The NSA is one of the most secretive of the US Government’s TLAs (three-letter agencies), which makes sense since it is charged with intercepting, decrypting and analyzing communications for the intelligence community. However, in addition to its SIGINT role, the NSA is also tasked with helping the government and private industry secure systems against cyber attack (information assurance). If you go to the agency’s website, you’ll find a number of configuration guides that provide security advice for products such as computer operating systems, database servers, and Cisco routers. These guides are a great use of our tax dollars (IMHO): they help protect government systems from attack and, with some modifications, are helpful to private industry as well. So why am I telling you this?
This week, we’ve seen some press wondering whether Microsoft and the NSA might have cooperated to place secret back doors in Windows 7 to allow the spooks to access all of our computers (as well as those of the bad guys). Hackles were raised when a senior NSA official testified before Congress that the agency had “assisted” Microsoft with security for the new OS release. According to the NSA and Microsoft, the assistance provided was limited to the production of a security configuration guide for the new OS and did not include any special access methods for the agency.
So, is Microsoft helping the NSA get access to millions of computers worldwide? Probably not… Microsoft would be risking its customer base worldwide if news of such a backdoor were to leak. But this incident does reveal a perceptual conflict in the NSA’s information assurance and SIGINT missions. Maybe it is time for the government to separate the jobs of protecting information and gathering information.
One of the issues the private sector has with taking security advice from the NSA is the perception that the NSA is in the business of protecting (and swiping) state-level secrets. After all, widget production figures don’t need the same level of protection as the nuclear launch codes. I think a lot of security professionals pass the NSA documents by because of this perception. What would be really great would be a separate release of private-sector versions of these types of documents from a less ominous and more civilian-oriented agency. For example, the Windows 7 Security Compliance Management Toolkit (which the NSA assisted in preparing) could be a starting point for much less complicated sets of instructions aimed at:
- Home users
- Educational institutions
- Small and medium-sized businesses
- Large enterprises
- Critical Infrastructure Providers
- Financial Institutions
I’ll take this a step further… I would like to see these documents form the basis of a description of the minimum level of due care that any enterprise handling information owned by others, or controlling critical infrastructure, must meet. Having some very basic standards (and some teeth to back them up) would do three things:
- Provide incentives to enterprises to secure their systems
- Provide a generally accepted security baseline
- Provide small and medium-sized businesses that don’t have a high level of security expertise in house with a clear and concise roadmap (and instructions) for what they need to do
I think that there would need to be private sector involvement in developing these documents, of course. It would be a large undertaking, but I think it would also be a large step in the fight against cybercrime and cyberwarfare.