It is really damaging, but that's from a perspective that, as a superpower, they were benefiting from control and domination. The same perspective implies that the target was being damaged by these actions. Targets that are not always adversaries. Targets that could contribute if not being controlled, dominated, and damaged.
It's not easy to see, but damaging others denies them the contributions they could bring, ultimately damaging themselves.
Right, and I hope nobody thinks Russia or China are saints, because they use their technical abilities to suppress dissent in frightening ways.
While there's definitely a cyber war going on, you have to ask, why isn't the NSA actively disseminating knowledge to Americans on how to secure themselves? Why are they instead actively weakening encryption standards? America companies have the most to lose from weak encryption. It just doesn't add up, and the American people have enough confidence to call their government out, unlike countries who have allowed themselves to become pretty enslaved by their government, like China and Russia.
In summary, the NSA should participate in the global cyber intelligence war by educating the American public, instead of weakening them.
> why isn't the NSA actively disseminating knowledge to Americans on how to secure themselves?
In fact, the NSA is disseminating such knowledge. You can find guides to secure operating systems (Windows, Linux, and OS X) and commonly used applications (Chrome, Adobe Reader). To what I assume is the chagrin of the FBI, you can even find guidance on full-disk encryption.
>While there's definitely a cyber war going on, you have to ask, why isn't the NSA actively disseminating knowledge to Americans on how to secure themselves?
> they use their technical abilities to suppress dissent in frightening ways
I'm just going to mention so called "Fusion Centers", which have been used to investigate and disrupt the organization of The Tea Party movement and Occupy Wall Street but spare my usual rant. No it does not compare to Russia or China.
> NSA threatening domestic jobs, companies, individuals, and most of all innocents, that leads to an upset.
The NSA's view, and in fact several of the last presidential offices, is that these programs and capabilities are important for the country because they give American companies and domestic jobs a leg up.
"The National Security Agency/Central Security Service (NSA/CSS) leads the U.S. Government in cryptology that encompasses both Signals Intelligence (SIGINT) and Information Assurance (IA) products and services, and enables Computer Network Operations (CNO) in order to gain a decision advantage for the Nation and our allies under all circumstances." - NSA Mission Statement
> While there's definitely a cyber war going on, you have to ask, why isn't the NSA actively disseminating knowledge to Americans on how to secure themselves?
Because it is essentially impossible to secure yourself on the internet. This isn't a fine point. It's a blanket fact.
> Why are they instead actively weakening encryption standards?
They have a concept called "NOBUS" which means that the weaknesses they introduce should only be exploitable by them. DUAL_EC_DRBG, the goto example of an NSA backdoor, is a perfect example of NOBUS.
> In summary, the NSA should participate in the global cyber intelligence war by educating the American public, instead of weakening them.
Oh I agree. Actually if you look back Clinton and first term Bush era they kept proclaiming that there was a cyber intelligence war but it never really caught on. So they made it about 'cyber terrorists'. Nobody caught on. They made it about actual terrorists. Now we listen. I do hope that investments are made in defensive capabilities rather than offensive. The Obama administration released a series of strategic documents funding longer term research into the protection of domestic computer networks, programs and technologies. But right now you can't play the game of cyber intelligence war without attacking. When it comes to hacking, the attacker always wins. Just playing defense is a losing game.
> The NSA's actions since 9/11 have been more consistent with a power grab than any authentic desire to empower & protect Americans.
This has been going on much longer than since 9/11. PREDATOR and MAINWAY are examples of programs that existed years before the 9/11 attacks.
Thanks for the response. Sorry for editing mine while you were writing yours.
> Oh I agree. Actually if you look back Clinton and first term Bush era they kept proclaiming that there was a cyber intelligence war but it never really caught on.
Interesting point. Now, in the 90s, wasn't the government trying to prevent encryption from being used by the public though?
> When it comes to hacking, the attacker always wins. Just playing defense is a losing game.
Still, there are a lot of defensive measures the public can take from hackers. For instance, using OTR, Tor/VPNs, and moving sites to HTTPS whenever possible.
Bruce Schneier has an interesting metaphor for this period in human evolution. He compares the information revolution to the industrial revolution. At first, people didn't realize how bad pollution could be, amongst other things like food safety. Books like "The Jungle" helped prompt people to stand up for themselves and demand better, and healthier ways of conduct. Overall, humanity evolved to handle the new technologies and their side effects. Snowden's revelations are like "The Jungle" of our time.
> Now, in the 90s, wasn't the government trying to prevent encryption from being used by the public though?
Oh yeah. They did before the 90s, during the 90s and are also doing it now. We won some serious ground in the 90s, allowing us to use stronger algorithms. But companies are still required to keep copies of all of your encryption keys at the ready if they want access to your data. If you haven't seen it the FOIA requested document from the CIA posted here a week or so ago has a pretty good history.
> Still, there are a lot of defensive measures the public can take from hackers. For instance, using OTR, Tor/VPNs, and moving sites to HTTPS whenever possible.
These things do help, but minimally. OTR is good if you want some privacy on your chats. Tor is good if you want a little anonymity. Some baseline level of encryption should be standard everywhere. If you look at the extensiveness of the backdoors though these don't really matter. For example take the FBI mass exploitation of Tor this year. In many instances (Apple iPhone/Microsoft Skydrive/etc with PRISM), copies of data are stored directy from a partner's product for inspection, whether it was originally encrypted during transit or no. And computer exploits that target operating systems are able to see everything on your computer that you see.
> When it comes to hacking, the attacker always wins. Just playing defense is a losing game.
Firstly, why only hacking? What is true for a cyber-attack is true for a physical attack as well. Both sides lose resources in both types of attacks.
Secondly, the reason for defending something is because something is worth defending. If it has been defended in an unsuccessful attack, that is a win.
And thirdly, the thing being defended often includes a higher-moral-ground. Resorting to attack is a definite loss for the defending party.
> why only hacking? What is true for a cyber-attack is true for a physical attack as well.
A couple reasons. One is that 0day vulnerabilities have no defense. There is no way to defend against certain vulnerabilities.
The second is that there are no international rules of conduct that apply to cyber warfare. After the Georgia/Russia event there was an effort to pass agreements in NATO but AFAIK nothing came of it.
The third is that that a successful attack usually means the victim remains in a compromised state for months or years (look up advanced persistent threat).
Finally, it's also usually the case that cyber attacks go completely undetected.
> the reason for defending something is because something is worth defending
Right, well the NSA does engage in defense as well. There's just less that can be done. There are hundreds of millions of devices in America with an extremely long tail of software/update state and configuration, saying nothing of networks. There's a ton to protect and even protecting small amounts is costly. This is one of the main reasons companies (and governments) are looking to the cloud - you can consolidate your threat area if you concentrate operations and run broadly the same configuration/state across many systems.
> thing being defended often includes a higher-moral-ground
But this is espionage and sabotage. It's dirty business. I don't think it's a good thing. I don't really advocate for it. I'm just here explaining the broader context of the Snowden disclosures and this article. If you missed it there was a link containing 37 other countries that have cyberwar programs (the list is not exhaustive).
I actually condone a lot of the NSA's activities, but I take serious issue with:
-Warantless surveillance of US citizens (this is bad whether it's by law enforcement, intelligence agencies, or anyone).
-Infiltration of foreign companies in allied or neutral nations purely for economic or geopolitical insight, not for military purposes (Brazil's Petrobras oil company, all sorts of spying in Germany and Norway and other places).
Personally I'm all for the kind of operations they're conducting in Iran and China, as these countries have been doing the same to us and to others for a long time. But they've become far too greedy in their desire for information domination and power, to the point where there is clearly no line that shouldn't be crossed. To them, if anything anywhere in the world is open for exploitation or surveillance, then they feel like they have a right to use it.
> Warantless surveillance of US citizens (this is bad whether it's by law enforcement, intelligence agencies, or anyone).
Agreed very strongly.
> Infiltration of foreign companies in allied or neutral nations purely for economic or geopolitical insight, not for military purposes (Brazil's Petrobras oil company, all sorts of spying in Germany and Norway and other places).
See this is where the NSA really shines. We (The US) delayed Iran's nuclear program by THREE YEARS with Stuxnet! Three! And after they finally figured out it was sabotage the US and Israel had the director assassinated for further delays.
Having Merkle's cell phone? During the Eurozone crisis? It would have been awful (financially) for the United States not to have that information. It's fun to look back and read the confused reports during the time "European Union suffering considerably from Eurozone crisis; America sees only limited effects."
PETROBRAS? We won offshore oil drilling locations because we had that information. Energy security for the country going forward decades.
Unfortunately geopolitics are important and you can't just not participate. Hacking is (one important way) that modern espionage, surveillance and sabotage are done.
It seems you've decided that US hegemony is a "good thing" regardless of the moral implications for ourselves and the world. However, some find actions like the following to be dangerous, immoral, unnecessary:
* "the US and Israel had the director assassinated"
* "we won offshore drilling"
* the blase assertion that a nuclear Iran is any worse than the existing nuclear powers (especially Israel!!!)
"Energy security" is oil company nonsense, hilarious considering their tireless efforts to block any kind of clean alternative. The OPEC crisis saved us from gas guzzlers, and now we're back to having SUV's everywhere. We could use some "energy insecurity" but with fracking we're now an exporter. Oil forever!! Climate be damned.
I disagree also with attempts to close off the discussion by saying "geopolitics are important." The US does not have to subvert governments, install dictators across the globe, prop up Saudi Arabia, blindly support Israel, be the muscle for Big Oil (and assassinate and imprison folks at home, too).
The moral hazards that have created this situation are to blame, but it doesn't help that our leaders are as a group paranoid and uncreative, all too willing to let militaristic fascists (accurate, not name-calling here) drive their decision-making.
Edward Snowden is a hero, full stop. You can't do enough damage to the NSA, these types must be resisted at all times.
I'm trying to explain broader context. The US is not hacking in a vacuum. It has to make strategic decisions. We can arm chair the US strategic command all we want.
There seems to be a presumption that the US is doing these things 'just because'. What I believe is that the US is making decisions based on incentives, costs, benefits and other tradeoffs. I believe that if we don't participate in cyber intelligence warfare, we'll lose.
There are certain principles I don't want to give up in the process for sure - civil liberties of all people everyone is #1.
Presumably, I could better my negotiation position on pretty much any deal by spying or sabotaging the other party. Say I am negotiating a salary offer from a company, having access to the CEO email and that of other key decision makers (even just the prospective team and the HR reps) would presumably give me information I can use to secure a higher comp package, no? Without disrupting their operations in general, if I don't make a mistake in the process.
Is the previous an ethically valid way of conducting business? Should I not expect to be scrutinized if/when I got caught doing that, because it might imperil my interests? If I do the same, not for me but for a collective (a company, a union), would that be any less unethical? If not, why would it be different if I did it for my country?
Why is it that we consider that sort of behavior pathological for individuals, criminal for organizations and "just the way things are" when talking about (advanced, inter-dependent, presumably-friendly) nations?
These are all really good questions and I don't have answers other than to say there's a 'prisoner's dilemma'/'tragedy at the commons'/'cold war' situation. If you do no espionage and no sabotage, even though it is a higher moral ground, you don't exist for very long as a country.
Except I suspect many countries actually do without effective espionage or sabotage, if only because they lack the capability.
I guess you can argue that many of these countries rely on allies who perform espionage and sabotage, thus benefiting from those activities despite not doing them themselves. But that still means that closely-aligned countries can survive without spying on each other. I might not have all the facts, but it seems unlikely that Germany or Brazil would be considered an existential threat to the US in the foreseeable future, so why spy on those countries? Slight economic advantages don't seem to justify the breach of ethics.
I guess I can see what you are saying and I don't think we can have a world without spying any time soon. But that doesn't mean all international spying is justified.
Having Merkle's cell phone? During the Eurozone crisis? It would have been awful (financially) for the United States not to have that information.
The cost of this sort of machiavellian policy is of course the opprobrium of former allies and friends, and a loss of moral standing.
The US loses a lot of soft power if it chooses this route, and the consequences will be felt for decades in mistrust and distance from her allies. A dangerous course both for the US and for the world.
I fluxuate with how I feel about it (it = 'machiavellian policy'). I'm not going to defend US policy in this case, nor claim to understand all of the nuances required to make global strategic geopolitical decisions.
But I will say that the NSA's perspective is that: it is only because of the Snowden leaks if we have lost face with allies. To the NSA, the secrets were kept well enough until Snowden and friends disclosed them.
This is my basic issue with this article. America and the NSA ate mud pie for the actions disclosed in the leaks. This article has the very real possibility of doing a lot more damage. One could say it is good because justice has been served, but one could also suggest that it is bad because similar disclosures of German surveillance programs (a touchy subject given the history), Chinese capabilities, Russian objectives etc haven't been disclosed by a Snowden-like actor.
Really the whole situation is bad. I don't like being at war, cyber or otherwise.
This is my basic issue with this article. America and the NSA ate mud pie for the actions disclosed in the leaks. This article has the very real possibility of doing a lot more damage.
Not because of the leaks, but because of their actions. That's an important distinction.
If you take actions like this, you should be prepared for them to be exposed, and if you use the argument the NSA and you yourself have made here (it would be ok if we were evil and no-one knew about it), you should expect no one to trust you. You've just declared yourself untrustworthy and a bad ally in perpetuity, because you think this is ok as long as no-one knew about it.
> Not because of the leaks, but because of their actions. That's an important distinction.
Right. I agree with that. There's actually sort of a boolean AND. Because we did them AND we got caught.
My guess is that all major players are doing the same stuff and that if the US doesn't participate it loses. I doubt the US hacked Germany on a whim - I bet it was a pretty labored decision with cost-benefit analysis (one being chance of getting caught).
>But I will say that the NSA's perspective is that: it is only because of the Snowden leaks if we have lost face with allies. To the NSA, the secrets were kept well enough until Snowden and friends disclosed them.
Of course that's their perspective, as is the perspective of anyone committing an embarrassing or morally unscrupulous act.
"The thing I regret most is getting caught."
Secrets of this nature have a tendency to leak. If it wasn't Snowden, it could've been anyone else.
I don't think all of the NSA's capabilities or actions should be leaked, but reporting of confirmed infiltrations of US and allied companies and systems is fine by my book. All's fair in love and war, but we are not at war with Germany or Brazil or, hopefully, ourselves.
Could you provide direct citations or quotes of allied countries infiltrating our government or private infrastructure? Excluding Israel, because they have the same mindset as the NSA/CIA (in which case I also don't take issue with us hacking Israel).
If your excuse for doing plainly immoral things is 'geopolitics is important', where do you draw the line? Your excuse can be used to justify pretty much any form of self-serving barbarity. How about if we just don't do evil shit and deal with the lack of an ill-gotten advantage? Works well enough in everyday life (assuming you aren't a mafioso). Why hold people who work for government agencies to such a pitifully lower standard of decency?
>See this is where the NSA really shines. We (The US) delayed Iran's nuclear program by THREE YEARS with Stuxnet! Three! And after they finally figured out it was sabotage the US and Israel had the director assassinated for further delays.
I'm honestly okay with this (except for the assassination part, though it was speculated that was Mossad and not US).
The other things though are simply to gain an unfair advantage in political and economic situations, even against countries that are supposedly our allies. Realistically, these things happen all around the world and have been forever, but ethically I don't think it's a good thing for the NSA or CIA to be doing.
It is on the face of it ridiculous to say "everybody has a blue-water navy." It is equally ridiculous to say "everybody runs surveillance comparable to the NSA."
Page 123 of the documents released in Glenn Greenwald's "No Place To Hide" lists at least 37 countries (that the United States has cyber partnerships with).
Of those 37 countries, only a minor fraction have the budget to operate the way NSA does. That leaves approximately 160 other sovereign entities. Let's say half of them are despotic and don't count. That leaves 80. Out of those I'd wager that more than half are have governments too under-resourced to have the ability to put their people in the kind of panopticon Americans live in. In other words there may be hundreds of milllions of people who are more free than Americans. Who are not fearful Hobbeseans suckling at NSA'a teat. Somehow, those people have not yet succumbed to "terrorism" of whatever the scare du jour is.
>Of those 37 countries, only a minor fraction have the budget to operate the way NSA does.
There will be differences in cost and budget for each nation. The United States has 25% of the world GDP (compared to 4%) of the population. That we can afford to fund the Lamborghini of intelligence operations isn't to discount other states that have less well funded capabilities.
You'll see plenty of parallels with traditional warfare: like that countries with smaller budgets ally themselves with countries that have more capabilities.
> Let's say half of them are despotic and don't count
Let's not. Those are some awfully large numbers for one. But more fundamentally why don't the armies and intelligence capabilities of tyrannies count?
> Out of those I'd wager that more than half are have governments too under-resourced to have the ability to put their people in the kind of panopticon Americans live
The nice thing is that surveillance, if done right, is reasonably cheap. Many other countries, especially in the ones you 'don't count' have laws preventing citizen use of any reasonable encryption whatsoever.
I'm not saying it's retribution, I'm saying it's shortsighted to consider it damaging to themselves and be okay with the damage that was detailed in the leaks.
I'm not okay with either, but being blind to others' "suffering" doesn't get my sympathy. In this order of events, your sympathy gets mine. In this case, you pointing the finger at others hacking innocents as a justification for hacking innocents makes me entirely unsympathetic to your "damage". See how that works?
It's not easy to see, but damaging others denies them the contributions they could bring, ultimately damaging themselves.