soh.am  does c.s. research, builds robots, codes, does stand-up, has a podcast & writes.

You are reading something Soham Sankaran wrote. Return to the writing index.
Feel free to find him on twitter @sohamsankaran or email him at soham@(this website).

Nobody's Securing America

The NSA is ludicrously bad at protecting the U.S. from enemy hackers, and it's about to get worse

Published February 14, 2016

NSA headquarters at Fort Meade, Maryland

When people I know who aren’t involved in information security think of the National Security Agency (NSA), they usually think of a secretive organization whose mandate is to spy on digital communication within and outside of the U.S. in the name of national security. The Snowden leaks, Glenn Greenwald’s obsessive reporting and wall-to-wall coverage by (though sometimes reluctant) mainstream media organizations have resulted in a mostly uncontested shared picture of the NSA’s work, though opinions on the legality, morality and efficacy of its efforts remain divided, to say the least.

This common picture of the NSA as the warden of the digital Panopticon is, however, woefully incomplete. Like a poor, single mother abandoned by the United States’ broken social security system, the NSA works two jobs. Unfortunately, unlike our hypothetical parent, the NSA does not put a good-faith, conscientious effort into both its jobs to the material detriment of other organs of the U.S. government, private corporations and, ultimately, the American people.

Most people don’t know that until as recently as two weeks ago, the NSA was divided into two parts — the Signals Intelligence (SIGINT) directorate (SID) and the Information Assurance directorate (IAD). The SIGINT directorate does all of the spying that people expect the NSA to be doing. The Information Assurance Directorate has a much less well-known mission — it aims to improve the security of digital information and networks controlled by U.S. entities, both public and private, from adversaries at home and abroad. Through its relationship with the National Institute of Standards and Technology, the IAD is tasked with providing assistance on the establishment of cryptographic standards for this purpose — indeed, the NIST is required to consult with the NSA on any new cryptographic standard being considered.

So how’s the NSA’s IAD doing on this front? Incredibly badly. Ludicrously, unconscionably badly. If the U.S. government was a basketball team, the NSA would be some sort of horrific amalgam of notorious free-throw bricking basketball players Andre Drummond and DeAndre Jordan — incredibly bad at a core part of what they’re paid stratospheric amounts of money to do.

How bad is DeAndre at shooting free throws?

DeAndre Jordan attempting to throw a ball in the vague direction of a hoop

That bad. The man gets paid ~20 million a year — you’d think he’d eventually decide to practice this essential component of the game for a couple hours each week. Maybe even, I don’t know, switch up his form a little? Do some meditation, perhaps. But no — he’s been quoted on numerous occasions saying that he isn’t open to changing his free throw form or doing anything different.

Pretty bad, right? Can the NSA really be anywhere close to this irresponsible? As it turns out, yes.

In the past three years alone, the networks of the US Post Office (USPS), the National Oceanic and Atmospheric Administration (NOAA), the Office of Personnel Management (OPM), the Army Corps of Engineers (CoE), the Department of Energy (DOE), the State Department, the White House, Department of Justice (DOJ), the Department of Homeland Security (DHS), the Department of Defense (DOD), and the FBI have all been breached, some multiple times, with sensitive information either leaked online or worse, unaccounted for. I will go through the circumstances and implications of each of these incidents in brief.

According to the FBI, the November 2014 USPS hack compromised the names, birth dates, addresses and social security numbers of 800,000 USPS employees. The FBI suggested that China was behind the attack, but they tend to say that whenever they detect a sophisticated attack they can’t trace. Why should you care about this if you aren’t a USPS employee? The USPS takes photographs of every letter and package mailed in or to the United States, storing these photographs digitally for 30 days. A breach of the USPS’ network could, if it hasn’t already, give data about every letter in the U.S. to a foreign government or some other dangerous entity. In addition, access to information about the identity and physical location of every mail carrier in the U.S. could allow the entity behind the breach to threaten, blackmail and otherwise coerce their way to physical access to sensitive communications.

The NOAA hack, which occurred in October 2014, could have given the entity behind it (again, China is suspected) the ability to cripple the U.S. weather forecasting network before or during a natural disaster, which would be disastrous on an epic scale. Moreover, the NOAA controls several high-definition imaging satellites which, if compromised, could provide imagery of sensitive military and civilian targets to domestic and international adversaries. Perhaps most scarily, the NOAA tried to cover up the hack — this suggests that there may be a large number of undisclosed breaches of government organizations just waiting to scare the shit out of us.

The mid-2013 Army Corps of Engineers hack compromised details of vulnerabilities in 79,000 U.S. dams as well as, among other things, estimates of the damage and loss of life in case of dam breaches for each site. This information could act as a roadmap for both digital and physical attacks on the U.S., resulting in the loss of billions of dollars in property and hundreds of thousands of lives.

The Department of Energy has been successfully breached at least 159 times in the last half-decade, most recently in 2013 when hackers compromised 14,000 employee personnel files. Access to DOE systems would allow intruders to, among other things, shut down power systems, overload power systems, shut down oil pipelines and, through access to the National Nuclear Security Administration, a semi-autonomous agency within the Energy Department, mess with the U.S.’s nuclear weapons stash. The Nuclear Security Administration experienced 19 successful attacks in the last four years. That’s right — hackers were able to penetrate the network of the organization responsible for the U.S.’s Nuclear Weapons 19 times. That isn’t to say they had the ability to launch weapons — indeed, exactly how deeply they were able to compromise the system is not publicly known — but the fact that it happened at all is alarming. Even the personnel file hack opens up people in charge of incredibly sensitive facilities to potential physical threats and blackmail.

In late 2014, sophisticated hackers thought to be affiliated with the Russian government broke into the White House’s unclassified email system and got access to some of President Obama’s email. Though this is not the considerably more secure internal email system used to disseminate classified information, communications sent through this system can often be quite sensitive — they may relate to exchanges with diplomats, policy discussions and the President’s schedule.

This intrusion was accomplished via an earlier hack, by the same actors, of the State Department’s email systems. It is suspected that these actors had access to the State Department’s unclassified email system for up to a year in what has been called the “worst ever” government hack by sources close to the State Department. The government took pains to clarify that this attack only affected the ‘unclassified’ email systems, but the White House’s 2015 report to Congress on Information Security reveals that zero percent of the State Department’s email systems, classified or otherwise, were configured to send encrypted messageszero. The information sent and received through these systems is incredibly sensitive — it deals with treaty negotiations, foreign intelligence, diplomatic reports and terrorist activity. A 2015 funding request to Congress for $10 million to re-architect these systems suggests that the State Department hadn’t allocated or been allocated a budget to fix known vulnerabilities in this already terrible system. Known vulnerabilities in an unencrypted communications system for classified information were ignored for budgetary reasons. When they shut down those email systems to try and fix those issues, officials at the Iran Nuclear Deal talks were giving out personal emails to their Iranian counterparts so that they could stay in contact. And people wonder why Hilary Clinton used a personal email account (note: let’s be clear — that was a shitty decision too).

In 2015, U.S. Secretary of Defense Ash Carter revealed that hackers suspected to be connected to those who breached the White House and State Department networks broke into the Department of Defense’s unclassified email systems. The extent of this hack is unclear, but obviously a Russian breach of the Pentagon could have severe consequences for national security, to say nothing of the implications for military operations in Ukraine, Crimea and Syria.

Finally, we have the hack to end all hacks, the biggest, baddest fish in a sea of nasty critters: the Office of Personnel Management data breach, an event so infamous and far-reaching in its consequences that it has its own Wikipedia page. The OPM hack, which was detected in April 2014 but had been going on undetected for at least a year, compromised the personnel files of as many as 21 million current and former U.S. Government employees, as well as anyone who has ever undergone a background check. What does the OPM do? Well, among other things, it stores all the information gathered from every single federal background check since 2000. This information includes but is not limited to interviews with friends and family, health and insurance information, financial details and biometric data such as fingerprints. If you’ve gone through a background check, this database contains the information about that STD you have that no-one knows about, the insane amount of debt you’ve accumulated, the school your kid goes to, that weird porn you watch. This is the exact data that a foreign government or evil corporation needs in order to blackmail or threaten high-ranking government officials gift wrapped and tied in a neat bow for, you guessed it, the Chinese. If you think I’m exaggerating, listen to Art Bowker (@Computerpo), one of the victims of the OPM hack. In an article for Fusion, he characterizes the OPM as

the agency that asks people who know you, “What do you know about this person that could be used to blackmail them?”

Not only does the OPM hack put federal employees at risk, it puts people close to federal employees who may not even know they were investigated as part of someone else’s security clearance at risk. Some back of the envelope math (~5 people affected for each personnel file compromised) puts the number of people affected overall at just above 100 million, about a third of the U.S. population. That is a staggering amount of people who can now be attacked in very personal ways by unknown enemies of the state.

This already sounds pretty terrible, right? Well, prepare yourself, because last week it got a lot worse. In late 2015, a hacker group called Crackas with Attitude (CWA) broke into the personal email account of CIA director John Brennan, which contained a significant amount of sensitive information, including his security clearance application. Earlier this year, a group called DotGovs broke into the Department of Justice network and released the names and contact information of 30,000 DOJ, FBI and DHS employees during the Super Bowl. This week, the U.K.’s South East Regional Organised Crime Unit (SEROCU), a law-enforcement organization affiliated with the U.K.’s version of the FBI, arrested someone in the British Midlands whom they suspect of being the leader of both CWA and DotGovs. This suspect is a sixteen-year old boy.

These hacks are just the tip of the iceberg. Beyond the ones listed here and others I’ve neglected to mention, there have almost certainly been a large number of undisclosed or, worse, undetected breaches that span the length and breadth of the U.S. government.

So, to recap, the NSA has, over the course of the past three years (to our limited knowledge) been unable to prevent breaches of the USPS, NOAA, OPM, Army CoE, DOE, State Department, White House, DOJ, DHS, DOD, FBI and CIA perpetrated by China, Iran, Anonymous, and, in at least two cases (though there were almost certainly more), a sixteen year-old boy in the British Midlands.

Take a bow, DeAndre — despite the futility of your efforts to put a ball into a hoop from more than a foot away, I don’t think there’s a sixteen year-old boy who can beat you one-on-one.

If I were the IAD, this wouldn’t seem like a good time to be getting cocky. This string of failures clearly requires a radical rethink of the IAD’s strategy and tactics. Fortunately, the NSA agrees with me on that front and has announced a massive restructuring of the whole organization. Not quite so fortunately, the NSA’s restructuring involves removing the division between the IAD and the SID and reorganizing both into a single Directorate of Operations.

The results of the SID’s work are classified, so there’s no way to know whether the billions of dollars spent on breaking into Facebook and Snapchat accounts has had much effect, though President Obama's own NSA Review Group came to the conclusion that much of the NSA’s SIGINT work is “not essential to preventing attacks”.

But one thing is indisputable — the SID’s mandate is at odds with that of the IAD. Clearly, if U.S. domestic networks, in particular the networks of private corporations like Facebook, Google and Twitter, get harder to breach, the SID has a tougher job getting the information it claims it needs. This is not a problem unique to the SID — various law-enforcement organizations in the U.S., most notably the FBI, are currently making the argument that the government should mandate the weakening of corporate encryption through backdoors in order to allow said organizations access to everybody’s information. The NSA, to its credit, has not made this argument, publicly staking out a pro-encryption position. In private however, things are very different.

Late last year, the world got a preview of what a more integrated NSA will look like with the discovery of a backdoor in various networking products sold by Juniper Networks, a company whose products are used by the U.S. government for the communication of classified data. This remotely-installed backdoor, likely inserted in 2012 and undetected for three years, allowed an unknown adversary to read all data passing through networks containing Juniper Networks devices. How’d they get in? With a little help from the good old NSA.

That’s right — the hack was accomplished by exploiting a flaw in a NIST-endorsed encryption system based on a pseudo-random number generator, DUAL_EC_DRBG, which was created by the NSA. This encryption standard was created by the NSA to be broken on purpose in such a way that, in theory, only they could access the backdoor cleverly placed inside. Matthew Green at Johns Hopkins has a great post on the technical details if you’re into that sort of thing — it’s really quite fascinating. In this case, the NSA let the SID’s mandate override the IAD’s on the assumption that they were right about nobody else being able to use their backdoor. Unfortunately for the NSA, they were wrong, and a sophisticated nation-state affiliated actor, probably China again, got access to a large amount of sensitive government information. Oops!

This is the equivalent of DeAndre Jordan, one of the worst free-throw shooters in the world, deciding that instead of trying to make his free-throws legitimately, he was going to try and aim the rebound so that it got to the hands of another player on his team, only to have the terribly aimed ball (go figure) bounce off the backboard straight into the hands of a player from the opposing team. If DeAndre Jordan ever did this, he would be benched by any competent coach, 20 million in wasted salary regardless. Luckily for the NSA, the Obama and Bush administrations have proven to be as terrible at disciplining it as DeAndre’s coach Doc Rivers is at judging the basketball talent of his son, human lowlight reel Austin Rivers, who is also a terrible free-throw shooter.

DUAL_EC_DRBG can best be understood as an extreme example of the NSA’s Nobody But Us (NOBUS) policy — if it finds, or in this case creates, a vulnerability that only it can exploit, it doesn’t believe it has an obligation to inform the affected company or organization of it, let alone reveal it publicly. As the Juniper Networks hack clearly demonstrates, the NSA is bad at deciding what kinds of vulnerabilities are really NOBUS. There’s a good reason for this — no vulnerability can be truly said to be NOBUS without incredibly detailed information about the capabilities every possible adversary that it would be practically impossible to have. To suggest otherwise is contemptible hubris which puts the U.S. at risk.

Unfortunately, this NOBUS attitude from the SID will likely overwhelm the IAD, if it hasn’t already, sacrificing the U.S.’s information security protection apparatus considerably at the altar of marginally improved offensive capabilities. This is obviously bad news for the U.S. government for obvious reasons — if your already ineffective drunken security guard decides to try and catch intruders by breaking into the houses of suspected burglars at night to figure out their plans, nobody’s watching your house, and your shit gets stolen. It’s also bad news for the U.S. economy, for reasons I’ll explain in a second.

The NIST’s job as the standards-setting body for information security is to recommend expert-verified techniques to U.S. corporations and private citizens. Hacks of U.S. entities may cost 200,00 jobs and upto 0.2% of the U.S.’s GDP annually. The Sony hack of 2014 cost the company at least $15 million alone. Data breaches of U.S. companies in the defense, pharmaceutical and technology industries, often by suspected Chinese actors (both state and corporate), have become par for the course, resulting in the theft of intellectual property worth billions of dollars.

If the NSA continues to compromise NIST standards before publication, it is likely that the vulnerabilities they create and cover up will help foreign and domestic adversaries exploit the systems of U.S corporations and individuals. More generally, if the NSA stops disclosing vulnerabilities that they find in existing systems, U.S. corporations will suffer huge economic and intellectual losses because of exploits which could have been prevented.

Moreover, customers that want their data stored securely or fear espionage of trade secrets will move their data out of the United States, with cloud technology companies potentially losing billions of dollars in business.

This is only the beginning — the coming wave of data breaches will have social and economic consequences we cannot even begin to fathom. The current state of affairs cannot stand. The U.S. Congress must act to create a organization solely tasked with the defense of information security in the United States which is independent of the NSA, does not take its orders from the Director of National Intelligence, and cannot be compelled to stay silent about any and all vulnerabilities that it finds. Most importantly, this organization cannot have offensive capabilities of any kind — no divided loyalties will be tolerated. The NIST, if freed from its obligation to consult with the NSA and granted significant additional funding earmarked for this purpose, could become this organization.

My native India can and should create such an organization as well. Indeed, in a world full of diverse and sophisticated technological adversaries, shifting national loyalties and tense geopolitical confrontations, it must be the duty of every nation to protect its citizens’ information, not leave that information more vulnerable for some marginal, temporary and ill-defined gain in intelligence gathering.

What the United States is doing now is akin to an NFL team throwing a huge amount of money at their quarterback, running backs and receivers but intentionally trotting out a defense composed of 12-year old quadriplegics. This attitude is both mind-bendingly backward and completely wrong — as Super Bowl 50 so vividly illustrated, defense wins championships.

Tweet
. . .

Soham Sankaran is not dead yet, much to the disappointment of incompetent government officials and that pizza guy he never tips.

Soham can be contacted at (his first name) [at] soh.am.

You can read more of his writing at soh.am/writes, follow him on twitter @sohamsankaran, and get new writing via email by subscribing below.