missed out on the Secret Service, which also have a long history of varied responsibility. From currency monitoring to protecting the president, to others.

Re:

[Sycraft-fu]

That's not the only one I left out. The federal government has a ton of investigative agencies, and a ton of intelligence agencies. However the FBI is the federal police force. They are tasked with general policing when it comes to federal issues. The Secret Service is the treasury department's force for financial crimes, and also do things like presidential and some diplomatic security. However not all, the DSS handles many other diplomats for security. Also the SS only does direct financial crimes, tax re

Re:

[jmauro]

Actually, the FBI, Bureau of Alcohol Tobacco and Firearms (ATF), the Secret Service, Park Police, Border Patrol, Drug Enforcement Agency (DEA), DC Metro Police, US Coast Guard, Environmental Protection Agency (EPA) and Customs all have differing responsibilities as the police of the Federal Government. There are probably more agencies, but those are all the ones I can think of at the moment. It all depends on what you're doing it and where you're doing it at. There has never been one "Federal Police Se

They all need one wiretap. Re:DHS,FBI,NSA...

[Erris]

DHS is going to "monitor" your local government network. Bin Laden is a bogeyman, the goal is Total Information Awareness. They already have taps on domestic phone and internet, now they will get their taps into local networks. This is just another turn of the collection and enlargement of federal power. No real information security will be gained as they add yet another channel to leak information.

"on government and private networks. "

[rts008]

Does this mean that DHS and the NSA will 'police' my private network?...Cool!!

But I have to ask, does it run on Linux...natively?

Re:

[klingens]

Of course. It will come with a government approved WINNE installation so you can run it

Depends

[Opportunist]

If you're considered a valuable corporation, they'll defend you, no worries. Against you, if necessary.

Re:

[BiggerIsBetter]

But I have to ask, does it run on Linux...natively?

Yes, but only on SELinux [nsa.gov].

Re:

[rts008]

LOL!!

Thanks for the link, I have been batting around the idea of trying SELinux for a while after chatting with my little brother. He does network security and forensics for the State Dept. and we were talking about SELinux and he got me intrigued. Guess I should check it out finally.

One agency?

[Xiroth]

Well, all I can say is: good luck. That's one hell of a job to give to a single agency and still allow for the flexibility that the individual departments and agencies require. Should we be expecting a massive, wasteful consultancy project, then?

Re:

[El Torico]

I suppose it'll be efficient to scan packets I send to make sure I'm not doing something evil and packets I receive to make sure nothing evil is being done to me.

Sure it will be efficient; just use an RFC 3514 Network IDS.

ohh yeah

[User 956]

...according to those with knowledge of what is known internally as the "Cyber Initiative." Details of the project are highly classified.

Well, if it's highly classified, then we can ount on the fact that it's money well spent

(/sarcasm)

As long as the scope is minimal...

[mind21_98]

It seems like its primary mission is to protect against attacks on government networks, not spy on individuals. But, considering the bad record the US government has held as of late, I don't quite trust them.

Sigh. I wish for better days.

Re:

[whistlingtony]

There never were any. Ever. I doubt they're coming either. :D

Re:

[symbolic]

I PRspeak, its primary mission is to "protect against attacks on government networks". God only knows what will happen when reality hits the fan. I'd like to think we've learned at least something from the illegal spying via secret backbone routers, and the sellout that is AT&T.

NSA hardened Linux...

[Joce640k]

The NSA has their own Linux distro [nsa.gov], specially hardened for security.

Let's hope they start deploying it more widely... :-)

Re:NSA hardened Linux...

[Wyzard]

SELinux is not a distribution, it's a security module in the kernel. These days it's part of the standard kernel.org tree, and some distributions (such as Fedora/RHEL) enable it by default.

Re:

[crmartin]

Well, no. At first, SELinux was a full disty because you needed kernel hacks. Now, the kernel hacksfeatures are in the standard kernel, but you still need additional userland components to use them.

Or, better yet, you can get Solaris 10, add in Trusted Extensions, and get all the power of SELinux and a multilevel X server, with Common Criteria and FIPS certifications.

Re:

[crmartin]

You're making an amateur mistake: you think "secure" means "can't possibly allow violations." What it really means, technically, is "makes clear what things you can trust, and to what extent."

In Solaris10/TX, you can set it up so you don't have a root account at all; there's a much more complicated, and much more capable, permissions system. There's still a limit to how much trust you can put in it.

MULTICS was evaluated to Orange Book A1 at one point; that meant you could have even more trust in it. You

Re:

[crmartin]

Yeah, and? You mean you've discovered that technical people use words in more precise ways than they're used generally?

Who'd'a thunk it?

Setec Astronomy

[Wowsers]

... Details of the project are highly classified.

But not secret enough to issue a press release about it?

Re:

[crmartin]

But not secret enough to issue a press release about it?

See, you're confusing NSA and CIA again.

Which is worse?

[Stochastism]

I've been pondering which of these is worse for some time:
- The UK's overt population surveillance through CCTV monitoring,
- or the US's covert population surveillance through electronic eavsdropping.

So take your pick, pixels or all other forms of bits!
(Wait, I think I just answered my own question)

Re:

[JamesRose]

I live in england, my school monitors my internet use, has over 30 surveillance cameras, including in our study area, has finger print activated doors and has my finger prints on file.

America's got nothing on us, don't worry, I'm leaving my school ASAP, insisting they delete all the information and if they don't provide me with satisfactory use they have I'll sue them.

Re:

[Stochastism]

Okay, wow. Does using /. put you on the subversives list?

Re:

[Anonymous Coward]

I can only think of one reason for a school to have such extensive monitoring systems... not to keep the children safe... but rather to train them to think such monitoring systems are normal right from the beginning of their lives.

Think about this for a moment please! Am I really overlooking another possible reason?

Hrmmm...

[VE3OGG]

Why do the words "Stazi", "SS", "Gestapo", and "Praetorian Guard" jump to mind?

It seems that this has happened before in history -- where you give one (or more) "secret police" power over everyone with no true checks and balances. From my understanding (which admittedly may be very flawed), the Department of Homeland Security answers exclusively to the executive branch, and now it also seems to control a (fairly large) group of intelligence officers. Do the words "consolidation of power" mean anything? No?

W

Re:

[crmartin]

Why do the words "Stazi", "SS", "Gestapo", and "Praetorian Guard" jump to mind?

Because you're an idiot?

Re:

[c6gunner]

Why do the words "Stazi", "SS", "Gestapo", and "Praetorian Guard" jump to mind?

Because you're retarded?

Ok, maybe not retarded, but deffinitely brainwashed past the point of logical thought when it comes to anything government related. You've now got an automated twitch-reflex. I'll bet every time a cop walks by, you throw yourself on the ground and scream "DON'T TASE ME, BRO!".

Re:

[crmartin]

Yeah, what you said.

Ha ha

[DogDude]

Ha ha. I got a good chuckle over this. Government employees tend to be government employees because nobody will hire them in the private sector. The best and brightest certainly don't work for any branch of the US gov't. Hell, this is the same government that couldn't even help hundreds of thousands of people in our own country after Katrina. Good luck NSA. You're gonna need it!

Re:

[blueg3]

In many of the more specialized jobs, people work in the private sector either because they don't want to work for the government or because they couldn't get hired by the government. Most of the NSA and much of the FBI is like this.

Re:

[rosesuchak]

My thoughts exactly. What are we going to get? Some kind of New Orleans dike-like firewall? DHS Don't Hablo Sh-t!

How this Will Be Implemented

[Jah-Wren Ryel]

2008 PRNewsWire - Today Symantec and the NSA announce a merger. The NSA will become a wholly owned subsidiary of Symantec Corp. In exchange, Symantec will issue 100,000 shares of common stock to each member of Congress.

Coming soon to a network near you - NortonNSA!

Is this really news?

[Anonymous Coward]

I know NSA is the bad guy of the week, but this doesn't really sound like a "new responsibility" to me. NSA has, almost from the beginning, been composed of the Signals Intelligence and the Information Assurance Directorate, which does exactly what this article is talking about, and has for quite some time now.

Not a chance

[JustNiz]

this will be what it claims ot be on the surface.

It will actually turn out be yet another way of snooping in on citizens without needing to get judicial permission first. I'm sure the RIAA will get involved too so the whole thing will be mostly twisted into blocking or reporting on copyrighted media sharing etc.

And, as ever, all conducted under the guise of anti-terrorism.

At least they're using their tech to better use

[Bananatree3]

I personally like this turn of events, as the US govn'ts tech security score card has rarely risen above "D". I just wish they would transfer their effort from monitoring some average joe's cellphone/email/blackberry/web surfing to this.

On second thought...

[Bananatree3]

as per typical slashdot style, I didn't RTFA. After reading it though, this sounds fairly invasive. The "infrastructure" monitoring covers most everything now that the vast majority of America's systems are controled through computers. As long as they're just putting up more firewalls and stopping hacker attacks, fine. I fear however with this administration that information gathered may find its way into some metadatabase where ID'ing people is standard.

Re:

[Plugh]

Quoth the poster:
I fear however with this administration that information gathered may find its way into some metadatabase where ID'ing people is standard.

Fears about this administration means you haven't studied US history too much.
As Thomas Jefferson said, "It is the natural progress of things for Government to grow, and Liberty to yield"

Guess what? Republicans will sell your freedoms up the river "to keep you safe". Democrats will sell your freedoms up the river "to help the disadvantaged". Liber

This might actually work.

[Animats]

This actually makes some sense. NSA has two main divisions - Signals Intelligence, which collects information, and Information Assurance, which tries to protect US information. Traditionally, these were the codebreaking and codemaking sides of the agency.

It's a boost for NSA Secure Linux. The real intent of NSA Secure Linux, by the way, was not to plug holes in Linux. It was to get something that enforced mandatory security out into the community, so that that applications would be converted to run under stricter rules. For example, a browser should be running as several components, some of which are secure but dumb and some of which are insecure but untrusted. Few application developers picked up on this. That part didn't get enough community attention.

NSA takes a quite different view of computer security than the "security industry". They're less concerned about annoying high volume attacks, and more concerned about quiet, focused attacks aimed at specific targets. They're also very interested in who's behind the attack, and will devote collection resources to finding out more about the attackers.

This last may give some attackers something to worry about.

In other news from 1952, Eisenhower Elected

[crmartin]

Sorry, kids, but this has been part of the NSA's duties since is was chartered on Nov 4 1952. Don't believe everything you read in the funny papers.

Re:

[c6gunner]

They had the Interweb in 1952?

Re:

[crmartin]

No, but they had signals intelligence and defense against signals intelligence.

Wrong

[pal3f]

Sorry, kids, but this has been part of the NSA's duties since is was chartered on Nov 4 1952.

No it hasn't.

From TFA:
In a major shift, the National Security Agency is drawing up plans for a new domestic assignment: helping protect government and private communications networks... [emphasis added]

This is such a "major shift" that (once again, from TFA):
The NSA's new domestic role would require a revision of the agency's charter, the senior intelligence official said.

Re:

[crmartin]

Oh, you don't have to quote back the article to me: I read the article. I'm saying it's wrong. It's not a radical change, and it's not a statement that NSA is doing something radically new. It is, at most, formal recognition of something that's been true in practice since, oh, at least the early 80's that I know of personally. Probably driven by the FISA stuff, since that is in itself a formalization of something NSA has been doing forever.

So let me see if I've got this right...

[PingXao]

The most secretive agency in the United States government is getting involved in law enforcement and the nature of their involvement is highly classified. Nope, nothing to worry about there.

Re:

[crmartin]

Dude, you know the name "National Security Agency". It's not the most secretive agency within the US government.

besides, NRO [nro.gov] is more secretive and it's still known by name.

Send them after the zombie networks

[sjames]

Those networks are easily capable of DDOSing important government servers and whole networks. Furthermore, when they're not busy flooding Estonia off the net, they're used to spam the world pushing illegal copies of 0ff1ce and Acr0bat (probably to fund terrorist training camps in Nigeria), phishing scams (probably also to fund terrorists) or exposing children to porno ads. Why not have the NSA track down the ringleaders and then have the CIA make them quietly disappear?

That would do at the very least as m

Re:

[Chili-71]

...have the CIA make them quietly disappear...

While we are discussing government agencies, the correct term is "terminate with extreme prejudice". :)