Trust and the NSA Reorganization

By Nicholas Weaver
Wednesday, February 10, 2016, 4:11 PM

Yesterday, Susan defended the NSA21 reorganization based on her experience working for the Agency. Her views regarding the roles and incentives of offense and defense might be entirely accurate. But none of that actually matters, because the problem with the NSA reorganization is one of trust and perception. And merging offensive and defensive capacities does nothing to help—and plenty to hurt—public trust.

Even from the outside, one can recognize the fundamental problems tasked to NSA's Information Assurance Directorate (IAD). I’m oversimplifying a bit, but essentially IAD must defend US government secrets and networks, and also work with others to defend the interests of the United States against electronic attacks.

The first problem is probably the easier of the two. Secrets can be secured largely by "throwing a SCIF at it"—when information is housed only within isolated networks, protected by regulated access, Faraday cages, Suite B cryptography, and air gaps, that solves a large part of the problem. True, there is always the disgruntled system administrator (known as the “insider threat”) or those systems that they can’t pull off the net—for example, OPM’s SF86 database. Those cause persistent but hopefully manageable headaches.

But the latter job of protecting US interests generally is far harder. This mission requires that the Agency work with industry as an honest broker. It cannot be seen as intent on using information gathered to sabotage industry's customers or general system security. The trust necessary for this job went up in smoke following the Snowden revelations, which revealed both the vastness of the SIGINT mission and at least one explicit betrayal of the core IA mission. NSA has a long, long way to go in rebuilding this trust.

Recently, I had a chance to publicly ask Rob Joyce, the head of the NSA's Tailored Access Operations (TAO) group, the leading portion of the NSA's offensive role, how exactly the NSA intended or hoped to reestablish trust. He responded that the NSA would continue to work on regaining trust and that in the NSA world "defense wins." But, recognizing that the trust they need to win is from people like me—not former NSA lawyers—it would seem that removing whatever separations remain between offense and defense is calculated to ensure they’ll never be trusted again.

It doesn't actually matter if, in truth, the NSA is both currently structured such that "defense wins" and will continue to be so after the merger. What matters is that the rest of the world must believe that the IA mission is wholly, entirely, and without compromise committed to defense. Absent this trust, NSA advice is inherently suspect; it cannot be a trusted partner in securing the Commercial-off-the-Shelf (COTS) systems on which the US government, industry, and economy rely.

And just seeing the equities process alone is not sufficient. Reviewing those calculations, I would still hesitate to provide IAD with information about a vulnerability in advance of public disclosure. I don’t want TAO to have it, even temporarily, to use against my foreign colleagues before they are aware a patch is needed. That goes to the trust relationships of my own academic community. And the incentives underlying the equities process rapidly change to favor offensive use when there is knowledge of imminent disclosure.

Put simply, a zero-day is just more powerful than an older exploit. When the offense team knows the value is about to rapidly diminish—and the time dimension means IA is more likely to bear only a temporary risk—it’s not difficult to imagine the efforts taken to exploit the vulnerability while it is still unpatchable. It is true that, in this scenario, the damage of early disclosure through offensive use is limited, because another attacker would need time to weaponize the exploit before a patch is released publicly, and there is little such an attack could do to change the patch schedule. So if I tell the NSA about a soon-to-be-patched vulnerability, I’m highly skeptical that “defense” always wins the day.

And my fears about disclosing vulnerabilities in advance even extend to communicating with US-CERT before a patch is available, because it is known that they will share with NSA. Whatever the bureaucratic realities of the NSA’s structure, the fact is that the proposed merger only makes me more hesitant. And I am not alone. So already, the mere proposal is working contrary to important information assurance goals of building public trust.

The NSA should abandon the merger plans because—regardless of the technical merits—the offensive-defensive merger is viewed by the world as a substantially untrustworthy act. I recognize that offense is part of practicing good defense. But you don't see me writing botnets or high-speed worms. Or breaking into systems without permission. Or providing information to those who do. I manage to defend systems without offense as a core mission, and my defense is not likely to be improved by giving offense a leg up.

There are exceptions: as a nation state defender, I would like access to what the offense has discovered on my adversaries. But this represents a mostly one-way flow of information: the offensive people should help my defensive job, but every time I help the offense by providing vulnerability information I run a substantial risk that what I tell the offense gets used against the systems I need to defend.

Furthermore, even the potential for information flows from defense to offense is inherently suspect. NSA supports "data diodes" between systems of various classification. And those same restrictions are necessary between defense and offense; merging the two, by definition, hurts the ability to manage information flows.

I hope that employees with existing or future multiple roles can maintain an intellectual separation between their offensive and defensive roles. Whether others outside the NSA would share this optimism is another story: it is far safer to separate offense and defense completely if you want to manage information flows from defense to offense.

And if NSA really wants to build trust, it is time that they fess up to their actions in effectively backdooring the Dual_EC standard. That activity constitutes an explicit betrayal of the IA mission—and the right response is to address it honestly, which might go some way toward restoring a trustworthy reputation.

And if the NSA was willing to openly address the Dual_EC sabotage, they might be able to better explain why—while it was bad—it wasn’t as bad as largely perceived. Unlike most other backdoors, simply knowing of the existence of a backdoor in Dual_EC does not aid an attacker. Rather the attacker would also need to know the private secret used to create the backdoor. So the NSA could both admit its activity, and also note that they use Dual_EC to protect large amounts of unclassified US government communication. Therefore, they must have believed in the ability to protect the secret used to generate the parameter—and therefore the backdoor—and keep the information safe. Furthermore, there’s no evidence any adversary has compromised the secret. So, in actual practice, the agency hopefully did not actually weaken any cryptography from anybody other than the NSA itself.
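As an added illustration (not part of the original post) of why the Dual_EC backdoor is useless to anyone who lacks the secret: a toy model of the generator and of the Shumow–Ferguson prediction step on a tiny curve. The curve, base point P, trapdoor scalar d and point Q = d·P below are constructed for the example and are not the real Dual_EC parameters; on the real P-256 curve, recovering d from P and Q is an infeasible discrete-log problem.

```python
"""Toy Dual_EC_DRBG with its trapdoor on a tiny curve (constructed example: the curve
y^2 = x^3 + 2x + 2 over GF(17) has prime order 19 and generator P = (5, 1); these are
not the real Dual_EC parameters, and outputs are full rather than truncated x-values)."""
P_MOD, A, B, N = 17, 2, 2, 19    # field prime, curve coefficients, group order
P = (5, 1)                       # public base point; None is the point at infinity
D = 7                            # trapdoor scalar, known only to whoever chose Q

def ec_add(p1, p2):
    """Affine point addition on y^2 = x^3 + A*x + B mod P_MOD."""
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                                   # R + (-R) = infinity
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return x3, (lam * (x1 - x3) - y1) % P_MOD

def ec_mul(k, pt):                # double-and-add scalar multiplication
    acc = None
    while k:
        if k & 1: acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

Q = ec_mul(D, P)                  # the published "random" point Q is really d*P

def lift_x(x):
    """Some point with this x; x(e*R) equals x(e*(-R)), so either lift will do."""
    rhs = (x ** 3 + A * x + B) % P_MOD
    return (x, next(y for y in range(P_MOD) if y * y % P_MOD == rhs))

def dual_ec_step(state):
    """One generator round: r = x(s*P); emit x(r*Q); next state is x(r*P)."""
    r = ec_mul(state, P)[0]
    if r % N == 0: raise ValueError("degenerate state (negligible on a 256-bit curve)")
    return ec_mul(r, P)[0], ec_mul(r, Q)[0]

def predict_next_output(observed, d):
    """Shumow-Ferguson step: e = d^-1 mod N, so e*(r*Q) = r*P, whose x is the next state."""
    next_state = ec_mul(pow(d, -1, N), lift_x(observed))[0]
    return dual_ec_step(next_state)[1]

def recover_d_by_brute_force():
    """Without d an observer must solve Q = d*P: trivial here, infeasible on P-256."""
    return next(k for k in range(1, N) if ec_mul(k, P) == Q)
```

Starting from state 2 the generator emits 3 and then 16; an observer holding d turns the single observed output 3 into the prediction 16, while an observer without d is left with the discrete-log search that only the toy curve makes tractable.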

This kind of an admission would both substantively support the Agency’s position and go a long way in allowing an honest and open public debate. By engaging in this kind of discussion, NSA only acknowledges what everyone already knows to be true and would make significant credibility gains in response. It is this kind of honest accounting, rather than a set of platitudes from Michael Wertheimer, then NSA's Director of Research, that might go far in restoring betrayed trust. But as long as the NSA refuses to even acknowledge its activity, it is difficult to convince anyone that it’s not intent on undermining Internet encryption and therefore basic security for everyone else.

Instead, NSA seems intent on ensuring that they will never be trusted again. The objective reality is this: from the perception of those outside the government, merging the IAD and SIGINT missions is tantamount to eliminating IAD entirely. Trust is a matter of perception as much as reality. "Defense wins?" Whatever the actual truth, for now, the rest of the world says "HA!"