New York Times anonymous source notwithstanding, it seems unlikely that North Korea is really responsible for the “Guardians of Peace” hack at SONY. It’s an interesting puzzle who exactly executed the attack, but never mind the facts. Who should we blame?
I say blame the NSA. Here’s why.
The NSA is chartered both to spy on our enemies and to protect ourselves. The offensive* mission traditionally produced espionage operations like ECHELON, while the defensive mission resulted in improved security standards like DES, SHA-1, and SELinux. The defensive mission also produced corporate partnerships to secure our commercial infrastructure.
(Which of these two missions sounds like Security to you?)
The problem is, these two missions are sometimes in conflict with each other. For example, companies around the world use the same networking equipment, so fixing flaws in that equipment helps make the US more secure, but it also makes it harder to spy on companies in enemy countries. Before 9/11, the balance seems to have been relatively stable, but in the Bush administration it shifted radically, as the NSA’s mission shifted from foreign espionage to domestic surveillance, presumably motivated by a desire to discover and monitor all the world’s angry young men. When your mission is to break into American companies’ computer systems inside the USA, there’s not much sense claiming to care about domestic security.
The result was a breakdown of the NSA’s traditional defensive role. Most pointedly, in 2004, the NSA invented and promoted the Dual_EC_DRBG standard, which was later discovered to have a mathematical “back door” that made systems that use it less secure, a stark contrast to the NSA’s previous standards proposals, which improved security.
More broadly, it seems that the NSA has been collecting exploits for widely used computer systems, and not informing the users or manufacturers. It’s like discovering a way to crack your hotel room’s safe, and not telling the hotel or the maker because if they fix the safes, you won’t be able to rob the other guests. This seems like a great strategy until someone else figures out the flaw, and robs you.
That’s what happened to SONY.
The NSA’s annual budget is estimated to be about $11 billion. Try, if you can, to imagine what it would be like if half of that budget were spent on making the computer security of all companies and citizens of the US and our allies better … and the other half were not spent on making that security worse.
Half the NSA’s budget is close to the entire budget of the National Science Foundation, which funds about 10,000 different scientific initiatives in the US every year. If that half of the NSA were wholeheartedly devoted to defense, I imagine we would see military-scale red-team efforts to find (and report, and fix!) holes in corporate infrastructure, deep funding of efforts to produce and invent suitable, secure consumer software and hardware, and thousands more things to strengthen our society’s digital infrastructure.
In that world, I don’t think SONY would be getting hacked so easily.
And I think to myself:
“What a wonderful world”
* I think this qualifies as a pun.