So Ellen Nakashima of The Washington Post reported today that Google and the NSA are partnering to ward off cyber attacks. You can read the article here.
I had missed this story until Richard Bejtlich talked about it on his excellent TaoSecurity blog. I like talking to Richard; he has a view into problems through his real-world job that I find valuable, and he has contributed much to the security industry, so I tend to keep up with what he is thinking about. I also love when I get to disagree with smart people, because I like to fight outside of my weight class. In that vein, these statements from Richard stood out:
"I expect to see a lot of protest from people who have knee-jerk reactions to anything associated with NSA. However, the article notes that NSA is trying to help defend Google against advanced persistent threat, which benefits Google's users."
and
"NSA can change this perception it will help them better defend American national interests."
He's dead right on both counts. There will be a ton of negative reaction to this announcement, and if the NSA could change their rep, life would be easier for them. Not that that would be a good thing. The most notable phrase from the article was this:
"But sources with knowledge of the arrangement, speaking on the condition of anonymity, said the alliance is being designed to allow the two organizations to share critical information without violating Google's policies or laws that protect the privacy of Americans' online communications."
What this seems to mean is that Google would share information regarding the attacks it has encountered and the NSA would provide remediation advice, information on trends in other APT-style attacks and recommendations on future defensive postures. There is nothing more powerful than data, both on offense and defense, so clearly both entities would benefit.
The nervousness that many Americans would feel is that, given the extreme secrecy under which the NSA operates, and given the fact that Google is, most likely, the largest store of information on Internet traffic patterns on the planet, there is simply too much risk in providing a venue for increased cooperation between them. Outside of the United States, I'd be even more concerned. The source only said there would be protections for "Americans' online communications". This leaves the rest of the world unprotected and implies that an infrastructure either is or will be implemented where tap-and-trace capability would be ported to the Google database. (I would be seventeen flavors of shocked if that wasn't already in place.)
But there is a problem with information in the public market. There is very little in the way of traditional market forces that would move organizations to share data on the attacks they are experiencing. I talked a little about this when Richard invited me to the SANS IDS What Works conference (do not miss that next year). There is a vast exchange of information and capability between attackers, yet there is too little in the way of active cooperation between organizations and companies that are likely to be, or have been, the target of high-capability attackers. Without sharing both information and capability, organizations stand alone against the threat. That leads to the situation Harlan Carvey described in his blog: "From the perspective of a historical military analogy, this appears to be akin to special operations forces attacking villages defended by farmers and shopkeepers."
So how do we do this? Now that we have realized that the threat the research community has been describing for many years is finally (well, we've finally noticed) at our doorstep, how do we harness the expertise of those who have been engaged in cyber warfare for years while still being comfortable that we aren't suffering from another dragnet surveillance program?
The NSA is one of the most powerful tools this country has to defend itself. Every day thousands of dedicated Americans walk across the parking lot on Fort Meade and enter a world of threats we don't see. Every day they bring us "silent victories" that we'll never hear of. There is heroism, sacrifice and dedication both in Maryland and around the world. Very few of us have any idea of how much we need them.
But today is a different world from when the information assurance role was given to the NSA (1981ish). In 1981, very few people understood what could be done, and most of that data was generated by the NSA as part of their offensive capability. It only made sense to have those few who were actually versed in the threat and the capability provide guidance and assistance to organizations critical to America. But today, there is simply too much of a threat in combining access to the information store that Google has with the secrecy and power of the NSA.
Remember, Google is run by the man who said “If you have something you don’t want anyone to know, maybe you shouldn’t be doing it”. So we have that attitude, an agency tasked with one of the most complicated, difficult missions on the planet, and a store of incalculable amounts of data. Why would we worry?
So let’s split that defensive capability from the NSA. The Department of Homeland Security (yeah, I know) has the National Cyber Security Division of the Office of Cyber Security & Communications. This is the organization that is tasked with defending this country. Moving the defensive role there would provide at least some distance between the sword and the shield.
TL;DR Version:
- We all need to talk more.
- NSA is awesome but scary.
- Google is awesome but scary.
- Let’s not do this.