Trade Law Daily is a service of Warren Communications News.
‘Contrary’ to Last 20 Years

Long-Covert NSA Struggles to Share Information

SAN FRANCISCO -- The historically supersecret National Security Agency is seeking commercial technologies to allow easier and less expensive information transfers to those it works with, an official said. “We realize we have a problem, and it’s a sharing problem,” said Margaret Salter, technical director and senior advisor for cryptographic strategy.


The agency has the cryptographer’s reflex that “sharing is a bad thing,” and at times Salter’s funding of work that runs contrary to the principle has been seen as “insane” because it’s “radical,” she said at the RSA conference on IT security last week in San Francisco. “Interoperability and letting information flow is contrary to my last 20 years in government,” she said.

The NSA has been sharing algorithms for about five years to allow information flows, but the agency’s technology isn’t designed for interoperability, so the challenge has been difficult, Salter said. The agency has been trying a “security sharing suite” called Suite B that includes unclassified algorithms “good enough to protect algorithms,” but “it has turned out to be a marketing disaster,” she said. “Nobody likes Suite B,” starting with the name, which sounds like an inferior alternative.

The agency is working to get industry to adopt protocols and products under acceptable standards, Salter said. It has gone to the Internet Engineering Task Force and has written requests for comments, she said. The NSA is revising CNSSP-15, the national policy on using the Advanced Encryption Standard to protect national-security information and systems, “to be clearer what we mean” and “we're also trying to set the policy as an acquisition policy,” Salter said. “I've been talking with vendors.” Salter said she’s applying a rule that all information must be protected by two forms of security, especially in open transmission.

The agency is doing three demonstrations to make sure that going commercial would be workable and save money, Salter said. Proprietary boxes that it has historically provided collaborators for decryption “cost a lot, so I've got a lot to work with,” she said.

One demo is at what’s called a fusion center for statewide collection of information from local and state authorities for the National Counterterrorism Center, Salter said. Another is with the military’s Southern Command, for Central and South America, chosen as a large organization not tied up in a great deal of action, she said.

A wireless demo is being done slightly differently in four unspecified places, so law enforcement and emergency officials can tap into sensitive information when they need it, instead of being required to “keep it in their heads” after visits to collection centers, as now, Salter said. There’s an “unsolved issue” of how to make handsets secure enough, she said. “I just don’t feel good about the client device. That’s why I call this the ‘iffy’ demo. It’s also the demo everybody wants,” because of strong demand to use mobile devices instead of larger machines requiring power sources. “How much confidence do I have to have before I let someone wander around” with a handset carrying very sensitive information, Salter mused. “Who do I let wander around with it? … And how much money do I spend to make sure” that data that should be separated on the device actually is.

A Commercial Solutions Partnership Program is working on putting together sharing and protection “solutions” using technologies out of the “validated piece-parts pile” from the National Information Assurance Partnership between the NSA and the National Institute of Standards and Technology, Salter said. The pieces needed included virtual private networking, USB tokens, disk encryption, firewalls, antivirus protection and an operating system, she said. The government seeks input concerning requirements from the community of private experts, and “we don’t want any one vendor to rule it all” when the change goes commercial, Salter said.

RSA Notebook …

The U.S. Army’s cyberlaw chief supports internationalizing crucial Internet infrastructure to allow faster, safer responses to network attacks. “The main arteries” through which “most cybertraffic flows internationally,” such as Internet exchange and network access points and core routers, would come under the authority of an international body, said David Willson of the Army’s Space and Missile Command. Ownership and control would remain unchanged, he said. Willson has been promoting the idea in conference presentations and in articles in the Armed Forces Journal and the ISSA Journal. The U.N. probably wouldn’t work as the authority, but some other body might, he said. Willson said the main point is for countries under cybercrime or malware attack to be able to take prompt counter-action against the facilities centrally involved and then report it to the authority. Victims now are held back by international law and fear of retribution, he said. “You may be really pissed off at your neighbor,” but acting on the impulse “may have dire consequences,” Willson said. So victims’ typical response is to “detect, block, fix and smash,” he said. At the start, “they just sit there and take it,” Willson said, putting up with defensive network shutdowns he called “self-imposed denials of service.” Under his proposal Interpol could trace attacks more readily and additional filters could be put on critical gear, Willson said. Roadblocks to carrying out the idea are more likely to be political than technical, he said. The Department of Justice and Verizon officials have been unenthusiastic, Willson said. “If you're the big guy on the block, if you've got most of the control, you're not going to want to give it up.”