by devit 3885 days ago
Looks like free enterprise has introduced a tax on people who fail to secure their systems against untargeted attacks and fail to make backups.

One also wonders what's the point of all NSA's "SIGINT" efforts if they can't or won't use it to catch such usually foreign actors, so maybe they also introduced an argument against mass surveillance.


The NSA isn't interested in defensive work these days. As Dan Geer explained[1]:

    I suggest that the cybersecurity tool-set favors offense these days.
    Chris Inglis, recently retired NSA Deputy Director, remarked that
    if we were to score cyber the way we score soccer, the tally would
    be 462-456 twenty minutes into the game, i.e., all offense.  I will
    take his comment as confirming at the highest level not only the
    dual use nature of cybersecurity but also confirming that offense
    is where the innovations that only States can afford is going on.
This is a serious problem, not only from the problems of intelligence agencies with many powers and poor oversight; ignoring defense is going to bite a lot of people in bad ways. We are already seeing the beginnings of this with the escalating impact computer-based attacks are having on their victims.

I also recommend considering Jacob Appelbaum's response to this question[2] from the audience - from someone currently working for the NSA. The summary is that we need people doing NSA-style work, but on the defense side, and we need it now. If the NSA isn't doing that, then maybe people that want to actually protect their country should find somewhere else to work that is actually working on defense.

[1] https://www.youtube.com/watch?v=nT-TGvYOBpI#t=478

[2] https://www.youtube.com/watch?v=n9Xw3z-8oP4#t=4027

I assume part of the problem is that it is hard to quantify successes or wins in defense.

What is a good way to protect against ransomware? Symantec buries the lede with the answers (possibly because of conflicting business interests) which are

1. Limit end user access to mapped drives

2. Deploy and maintain a comprehensive backup solution

http://www.symantec.com/connect/blogs/ransomware-dos-and-don...

But really, how do we justify spending thousands of dollars on hardware? I hate myself for saying this but there are real risks of doing too much as well. We could have our own mini tyrannical regime of secure computing a la the TSA security theater.

Effective user education is challenging. Even developers are prone to use elevated user permissions where none is strictly required just for the sake of convenience. I know I've found myself right-clicking visual studio and clicking "Run as administrator" reflexively after just a few months of working on ASP.NET and IIS.

This is a little off-topic, but I imagine the whole funding offense vs. defense might be a little more "natural" than we like to admit. Imagine you're a defense manager and there's this other guy who is an offense manager. Just as a football analogy, how do you justify your team's worth when the other team says that there is no good way to quantify the worth of the work you're doing and there is a good way to quantify their team's work? I guess what I'm asking is how do we put a dollars-and-cents value on defensive cyber security? Can we just ask "How much does the business stand to lose if we lost all our data to ransomware or, worse, to a competitor?" or would business think that is overreaching?

> The NSA isn't interested in defensive work these days.

Hasn't "a great offense is always the best defense" always been the name of the game? We've gone from fists, to stick and rocks, to spears, to swords, to Greek Fire, to gunpowder, to nuclear weapons. Why not now be the ones to own the power to take down any computer or network?

Great efforts in defense aren't necessarily successful or rewarded either, e.g. Reagan's "Star Wars"/SDI https://en.wikipedia.org/wiki/Strategic_Defense_Initiative which was widely criticized and failed miserably.

While cyberdefense is not in the same unrealistic realm as SDI was in the 80s, the ways that most people think about security - firewall on the perimeter and/or securing each node, pen testing, patches, and locking down what can be installed/used - don't really solve the problem of having a wide attack vector. Imagine if you could shoot a single soldier out in the field and it would kill his/her whole battalion, the base in which he/she was stationed, and perhaps destroy or weaken the entire army or even armed forces to which he/she belonged? That is the situation now.

Playing ultimate defense requires much more isolation. We shouldn't be on the same network, we shouldn't always be connected, and we should really limit how the outside world can affect each node. That isn't often the case with the networks we have currently.

  Hasn't "a great offense is always the best defense"
  always been the name of the game?
An air offence against an airfield can put a billion dollars worth of planes out of operation permanently.

There's no cyberattack equivalent of that - it's not like bricking a few $1000 PCs would disable foreign cyberattack capabilities.

Only a billion? This is the USA in 2015 we are talking about. A single F-35C costs a third of a billion dollars. So you are talking about 3 planes.

Exactly my thoughts. NSA was supposed to provide measures to protect the network of the government. But see the OPM's breach as one example.

Seems NSA is obsessed with penetrating everywhere using 'terrorism' as a means to ensure continued funding. Thus the 'defense' nature is quite boring and sadly ignored.

This talk by Dan Geer is really great. Worth watching, or reading [1].

[1] http://geer.tinho.net/geer.blackhat.6viii14.txt

SELinux and SE for Android are two examples of NSA doing defensive work recently. Also NSA's Information Assurance Directorate puts out guidance[1]. But as to the level of investment in offense versus defense, you'll have to draw your own conclusions.

[1] https://github.com/iadgov

SELinux made its public debut seventeen years ago, so it's not the best example of "recent" defensive work done by the NSA. ;)

To speak about SE for Android: I'm not sure how much weight I would lend to a few NSA employees helping Google/AOSP create SELinux profiles for Android. (It is recent work, though!)

I'm fairly certain that I would lend a lot of weight to public efforts to harden systems against the kinds of attacks that their TAO division launches.

Just like the Brits could have used the cracked Enigma code to stop each and every German operation during the War, they refrained from doing so and used it only for very specific situations (in order to avoid their cover being blown).

Expect the same behavior from the NSA. They will use their power first and foremost whenever it benefits themselves, not to protect all citizens or corporations.

Um, what?

The Brits acted sparingly using the cracked Enigma code precisely because they were trying to protect as many citizens as they could -- if they acted every time, the Germans would have figured out the code was compromised and switched to a stronger code.

Except now everyone knows a lot about the capabilities of the NSA, and every serious criminal is already using the strongest encryption available and doesn't have any course of action for when the NSA is onto them.

It would be like if the British "blew their cover" and the Germans could only respond by completely ceasing all encrypted communication. Not the best possible outcome if they do, but still a positive outcome.

It's an even better outcome for cybercrime, since ceasing all communications would mean ceasing everything. If the NSA did this, the criminal would probably just stop operating, which means they might not be brought to justice, but at least the attacks would stop.

American government agencies put one thing above all else: self-preservation. If a duty to society involves risk which could make them be seen in a bad light, they will avoid it, or try to state it isn't their problem.

Free enterprise? This is an embarrassing extension of the idea of enterprise (since when can enterprises tax anyhow?). This is racketeering 101, plain and simple. I will burn your business down unless you pay me to protect your business. It is a new application of a very old concept.

Can you imagine the FBI saying, just pay the mafia?

I believe free enterprise requires that all parties to a transaction be free to participate, or decline, according to their own judgement and resources. Clearly absconding with and holding another's property for ransom is not free enterprise.

I hesitate to say something so pedantic, but with the number of people who attribute crazy properties to the concept of "free markets", etc. I think we should just be clear on this one.

The government is already accused of being in bed with commerce all the time, a la fascism comparisons; NSA helping companies directly like this could be viewed as favoritism for big companies and politically dangerous. Also, NSA's offensive mission is historically to attack nation-states aligned to the federal government's needs rather than to attack commercially motivated hackers. This is blurring with national security issues like espionage and economic terrorism coming into play, but this again raises the question of where the dividing line between helping private enterprise with tax dollars should go compared to doing something for everyone's benefit.

There is also a defensive side to NSA's mission that is defense-oriented (IAD), but the most recognizable contributions that most of the HN crowd may be familiar with are SELinux and perhaps a modest body of research involving how to secure your systems (the defense side is much more open than the offensive side). The problems I see there are that these measures are all very much aimed at large corporations, not start-ups (seriously, I can count the number of start-ups outside the intelligence / DoD space I've ever heard of that use SELinux or follow NSA hardening guidelines on two fingers), and there is clearly a huge gap between how much big businesses take security seriously compared to start-ups, from both a cultural and a business-driven set of motivations.

The number of start-ups derailed / completely wiped out by extortion attempts is rather small compared to the number that actually exist, but the legions of security consulting companies around the DC beltway want everyone to think that it's really terrible and that everyone's a target. The truth is that everyone needs to be secure "enough" to not be as vulnerable as the really stupid guys, and that while it might sting a lot to be down for a few hours or so and lose revenue / trust from users, diverting your company's resources towards hardening so much is quite costly for smaller companies, and it's just more practical to have really fast re-provisioning set as a priority for your devops / ops engineers (most start-ups can do this far better than larger companies).

Heck, with the NSA's budget, maybe they should be working on developing 'cures' for it.

This is precisely exactly like saying that if in xyzland rape with impunity becomes rampant, "Looks like free enterprise has just introduced a rape tax on not having brothers."

To be blunt, if you think like this and make legal arguments like this, you don't understand western civilization and should go and think for a while about all of society.

Unless of course you're kidding and being cynical.

It's 2015: computing is part of society, and computing free from attacks is little different from walking about in public unharmed. It takes massive contortions of perception to feel otherwise. Everyone is online! (Just as everyone goes out now and then.)

Ransomware is almost literally still just ransom.