by pdkl95 3886 days ago
The NSA isn't interested in defensive work these days. As Dan Geer explained[1]:

    I suggest that the cybersecurity tool-set favors offense these days.
    Chris Inglis, recently retired NSA Deputy Director, remarked that
    if we were to score cyber the way we score soccer, the tally would
    be 462-456 twenty minutes into the game, i.e., all offense.  I will
    take his comment as confirming at the highest level not only the
    dual use nature of cybersecurity but also confirming that offense
    is where the innovations that only States can afford is going on.
This is a serious problem, not only from the problems of intelligence agencies with many powers and poor oversight; ignoring defense is going to bite a lot of people in bad ways. We are already seeing the beginnings of this with the escalating impact computer-based attacks are having on their victims.

I also recommend considering Jacob Appelbaum's response to this question[2] from the audience - from someone currently working for the NSA. The summary is that we need people doing NSA-style work, but on the defense side, and we need it now. If the NSA isn't doing that, then maybe people that want to actually protect their country should find somewhere else to work that is actually working on defense.

[1] https://www.youtube.com/watch?v=nT-TGvYOBpI#t=478

[2] https://www.youtube.com/watch?v=n9Xw3z-8oP4#t=4027


I assume part of the problem is that it is hard to quantify successes or wins in defense.

What is a good way to protect against ransomware? Symantec buries the lede with the answers (possibly because of conflicting business interests) which are

1. Limit end user access to mapped drives

2. Deploy and maintain a comprehensive backup solution

http://www.symantec.com/connect/blogs/ransomware-dos-and-don...

But really, how do we justify spending thousands of dollars on hardware? I hate myself for saying this but there are real risks of doing too much as well. We could have our own mini tyrannical regime of secure computing a la the TSA security theater.

Effective user education is challenging. Even developers are prone to use elevated user permissions where none is strictly required just for the sake of convenience. I know I've found myself right-clicking visual studio and clicking "Run as administrator" reflexively after just a few months of working on ASP.NET and IIS.

This is a little off-topic but I imagine the whole funding offense vs defense might be a little more "natural" than we like to admit. Imagine you're a defense manager and there's this other guy who is an offense manager. Just as a football analogy, how do you justify your team's worth when the other team says that there is no good way to quantify the worth of the work you're doing and there is a good way to quantify their team's work? I guess what I'm asking is how do we put a dollars-and-cents value on defensive cyber security? Can we just ask "How much does the business stand to lose if we lost all our data to ransomware or worse to a competitor?" or would business think that is overreaching?

> The NSA isn't interested in defensive work these days.

Hasn't "a great offense is always the best defense" always been the name of the game? We've gone from fists, to sticks and rocks, to spears, to swords, to Greek Fire, to gunpowder, to nuclear weapons. Why not now be the ones to own the power to take down any computer or network?

Great efforts in defense aren't necessarily successful or rewarded either, e.g. Reagan's "Star Wars"/SDI https://en.wikipedia.org/wiki/Strategic_Defense_Initiative which was widely criticized and failed miserably.

While cyberdefense is not in the same unrealistic realm as SDI was in the 80s, the ways that most people think about security (firewall on the perimeter and/or securing each node, pen testing, patches, and locking down what can be installed/used) don't really solve the problem of having a wide attack vector. Imagine if you could shoot a single soldier out in the field and it would kill his/her whole battalion, the base in which he/she was stationed, and perhaps destroy or weaken the entire army or even armed forces to which he/she belonged? That is the situation now.

Playing ultimate defense requires much more isolation. We shouldn't be on the same network, we shouldn't always be connected, and we should really limit how the outside world can affect each node. That isn't often the case with the networks we have currently.

  Hasn't "a great offense is always the best defense"
  always been the name of the game?
An air offence against an airfield can put a billion dollars worth of planes out of operation permanently.

There's no cyberattack equivalent of that - it's not like bricking a few $1000 PCs would disable foreign cyberattack capabilities.

Only a billion? This is the USA in 2015 we are talking about. A single F-35C costs a third of a billion dollars. So you are talking about 3 planes.

Exactly my thoughts. NSA was supposed to provide measures to protect the network of the government. But see the OPM's breach as one example.

Seems NSA is obsessed with penetrating everywhere using 'terrorism' as a means to ensure continued funding. Thus the 'defense' nature is quite boring and sadly ignored.

This talk by Dan Geer is really great. Worth watching, or reading [1].

[1] http://geer.tinho.net/geer.blackhat.6viii14.txt

SELinux and SE for Android are two examples of NSA doing defensive work recently. Also NSA's Information Assurance Directorate puts out guidance[1]. But as to the level of investment in offense versus defense, you'll have to draw your own conclusions.

[1] https://github.com/iadgov

SELinux made its public debut seventeen years ago, so it's not the best example of "recent" defensive work done by the NSA. ;)

To speak about SE for Android: I'm not sure how much weight I would lend to a few NSA employees helping Google/AOSP create SELinux profiles for Android. (It is recent work, though!)

I'm fairly certain that I would lend a lot of weight to public efforts to harden systems against the kinds of attacks that their TAO division launches.