I’ve been in too many meetings where popular articles led to a string of false - and intensely problematic - baseline ‘truths’ that subsequently led to damaging policy proposals. One of the worst recent articles was by Marc Ambinder, who wrote a piece for Foreign Policy about why the NSA has to support Deep Packet Inspection (DPI) appliances in businesses network. The general premise is that NSA assistance is critical if American companies are to effectively filter out foreign nations’ espionage behaviour. This ‘support’ is supposedly driven by the most recent revelations concerning Chinese attacks against predominantly American business interests.
So, in what follows I’ll pull out offending paragraphs and explain what’s factually problematic and, then, the significance of the false or misleading claims.
[The NSA] has some pretty nifty tools to use in terms of protecting cyberspace. In theory, it could probe devices at critical Internet hubs and inspect the patterns of data packets coming into the United States for signs of coordinated attacks. The recently declassified Comprehensive National Cyberspace Initiative describes the government’s plan, informally known as Einstein 3, to address the threats to government data that run through private computer networks — an admission that the NSA will have to perform deep packet inspection on private networks at some point. But, currently, the NSA only does this for a select group of companies that work with the Department of Defense. It is legally prohibited from setting up filters around all of the traffic entry points.
The issue is that Einstein, even if it is working (which remains unclear, at best), is invasive and isn’t a panacea. It might identify some traffic, but the core kind of data analysis that is required today isn’t so much inbound network traffic as outbound; what is leaving the network, why is it leaving, and do characteristics of the data exiting the network correspond with the authorized users’ normal network behaviours? To be blunt, there is no DPI appliance on the market that is genuinely capable of this kind of user- and network-centric surveillance. There are lots of companies that sell things claiming to perform these actions, but the sales language has not yet met the hype. Moreover, if you’re dealing with state-level actors it isn’t clear why, with their immense resources, they can’t simply purchase the DPI appliances and figure out how they work, and how to subvert their analytics protocols.
Why does this quoted section matter? Because it preps an audience for a magic (networked) bullet, and one that to-date doesn’t exist. And because it convinces an audience that if we just brought NSA-grade Einstein surveillance to bear that we’re figure out how to stop the evil hackers.
The next step may be letting the NSA conduct deep-packet monitoring of private networks. It’s undeniable that Congress and the public probably wouldn’t be comfortable knowing that the NSA has its hardware at the gateways to the Internet. And yet there may be no other workable way to detect and defeat major attacks. Thanks to powerful technology lobbies, Congress is debating a bill that would give the private sector the tools to defend itself, and it has been slowly peeling back the degree of necessary government intervention. As it stands, DHS lacks the resources to secure the dot-com top-level domain even if it wanted to. It competes for engineering minds with the NSA and with private industry; the former has more cachet and the latter has better pay.
The NSA already has it’s hardware at the core choke points of the American Internet infrastructure. This deployment led the Congress to retroactively grant immunity to American ISPs for participating in the NSA’s warrantless wiretapping. It’s what’s led a host of whistleblowers to come forward and disclose the extent of the NSA’s surveillance on Americans. The Agency is already using DPI appliances at Internet choke points: what is being proposed is extending the surveillance to the networks of corporations that are not Internet companies. This means that, rather than just filtering at AT&T’s network, The NSA will also filter at Ford’s network.
The author also asserts that it’s important to leave this to NSA on the basis that DHS cannot presently fulfil this defensive task. NSA knows this. DHS knows this. And, on the mutual basis of this knowledge, NSA is already permitted to assist DHS in securing American companies’ networks so long as DHS takes the lead. What is really changing here is that a foreign intelligence body would be given authority to act independently of DHS. Such a move would be intensely problematic on the basis that NSA is highly secretive, even more than DHS, and is routinely involved in bypassing or finding ways around American’s existing legal protections. The notion that the institution’s ongoing bad behaviour should lend credence and authority to its missions is absurd.
Some private-sector companies are good corporate citizens and spend money and time to secure their networks. But many don’t. It’s costly, both in terms of buying the protection systems necessary to make sure critical systems don’t fail and also in terms of the interaction between the average employee and the software. Security and efficiency diverge, at least in the short run.
While this is true, to an extend, it fails to account for the magnitude of scale. Most large-sized businesses have security staff and dedicated network administrators; there is some defence taking place. It’s the mid-sized businesses that tend to be disastrously under protected. Is the proposal that pretty well all businesses with under, say, 1,000 people will get the benefit of NSA-grade security and surveillance? If so, that’s an awful lot of NSA-compliant gear.
If the NSA were simply to share with the private sector en masse the signatures its intelligence collection obtains about potential cyber-attacks, cybersecurity could measurably improve in the near term. But outside the companies who regularly do business with the intelligence community and the military, few firms have people with the clearances required by the NSA to distribute threat information. (Under the new initiative, the NSA’s intelligence will be filtered through the FBI and DHS.)
It’s important to recognize the DPI equipment isn’t cheap. In addition to NSA signatures you’d likely need an ongoing service contract with the appliance manufacturer. Moreover, to actually run the appliance you’ll either need in house staff or contract out the job; in either case, businesses will see an increase in the cost of business. They may not see a return. Moreover, DPI signatures are not foolproof, and they are often particular to specific appliance vendors. So…will your appliance be ‘compatible’ with NSA intelligence? Moreover, how do you check the NSA’s own signatures to ensure that the Agency isn’t doing something sneaky?
By the end of the article what we’re really missing is critical any analysis of the security properties of the DPI appliances themselves or of the NSA in general. DPI devices exploit the vulnerability of data packets to run analyses/modifications of data either in real-time or, if offloaded to a temporary storage device, offline. In either case, when and if these devices are compromised all of the network traffic coursing through the appliances becomes compromised. So, you can in effect move from dealing with significantly placed compromised devices in your network or dealing with that plus having your sophisticated routers turned against you. And the author’s final lines in the article - yeah, NSA’s been bad in the past, but hey: they’re really on ‘our’ side now! - doesn’t exactly fill a reader with much confidence.
Data security and communicative privacy matters. The boons of the contemporary computer era has led to people across the world using common services for security, for data processing, and for communications generally despite users’ radically different risk profiles. Few users are savvy enough to engage in code-level audits, fewer to ascertain the validity of improperly issued security certificates, and likely even fewer to guarantee that programs’ and operating systems’ updates are from the actual developers. These are problems - important problems - that need to be directly addressed by developers.
It’s always been morally wrong to be cavalier about your software’s security profile, and to just discount the potential vulnerabilities or bugs linked to your tools. Things aren’t getting better, however, on account of state actors becoming more and more sophisticated in how they target and monitor their citizens’ and residents’ communications. Consequently, the blasé attitude towards security that has (largely) focused on successful engineering over successful security in depth is a larger and larger problem. This attitude, especially when it comes to anti-circumvention and encryption software, is leading to individual users ending up seriously hurt, imprisoned, or dead.
Security is important. Speech is important. And ensuring that secure, private, speech is possible is an increasingly critical issue for parties throughout the world. Developers and companies and individuals ought to take the severity of the consequences of their actions to heart, or risk having very real blood on their hands.
Security signs that begin with ‘For your protection…’ essentially end with ‘…we will restrict freedoms & invade privacy’.
You tell em Neil, we need working and relevant services, not to be babied.
This, this is a case of Neil not thinking about the children, right? Right?
I have posted before about the Tibetan attacks, because they offer good insights into this issue in general. But it’s not just the Tibetan activists and other outspoken critics of the Chinese regime that are targeted by this “GhostNet”. I work on Taiwan/China issues in Washington, D.C. Pretty much everyone in that community - be it academics, think tankers, NGO employees, and government officials - are consistently targeted by the kind of “social malware” attacks that are detailed in the two reports. These attacks are very sophisticated, making them really hard to spot, and they show intimate knowledge of what’s going on in the community. Let me give you two recent examples:
On March 26, the Pentagon released their annual report on the Chinese military. On March 27, I received an email ostensibly from one of the people responsible for Taiwan issues at the Pentagon. The email basically said “Hey, here is the expanded version of the report from yesterday, with some additional commentary on Taiwan. I thought you would find it useful”. Attached was a PDF named “China_Military_Power_Report_2009.pdf”, exactly like the official document released by the Pentagon. I work on Taiwan defense issues, so this would be very interesting to me were it real. However, I correspond with this person on a regular basis, and he usually signs his emails to me with his nickname. This email didn’t, which made me suspicious. A Virustotal scan confirmed that the attachment contained malicious software (only detected by 4/38 products, though) and a quick phone call confirmed that the person hadn’t sent an email like that.
In another recent attack, it was the name of the head of my organization that was used to try to trick recipients into opening malicious attachments. He had just returned from a visit to Taiwan, a trip that had been reported on in the Taiwan press. About a week after returning, he received an inquiry from a prominent researcher at a D.C. think tank, asking if he had sent the researcher an email with a trip report from his visit. He had not in fact sent such an email, although it wouldn’t have been unusual for him to do so. I spoke to the IT manager at the think tank, who confirmed that the researcher was indeed tricked into opening the attachment, and that it did contain malware.
And this was just in the last three weeks. I could go on for pages describing various things we have seen over the past two/three years (two more here), but you get the gist. For small NGOs like mine, protecting against infiltration, monitoring our systems for intrusions, and educating our staff to recognize potential hazards has become a huge drain on our already limited resources. The frustrating thing is that there is pretty much nothing we can do about it, except to remain diligent. But at least I’m glad that the issue is continuing to get coverage in the mainstream press.
Gemmy, from a 2009 comment on GhostNet