by comrade1 3999 days ago
There's quite a bit of U.S. government on Amazon cloud. Using a cloud service doesn't magically give you better security.

This is more an indication of the NSA focusing too strongly on offensive/monitoring operations and not on information security, which is their job as well.

6 comments

> This is more an indication of the NSA focusing too strongly on offensive/monitoring operations and not on information security, which is their job as well.

This is precisely how I feel about this kind of thing.

To my mind, the NSA should be working to make the security technologies used by American individuals, American companies, and the American government as strong and as free of vulnerabilities as possible. The necessary degree of transparency would, of course, mean any such improvements would be available to anyone in other countries, but I think that situation is far superior to our current climate where we suspect (and not as wild conspiracy theory) that our vulnerabilities were as likely created by the NSA as not.

Many American individuals—and presumably companies—consider the NSA an adversary simply because these individuals value their privacy and the NSA has shown only hostility toward Americans concerning their privacy. In some alternate universe, my own opinion of the NSA could have been positive had they been an agency focused on decreasing the risk of individuals' privacy being compromised.

At the very least, that they are not (apparently) presently sufficiently charged with assisting other branches of the government maintain security is a misallocation of talent.

> To my mind, the NSA should be working to make the security technologies used by American individuals, American companies, and the American government as strong and as free of vulnerabilities as possible.

Didn't NSA develop SELinux?

Edit: Heh, let's all avoid the fact that NSA created something insanely useful for the entire world. Nobody likes to think about these things. Hating is so much easier.

Yes, and for a time that was great. That and more is what they should be doing!

Instead, they have thrown away any trust and respect they had earned. Now they are feared.

fixermark was not claiming that cloud services would give better security, but that it's probably no worse.
Network security is not NSA's job. Nor is information security. Communications security is, but only for "national security information" (i.e. classified) and military communications.

Defense against "cyber attack" isn't even NSA's job, and where NSA participates in such endeavors that's on .mil, not .gov

DHS does have responsibility for cyber security on .gov however. But what is DHS supposed to do if OPM decides to throw open the keys to the kingdom to any random "authenticated" contractor handling background checks?

P.S. NSA might somehow have caught this despite everything I mentioned if they were engaged in better "monitoring operations" on other government networks and international communications relays... is that really what you want?

> NSA might somehow have caught this despite everything I mentioned if they were engaged in better "monitoring operations" on other government networks and international communications relays... is that really what you want?

I can think of a few million people who might have, yeah.

Don't get me wrong, I'd sign up for it if the alternative is 20+ million records of private data in the hands of an unfriendly state. But then I don't think that NSA is Literally Satan™ either.

Apologies if I came off as snarky, I was in a bad mood. People want their privacy, and they also seem to "deserve" a reason why Victoria was fired from reddit. This un-acknowledged dichotomous ideology confuses me.

It's part of their information assurance program. https://www.nsa.gov/ia/index.shtml

Did you read the page you linked?

Try clicking on the "About IA at NSA" link and you'll find out what NSA means by "Information Assurance":

> NSA's Information Assurance Directorate (IAD) protects and defends National Security Information and Information Systems, in accordance with National Security Directive 42. National Security Systems are defined as systems that handle classified information or information otherwise critical to military or intelligence activities.

Or in other words, what I just said...

> information security, which is their job as well.

Is that really their job? It seems there might be a dozen other agencies responsible, ones less interested in foreign computer networks. Is that DISA's bailiwick? Perhaps NIST? Homeland Security? et cetera

https://www.nsa.gov/ia/index.shtml

Information assurance. Products and services for government and businesses.

Which if you click further around in that section of the NSA website, you'll find that NSA is only talking about information assurance of classified and sensitive military information, not any information handled anywhere in the government.

NSA's name is National SECURITY Agency.

The agency that deals with intelligence (espionage) is the CIA, and the CIA do have their own cyber espionage systems. NSA not only is not doing their actual job, but they are being redundant.

You have no understanding of how work is dispersed within the U.S. intelligence community.

Which is fine, of course, but why are you trying to speak as if you have authoritative knowledge?

You say that NSA is responsible for cybersecurity within an HR agency because their name has "SECURITY" in it, and as far as I can tell this is meant completely seriously. So should NSA also be responsible for the military defense of the nation since their name has "SECURITY" in it? Should they regulate financial markets because their name has "SECURITY" in it?

In case you wish to know, NSA is responsible for (among other things) 'SIGINT' and 'ELINT'. CIA is responsible for 'HUMINT', 'OSINT', and many other fun things.

Both the NSA and CIA are foreign intelligence agencies, mostly due to historical accident. And of course there's an entirely separate DIA, which also exists mostly due to historical accident, but focuses mainly on military intelligence matters.

I submitted this a couple days ago... government slowly moving. http://www.logicworks.net/blog/2015/06/government-cloud-publ...

Yes, there's a whole portion of the Amazon Cloud that's run entirely for government (a family member is a higher-up at AWS Gov), and I have to assume they're also running private clouds with physical security, but I have no idea.

It's the GovCloud AWS region.

http://aws.amazon.com/govcloud-us/

IIRC, GovCloud is available for general purpose usage by private companies, it's just expensive and not as flexible.