Mounting backlash against National Security Agency spying practices is now coming from sources as varied as security expert Bruce Schneier, former Reagan-era budget director David Stockman and high-level representatives of European countries.
Fallout from Edward Snowden's bombshell accusations about spying and cyber-attacks carried out by the NSA sent agency director Gen. Keith Alexander to defend the outfit's surveillance practices before the House Intelligence Committee Tuesday.
[QUICK LOOK:The NSA Security Quagmire]
Gen. Alexander was accompanied by high-level officials from the NSA, the U.S. Department of Justice and Office of the Director of National Intelligence who also answered questions from Congressional lawmakers who were mainly worried about how NSA mining of data on phone records collected and held by the NSA might impact the privacy of American citizens. Gen. Alexander staunchly defended NSA surveillance, saying it's focused on catching terrorists abroad and that 50 terrorist attacks had been foiled with NSA-collected information. He added that any concerns about terrorism arising from associated domestic phone-call records is handed over as tips for the FBI to handle.
Regardless of such claims, vocal critics in recent days include former Reagan-era budget director David Stockman, who yesterday called Snowden's revelations a "wake-up call" to repeal the Patriot Act that allows the NSA data collection. Among other voices heard, security expert Bruce Schneier, in an opinion piece on CNN.com, pointed to Snowden's accusations that the NSA has conducted tens of thousands of secret cyberattacks on "foreign networks." Schneier wrote the NSA had ushered in a "cyberwar arms race, an arms race that will define the Internet in the 21st century."
With Gen. Alexander seated before them to testify at yesterday's hearing in Congress, lawmakers expressed worry about the NSA holding a vast trove of information related to telephone call records on Americans. Alexander said the NSA is open to alternatives that might involve not holding phone records handed over from the major carriers but instead perhaps going into carrier systems to get it when needed. Alexander also acknowledged that Snowden, the leaker of the secrets who worked as a NSA contractor supplied by technology consulting firm Booz Allen Hamilton, had inflicted huge damage on national security.
Responding to a question from Rep. Terri Sewall (D-Ala.) during the hearing -- "How did a relatively low-level systems administrator have this classified information?" Gen. Alexander said that's still being investigated.
The 29-year-old Snowden had been working in a systems administrator role in Hawaii for three months as a NSA contract employee supplied by Booz Allen. Snowden this month began leaking NSA secrets through the Guardian and Washington Post, and then went public, saying he was in Hong Kong and wanted to defend himself in court there against any U.S. criminal prosecution. Booz Allen fired him on June 10.
Yesterday, Gen. Alexander said as an administrator, Snowden had access to web forums the NSA uses which rely on use of digital certificates for security and had obtained some information he leaked publicly that way. The NSA is examining an audit trail to try and find out exactly what Snowden did. In the future, the NSA appears likely to adopt a two-person control approach toward any sysadmin tasks as a security measure to prevent the rogue admin problem that Snowden represents.
There are about 1,000 systems administrators at the NSA working in similar capacity and "the majority are contractors," said Gen. Alexander. He suggested this outsourcing had occurred as part of cost reduction, but added that "the mistake of one contractor should not tarnish all the contractors" and that in addressing the problems, be "careful not to throw everyone under the bus."
Snowden's sysadmin job and his data-spilling actions are prompting many security vendors to see it all as a cautionary tale. Eric Chiu, president and founder of Hytrust, said sysadmins often have the "keys to the kingdom." And whether you think of Snowden as hero or villain, "the truth is that, by his own admission, his technical authorities' gave him enormous power," Chiu notes. The security company chief says the lesson for business is to recognize that what happened to the NSA can happen to any organization -- adding Booz Allen, which does a lot of work for the government, may face long-term damage to its reputation.
Snowden has claimed he had access to the rosters of everyone working at the NSA, the entire intelligence community and undercover assets all over the world. Yesterday, Snowden said that NSA analysts can gain access to the content of U.S. targets' phone calls and email messages without court orders.
The NSA's woes are also becoming the woes of U.S. industry, with Facebook, Yahoo and Google, for example, trying to provide assurances to their customers about how much data they give the NSA based on legal requests they get. As more is learned about the NSA's role in demanding information from U.S.-based companies and service providers, it could result in a growing aversion toward using U.S.-based service providers. And it could eventually be assumed that others countries with known surveillance efforts, such as China, may have similar data-sharing relationships with local companies. It's all leading to a sense of increased nationalization of the Internet and high-tech companies.
NSA's role in leading the U.S. Cyber Command
The Ft. Meade, Md.-based NSA does not only undertake surveillance based on collection of phone records and the data collection program called Prism, which involves making requests for customer multi-media data from Google, Apple, Microsoft, Yahoo, Facebook and other U.S.-based service providers. The spy agency is also the center for America's cyberwar defense and offense in running the U.S. Cyber Command.
Snowden last week accused the NSA, somewhat vaguely, of conducting 61,000 cyber operations globally to penetrate foreign government, university and business networks. Snowden has also said, "We hack huge Internet backbones -- like huge Internet routers, basically -- that give us access to the communications of hundreds of thousands of computers without having to hack a single one."
Security expert Bruce Schneier, who finds Snowden's stance and leaked documents credible so far, yesterday expressed outrage against what it appears the NSA and its Cyber Command is doing. "The NSA and the U.S. Cyber Command are basically the same thing. They're both at Ft. Meade, Maryland, and they're both led by Gen. Keith Alexander. The same people who hack network backbones are also building weapons to destroy both backbones."
Schneier noted that last March in a Senate briefing, Gen. Alexander had alluded to creating more than a dozen offensive cyber units. Schneier pointed out that author James Bamford recently described an NSA system and applications that can display where NSA has penetrated into networks worldwide, and custom-design exploits that can be used against them.
Is this all laying the ground for acts of war or even an act of undeclared war? "That's the key question: How much of what the United States is currently doing is an act of war by international definitions? Already we're accusing China of penetrating our systems to map military capabilities that could be exploited during a crisis." Schneier writes in his opinion piece on CNN.com.
"All this mapping of vulnerabilities and keeping them secret for offensive use makes the Internet less secure, and these pre-targeted, ready-to-unleash cyberweapons are destabilizing forces on international relationships," Schneier concludes. "Rooting around in other countries' networks, analyzing vulnerabilities, creating back doors, and leaving logic bombs could easily be construed as an act of war. And all it takes is one over-achieving national leader for this all to tumble into actual war."
Schneier adds: "It's time to stop the madness." Though the military needs to invest in cyberwar capabilities, there needs to be some kind of international rules of cyberwar and more transparency from the U.S., he concluded.
In an interview with Network World in April before the Snowden scandal erupted, Booz Allen Vice President Dr. Ron Sanders, former associate director of national intelligence for the U.S. government, said Gen. Alexander's efforts to hire 4,000 or so cyber-specialists for the U.S. Cyber Command is likely to involve a training effort that could run three years or more. In April, he said the challenge for the U.S. is that the Cyber Command will be competing against private industry which is also hiring security specialists.Former Booz Allen employee Snowden's public disclosures about the NSA, which violated his oath of secrecy, have split public opinion. Some consider Snowden's actions a betrayal of national security with no redeeming value, while others regard Snowden as something of a hero for exposing the U.S. role in cyber-espionage and cyberattacks.
It's provoking strong sentiments, as when David Stockman, former Congressman and later director of the White House budget under President Ronald Reagan, yesterday said publicly he thinks Snowden's revelations about the NSA make him "heroic."
"He's done a great service to this country," said Stockman. He said it all constitutes a "wake-up call" to repeal the Patriot Act, passed after the 9/11 terrorist attacks, that allow this data collection and compel U.S.-based industry to comply. Stockman said he had his own fights in the past over budget with the military and industry supporting them. He said the current data-collection practices of the NSA are "an absurdity" and excessive in terms of both cost and loss of privacy, representing a "danger" to the country.
The revelations about the NSA are having an impact around the world, with the most forceful objections coming from European countries such as Germany which have strict data-privacy laws. But one source familiar with intelligence collection practices who wishes to remain unidentified said what the NSA is doing in terms of surveillance and network infiltrations is also practiced by the governments of Russia, China, Great Britain, France and Israel if not several others. The U.S. public, he notes, is upset when terrorists slip through the net because law enforcement "failed to connect the dots." But he points out, it's tools the NSA uses, like the collection of phone records, that make "connecting the dots" possible.
Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail: [email protected].
Read more about wide area network in Network World's Wide Area Network section.