Why the NSA should be considered a hostile agency

When an agency with security in its name chooses to exploit a security exposure rather than fix it, we have a problem, writes columnist Rob Enderle.

This last week we had yet another NSA event. This time it was the leak of advanced tools that could be used to exploit unreported defects in networking gear from U.S. manufacturers. This seems to further reinforce a position by a variety of U.S. agencies to focus on breaking into things rather than helping to secure them. However, given that these break-ins are largely illegal and this practice appears to be doing massive damage to the technology market, not to mention exposing our firms to attack by a variety of nasty players, shouldn’t these agencies be reclassified as hostile?

I think the current mindset of these government agencies is foolish and puts not only our firms and customers at risk, but the nation itself. Let me explain.

Arrogance

At the core of this appears to be an incredible arrogance that product defects can be discovered only by the NSA. There is nothing I’ve seen that suggests the NSA is substantially more capable than the collective efforts of large hostile or friendly governments, large criminal organizations, or a variety of technology schools -- both domestic and abroad.

This suggests that if the NSA can create tools to exploit these defects, so can those who are hostile to the U.S., and it is arrogant to believe otherwise. Of course, even if that weren’t true, these constant leaks point like neon signs to this approach, making it far more likely someone will do the U.S. harm as a result.

Tactical thinking

I think much of this is due to tactical thinking where someone trades off an easier path to do their job for the larger strategic problem of critically damaging the U.S. technology industry and opening the nation to attack.

Let’s use Lockheed as an example. Let’s assume a government agency discovered a problem with Lockheed’s avionics package where a signal could be sent that would cause Lockheed planes to crash, but they kept this secret in case the U.S. were attacked by these planes so they could push a button and stop the attack. But given the U.S. uses more of these planes than anyone else, this defect would wipe out much of the U.S.’s airpower so it would be incredibly stupid not to report it to Lockheed so it could be fixed. This would be doubly true if it became known that the U.S. had this power because foreign governments would stop buying Lockheed jets.

We are already highly networked and are aggressively moving to everything from autonomous cars to smart cities that all rely heavily on U.S.-sourced technology to keep them running and the folks that use them safe. Leaving a defect unreported in the hope it could be used for illegal spying in exchange for the potential to bring the nation to its knees would seem to be a stupid tradeoff. In addition, it also appears to be the one that the nation is making, including the part where it is killing sales of U.S. technology products.

Security

At its heart these decisions suggest ineffective oversight in the U.S. government. It isn’t at all unusual for any agency, public or private, to act in ways that enhance its mission. Nor is it unusual for them to prioritize a benefit for them over a larger exposure for the company or nation.

This is why you have things like internal audit and compliance so that, when this happens, the executive in charge can be caught and disciplined for putting his needs over those of the organization he works for, or in the case where an organization misacts, over the needs of the investors, customers, or, in this case, the citizens.

When do we say enough is enough?

An agency with “security” in its name should have security as a priority. This means such an agency should be working to assure we are secure, and that should be more important than finding ways to break into things. In short, when given a choice between doing something that fixes a security exposure for the nation and exploiting that exposure, the choice should naturally fall to fixing it.

The fact it currently doesn’t suggests there is something seriously wrong in the U.S. with the concept of security, the understanding of technology, and the related oversight in the NSA, and for the sake of the nation we need to say enough is enough and get it fixed.

If we don’t, and we continue down this path of connecting everything, there is a real likelihood that this practice will have national catastrophic consequences. Bottom line: There should never be a case like the one that appears to exist today – one in which a U.S. agency appears to be a greater security problem than an asset. Fixing this should be a higher priority than it obviously is.

Rob Enderle

CIO (US)