Information Security News mailing list archives

US National Security Agency (NSA) badly crippled


From: William Knowles <wk () C4I ORG>
Date: Mon, 23 Oct 2000 22:32:17 -0500

http://www.theregister.co.uk/content/6/14170.html

By: Thomas C Greene in Washington
Posted: 23/10/2000 at 14:37 GMT

Those accustomed to imagine the US National Security Agency (NSA) as
some guild of omniscient, malevolent hermits effortlessly deciphering
all the electromagnetic noise enveloping the modern world will be
bitterly disappointed to learn that its basic, functional competence
is in doubt.

While the Agency has been credited with miraculous achievements such
as monitoring every communication made by electronic means worldwide
with its famous Echelon system, there's reason to wonder if it will
even exist a decade from now.

Whistleblowers urgently needed

The NSA has got severe internal problems, long suspected but only
recently confirmed. Conspiracy paranoiacs will of course insist that
the Agency is leaking the bad news as part of a subtle plot to throw
us all off the scent of their shocking capabilities. But those who
understand the frailties of human nature will find it easier to
suspend disbelief, and even sympathise a bit.

Far from the perfectly-tuned "Mission Impossible" team of popular
myth, the NSA is in fact "an organisation ripe for divestiture; its
individual capabilities are of greater value than the organisation as
a whole. [Its] lack of leadership is responsible for... the complete
breakdown of the NSA governance process," according to an internal NSA
report dated 1 October 1999 and released on 17 October 2000 under a
Freedom of Information Act (FOIA) request by the journal Inside
Defense.

Meanwhile, an external audit summary dated 22 October 1999 and
released 17 October 2000 reaches much the same conclusion, noting, for
example, that the Agency's "leadership culture... appears most
interested in their positions and protecting their people's jobs at
the expense of accomplishing the mission."

The second study finds a veritable shopping-list of faults, among them
a "broken decision-making process; poor financial management; a broken
personnel system; inadequate business management, program management,
and system engineering; poor stakeholder relations, particularly with
Congress; and an inward-looking culture," all of which, the authors
warn, foreshadows "technology obsolescence, [a] gap with commercial
practice."

Low morale within the ranks brought on by an irrational system of pay
raises and promotions combines with general budgetary madness to make
the NSA appear "to operate like an entitlement program."

The Agency has got to integrate itself into the wider intelligence and
security community, which encompasses both government and private
business interests, in order to stay relevant - in order to survive.
But a legendary culture of secrecy and isolation makes that its single
most difficult challenge.

The "No Such Agency" culture appears to be the consequence of an
established environment of back-stabbing and cover-your-ass
indifference. The report found that "the present mindset fostered a
society where people were afraid to express their own thoughts. Even
though people spoke to us with true candour, they always wanted to
avoid attribution because of the perception that the information was
going to be used against them."

And of course, if these guys can't trust each other, there's little
reason for us on the outside to trust them either.

Both reports suggest images of a sinking ship on which no one dares
lower a lifeboat, or even mention the painfully obvious. The Agency
has created "a culture that discourages sending bad news up the chain
of command. [Yet] the staff knows NSA is falling behind and is not
properly addressing the inherent problems of the emerging global
network."

And if that wasn't enough, to top it off the House Permanent Select
Committee on Intelligence stated bluntly in a recent report that "Each
type of communication - radio, satellite, microwave, cellular, cable -
is becoming connected to all the others. Unfortunately, as the global
network has become more integrated, NSA's culture has evolved so that
it is seemingly incapable of responding in an integrated fashion."

It has fallen to the NSA's Director, Lieutenant General Michael
Hayden, USAF, to address these shortcomings as the Agency struggles
for relevance in the digital real world. During a recent NIST security
conference, Hayden outlined some of the changes he's already
implemented, chief among them a new merit-based pay system to attract
and hold talented employees, which the agency often loses in droves to
corporate head-hunters.

What did you do in the cyberwar, Daddy?

The General also spoke of NSA's role in cyber-defence, a seemingly
natural area of expertise. But the timing is unfortunate. As the
Hermit Agency struggles to recover from a crisis of mismanagement and
navel-gazing, other government bureaux are pressing it to take both
defensive and offensive roles in the anticipated cyber conflicts of
the near future. It ought to have made ready to do just that, but
clearly has not found the time.

"Many personalities in the [Department of Defence] would like NSA,
since it understands the technology, to become a combat element in
cyberspace. NSA is resisting this because it can lead to a series of
terrible legal quagmires and even more intense scrutiny than it
already gets from Congress," a senior US intelligence official told
The Register.

"Such roles would bring enormous legal, publicity, and other problems
that Hayden doesn't need right now. Thus, Hayden and NSA are
contemplating expanded offensive roles, but only insofar as they have
to study the issues in order to avoid being stuck with them," he
added.

But if the NSA is preoccupied with its own restructuring efforts, we
have to wonder who is going to respond if the US or its allies were to
sustain a serious information attack.

"The possibility exists that the offensive arm would solely be some
government element designated by the President to carry out a covert
action. Executive Order 12333 [signed by Ronald Reagan in late 1981]
allows the President to pick whoever he determines is capable of
fulfilling the task," the official told us.

While there is a working agreement to organise US cyber-defences by
the US Critical Infrastructure Coordination Group, chaired by National
Coordinator for Security, Infrastructure Protection, and
Counter-Terrorism Richard Clarke of the White House National Security
Council (NSC), one has to wonder if the spirit of cooperation might
not get lost in the sort of inter-agency rivalries one finds
throughout the US government.

"Yeah, this field has it also," the official told us, and "with a
strange 'religious' overtone -- many agencies are acting like they are
fighting to control the future."

The rapid growth and multiplication of interested parties in
cyber-defence - military, intelligence and law enforcement - provides
an excellent opportunity for empire-building, which could easily take
precedence over coordination and integration.

"We have a 'systems-integration' problem," the official observed. "Not
enough folks are involved; but much worse is the fact that what we are
doing is not well tied together due to the complexity of the technical
and organisational interrelationships."

So what we have is something of a paradox, with too many agencies
marching to their own drummers, and too few getting to the heart of
the problem, which is to exploit what each one does best, and then
integrate the parts into a rational cyber-defence strategy. Otherwise,
as the NSA's paralysing troubles illustrate, each player's individual
preoccupations are really just that.


*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

ISN is hosted by SecurityFocus.com