Wednesday, October 4, 2017

Remove Cybersecurity from national spy agencies for everyone's sake. Weaving public safety responsibility into a secret and secretive operation causes conflicts of interest. 2017 NSA leaks show even the best intelligence agencies aren't invulnerable. - Emily Taylor, Chathamhouse.org

National intel organizations shouldn't be tasked with national cyber security. Aside from leaks, it's not in NSA's interest, for example, to make public everything it knows: "Had the NSA chosen to inform Microsoft of the vulnerability, there would have been no Eternal Blue, and no WannaCry."

9/18/17, "Take Cybersecurity Away From Spies-For Everyone's Sake," chathamhouse.org, Emily Taylor. "Emily Taylor is CEO of Oxford Information Labs and editor of the Journal of Cyber Policy."

"One of the core roles of intelligence agencies is covert operations. Weaving public-safety responsibility into a secret and secretive operation is always likely to cause conflicts of interest.

WannaCry was an example of a state-developed cyber weapon turned against its creators. The core exploit, Eternal Blue, is believed to have been created by the US National Security Agency (NSA), who presumably intended to keep it secret. Then, in April 2017, it was leaked, along with a suite of hacking tools targeting Windows PCs. The same leak contains powerful exploits that could be weaponised by state adversaries, organised crime or by anyone possessing basic technical knowledge - as we saw with the Petya ransomware attack in Eastern Europe. 

Had the NSA chosen to inform Microsoft of the vulnerability, there would have been no Eternal Blue, and no WannaCry. But intelligence agencies have a different motivation: they want to keep such "zero-day" vulnerabilities secret for potential development into a cyber weapon....

If security services could keep their secrets safe, perhaps none of this would be a problem. But the NSA's leaks show that even the best intelligence agencies are not invulnerable to hacking. Eternal Blue was published online by the mysterious group of hackers known as the Shadow Brokers, which began releasing secrets in 2015. Their drop followed a release by WikiLeaks of nearly 9,000 documents exposing hacks developed by the CIA.... 

Within intelligence agencies such as GCHQ, [British signals intelligence agency] it can be difficult to raise concerns internally, increasing the potential security threat from insiders. If an employee's legitimate worries aren't being heard, it could lead to whistle-blowing - with a disastrous impact on national security. 

Loading responsibility for public cyber-safety on to the intelligence services is bad for both public safety and national security. It also risks diverting resources and energies away from national security and covert operations. The WannaCry attack should provide an opportunity to separate two key roles: clandestine signals intelligence and the cyber security of...critical national infrastructure....The best way to start: make the National Cyber Security Centre (UK) independent from GCHQ (UK)." 

"This article was originally published by Wired Magazine" (UK)

...........................

Added:

"Presumably not even our cyber-security experts at the CIA and FBI know what the CIA and NSA’s cyber-warriors are up to....The intelligence community’s whispered “trust us, we’re the experts” simply isn’t good enough. If we don’t demand hard evidence, then we’re following the same path we took in 1898, 1915, 1950, 1964, and 2003. Let’s not go there."

9/29/17, "Russia-gate’s Shaky Foundation," Daniel Herman, Consortium News 

"We are handing over power to unelected technocrats and shutting down dissenting speech."

"It seems to me that we are in uncharted waters....We put enormous powers into the hands of unelected technocrats with their own biases and agendas. As others have noted, moreover, the cyber-war community is at odds with the cyber-security community....

I cannot say this loudly enough. This whole episode isn't about Hillary Clinton losing the election, or Russian hacking of the DNC, or Deep State bias and boss-pleasing. The upshot is that we are entering a cyber-arms race that is going to become ever more byzantine, hidden, and dangerous to democracy, not just because elections can be stolen, but because in guarding against that, we are handing over power to unelected technocrats and shutting down dissenting speech. We are entering a new era; this won’t be the last time that hacking enters political discourse....

Presumably not even our cyber-security experts at the CIA and FBI know what the CIA and NSA’s cyber-warriors are up to. Thus Russian hacking becomes “Pearl Harbor” rather than an unsurprising reciprocal response. Both the State Department and the CIA, after all, have been in the foreign propaganda business for decades; the American public, however, has not the vaguest idea of what they do....

The intelligence community’s whispered “trust us, we’re the experts” simply isn’t good enough. If we don’t demand hard evidence, then we’re following the same path we took in 1898, 1915, 1950, 1964, and 2003. Let’s not go there." (subhead, "Where we stand")
..........................
