by fixermark 4002 days ago
No surprises there.

I get deeply frustrated (though I understand where they are coming from) when governments make the argument that they can't take advantage of this or that cloud service because the service's security isn't vetted. Clearly, the security in the backing systems owned by the government isn't sufficiently vetted either, so they're sacrificing velocity for non-security.

I know, it's a flippant attitude. Blame a lousy day. ;)


There's quite a bit of U.S. government on Amazon cloud. Using a cloud service doesn't magically give you better security.

This is more an indication of the NSA focusing too strongly on offensive/monitoring operations and not on information security, which is their job as well.

> This is more an indication of the NSA focusing too strongly on offensive/monitoring operations and not on information security, which is their job as well.

This is precisely how I feel about this kind of thing.

To my mind, the NSA should be working to make the security technologies used by American individuals, American companies, and the American government as strong and as free of vulnerabilities as possible. The necessary degree of transparency would, of course, mean any such improvements would be available to anyone in other countries, but I think that situation is far superior to our current climate where we suspect (and not as wild conspiracy theory) that our vulnerabilities were as likely created by the NSA as not.

Many American individuals—and presumably companies—consider the NSA an adversary simply because these individuals value their privacy and the NSA has shown only hostility toward Americans concerning their privacy. In some alternate universe, my own opinion of the NSA could have been positive had they been an agency focused on decreasing the risk of individuals' privacy being compromised.

At the very least, that they are not (apparently) presently sufficiently charged with assisting other branches of the government maintain security is a misallocation of talent.

> To my mind, the NSA should be working to make the security technologies used by American individuals, American companies, and the American government as strong and as free of vulnerabilities as possible.

Didn't NSA develop SELinux?

Edit: Heh, let's all avoid the fact that NSA created something insanely useful for the entire world. Nobody likes to think about these things. Hating is so much easier.

Yes, and for a time that was great. That and more is what they should be doing!

Instead, they have thrown away any trust and respect they had earned. Now they are feared.

fixermark was not claiming that cloud services would give better security, but that it's probably no worse.
Network security is not NSA's job. Nor is information security. Communications security is, but only for "national security information" (i.e. classified) and military communications.

Defense against "cyber attack" isn't even NSA's job, and where NSA participates in such endeavors that's on .mil, not .gov

DHS does have responsibility for cyber security on .gov however. But what is DHS supposed to do if OPM decides to throw open the keys to the kingdom to any random "authenticated" contractor handling background checks?

P.S. NSA might somehow have caught this despite everything I mentioned if they were engaged in better "monitoring operations" on other government networks and international communications relays... is that really what you want?

> NSA might somehow have caught this despite everything I mentioned if they were engaged in better "monitoring operations" on other government networks and international communications relays... is that really what you want?

I can think of a few million people who might have, yeah.

Don't get me wrong, I'd sign up for it if the alternative is 20+ million records of private data in the hands of an unfriendly state. But then I don't think that NSA is Literally Satan™ either.
Apologies if I came off as snarky, I was in a bad mood. People want their privacy, and they also seem to "deserve" a reason why Victoria was fired from reddit. This unacknowledged dichotomous ideology confuses me.
It's part of their information assurance program. https://www.nsa.gov/ia/index.shtml
Did you read the page you linked?

Try clicking on the "About IA at NSA" link and you'll find out what NSA means by "Information Assurance":

> NSA's Information Assurance Directorate (IAD) protects and defends National Security Information and Information Systems, in accordance with National Security Directive 42. National Security Systems are defined as systems that handle classified information or information otherwise critical to military or intelligence activities.

Or in other words, what I just said...

> information security, which is their job as well.

Is that really their job? It seems there might be a dozen other agencies responsible, ones less interested in foreign computer networks. Is that DISA's bailiwick? Perhaps NIST? Homeland Security? et cetera

https://www.nsa.gov/ia/index.shtml

Information assurance. Products and services for government and businesses.

Which if you click further around in that section of the NSA website, you'll find that NSA is only talking about information assurance of classified and sensitive military information, not any information handled anywhere in the government.
NSA name is National SECURITY Agency.

The agency that deals with intelligence (espionage) is the CIA, and the CIA do have their own cyber espionage systems, NSA not only is not doing their actual job, but they are being redundant.

You have no understanding of how work is dispersed within the U.S. intelligence community.

Which is fine, of course, but why are you trying to speak as if you have authoritative knowledge?

You say that NSA is responsible for cybersecurity within an HR agency because their name has "SECURITY" in it, and as far as I can tell this is meant completely seriously. So should NSA also be responsible for the military defense of the nation since their name has "SECURITY" in it? Should they regulate financial markets because their name has "SECURITY" in it?

In case you wish to know, NSA is responsible for (among other things) 'SIGINT' and 'ELINT'. CIA is responsible for 'HUMINT', 'OSINT', and many other fun things.

Both the NSA and CIA are foreign intelligence agencies, mostly due to historical accident. And of course there's an entirely separate DIA, which also exists mostly due to historical accident, but focuses mainly on military intelligence matters.

I submitted this a couple days ago... government slowly moving. http://www.logicworks.net/blog/2015/06/government-cloud-publ...
Yes, there's a whole portion of the Amazon Cloud that's run entirely for government (a family member is a higher-up at AWS Gov), and I have to assume they're also running private clouds with physical security, but I have no idea.
It's the GovCloud AWS region.

http://aws.amazon.com/govcloud-us/

IIRC, GovCloud is available for general purpose usage by private companies, it's just expensive and not as flexible.
The government has known how to vet their systems since well before 1989, when I attended a class taught by a security consultant for the DoD.

For example, your aged grandfather used to run ethernet through pressurized conduit. If that pressure ever dropped some heavily armed men would turn up.

The IP packet header has fields for security classification as well as compartment. If I design warheads and you design rocket engines, our computers are in different compartments so the router between us will drop packets if you and I attempt to discuss our work. However I could invite you to lunch.

What Bradley Manning did was simply not possible. Or rather it would not have been without the Congressional COTS mandate: Common Off-The-Shelf Computers. Rather than design special hardware or write special software for military computing the avionics for the F-35 Joint Strike Fighter were purchased online from Alibaba.
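The labelled-packet routing described in the comment above corresponds to the IPv4 Security Option of RFC 1108, whose Basic Security Option carries the classification level. Compartment data lives in the Extended Security Option, whose payload format is authority-specific, so the example below (added here, not code from the original thread) models compartments as a constructed set and shows a fail-closed forwarding decision; the option bytes are constructed sample input.

```python
# RFC 1108 Basic Security Option (IPv4 option type 130).
IPSO_BASIC = 130
# Classification level codes from RFC 1108 section 2.2.
CLASSIFICATION = {
    0b00000001: "TOP SECRET",
    0b00111101: "SECRET",
    0b01011010: "CONFIDENTIAL",
    0b10101011: "UNCLASSIFIED",
}
# Ordering used for the dominance check (higher rank = more sensitive).
RANK = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


def parse_basic_security_option(options: bytes):
    """Walk an IPv4 options field and return (level, authority_flags) from the
    first Basic Security Option, or None if it is absent or malformed."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:            # End of Option List
            return None
        if kind == 1:            # No Operation: single byte, no length
            i += 1
            continue
        if i + 1 >= len(options):
            return None          # truncated: length byte missing
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            return None          # malformed or truncated option
        if kind == IPSO_BASIC:
            if length < 3:
                return None      # must carry a classification byte
            level = CLASSIFICATION.get(options[i + 2])
            if level is None:
                return None      # unknown code: treat as unlabelled
            return level, options[i + 3:i + length]
        i += length
    return None


def decide(options, link_max_level, link_compartments, pkt_compartments):
    """Router decision: forward only if the packet label is dominated by the
    link accreditation (level <= max and compartments a subset). Constructed
    policy modelled on the comment; compartments are an assumed input."""
    parsed = parse_basic_security_option(options)
    if parsed is None:
        return "drop: unlabelled or malformed"   # fail closed
    level, _flags = parsed
    if RANK[level] > RANK[link_max_level]:
        return "drop: level exceeds link accreditation"
    if not set(pkt_compartments) <= set(link_compartments):
        return "drop: compartment mismatch"
    return "forward"


# Constructed sample: NOP, then a SECRET Basic Security Option with one flag byte.
SAMPLE_OPTIONS = bytes([1, IPSO_BASIC, 4, 0b00111101, 0x00])
```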

Then why does Lockheed have hundreds of people involved with writing and testing avionics software for this aircraft? Why does Northrop Grumman have hundreds of engineers working on avionics hardware? Why does Lockheed Martin have an entire B737 that it heavily customized to test all of this hardware and software? https://en.wikipedia.org/wiki/Lockheed_Martin_CATBird
You have a wooden head.
...No need to be insulting and condescending. I understand that you were making a joke. But the fact is, your joke example was poorly chosen.
I can see your point.

However, a problem we really do have is that we have lost our expertise. The COTS mandate led to less demand for the kinds of engineers who could have prevented this breach.

My friend Murray Sims is a naval civil service coder. He rang me up once to beg me to work for the navy:

"People are dying because of software bugs."

I'd love to, but I get a little loopy sometimes so have no hope of getting a clearance; instead I write technical articles.

http://www.warplife.com/tips/

I admit I was a little saddened to be insulted by someone whose work I admire.

Your friend definitely has a point. People are dying because of software bugs. And process bugs. And outdated hardware.

I agree with you that we have lost our expertise. I think the defense industry in general has a demographics problem. There's a lot of old guys who are about to retire. A lot of young, inexperienced people. And not enough of the mid-career engineers.

Humor is not allowed on HN. It's for our own protection - most of the people here are so autistic a simple ironic statement could lead to the end of the internet as the HN readers spaz out all at once.
Government is full of cargo-cult policymaking. I assume it's a combination of no real qualifications to get a job making policy combined with that seductive feeling of giving orders.