Cybersecurity: The NSA's Big Budget Action Movie
by Dave Gonigam
The exercise had an awesome name, inspired by the movies: "Quantum Dawn 2."
Back on July 18, scads of U.S. banks, stock exchanges and government agencies took part in a digital fire drill — a practice run in the event all of Wall Street came under massive cyberattack.
We've documented before how banks regularly come under attack — the harmless sort in which a bank's servers are bombarded with traffic, shutting down the website for a time. We've also documented the "glitch" that shut down the Nasdaq for three hours one day last summer — an event still unexplained.
But the July 18 drill was something else altogether.
The scope of this exercise was systemwide, full-on meltdown. And to make it as realistic as possible, each participant had only a piece of the puzzle.
"In some cases," reads an account of the exercise from Reuters, "a blue chip stock started to plummet inexplicably. Soon, shocking news about the company hit the market, but unbeknownst to the participant, the news was fake. For others, trading systems were on the fritz, or government websites stopped functioning."
The lessons learned? The story is frustratingly short on detail: "One key lesson from the drill was that the private sector and government authorities must share information more freely and quickly, said Ed Powers, the national managing principal of Deloitte & Touche LLP's security and privacy practice, which was an independent observer of Quantum Dawn 2."
If nothing else, the war game was widespread: "In addition to big banks such as Bank of America Corp. and Goldman Sachs Group Inc., there were 50 participants, including major exchanges, clearinghouses, the U.S. Treasury Department, the Securities and Exchange Commission, the Department of Homeland Security and the Federal Bureau of Investigation."
Gee, where was the NSA? Shut out, evidently.
Which might be why NSA chief Gen. Keith Alexander declared his intent on Oct. 8 for a hostile takeover of Wall Street.
Lost amid the noise over the last shutdown and the debt ceiling, Alexander gave a talk hosted by Politico and the defense giant Raytheon. He said at some time — likely during a crisis — "policymakers" will have to decide under what conditions the NSA can act to stop a major cyberattack on a crucial sector of the economy.
Tellingly, the example he used was financial services: "That's where we're going to end up at some point," he said. "You have to have the rules set up so you can defend Wall Street."
Alexander said just as the military can detect an incoming missile with radar, the NSA needs the ability to spot "a cyberpacket that's about to destroy Wall Street."
"The analogy was a stretch," writes Shane Harris at Foreign Policy. "What's a 'cyberpacket'? Presumably, Alexander meant a sophisticated computer worm or virus designed to disrupt a computer or destroy the data inside it. But the idea that a single tiny packet could wipe out Wall Street is laughable. That's like saying a paintball can take out a tank.
"The general is one of the most technologically knowledgeable officials in the intelligence community," Harris continues. "So should we conclude that Wall Street really is at risk of a catastrophic cyberattack? Or that Alexander is engaging in a little old-fashioned fear-mongering to drum up support for his policies?"
Nor was this the first time Alexander made such an attempt. Several years ago, he met with leaders of the financial industry about cyberthreats.
A Washington Post story from last summer describes his proposed solution: "Private companies should give the government access to their networks so it could screen out the harmful software. The NSA chief was offering to serve as an all-knowing virus-protection service, but at the cost, industry officials felt, of an unprecedented intrusion into the financial institutions' databases."
It was a bridge too far: According to one person in the room who spoke to the Post anonymously, "Folks in the room looked at each other like, 'Wow. That's kind of wild.'" And this was years before Edward Snowden made legions of Americans suspicious of the NSA.
"The NSA's aggressive pursuit of Big Data," writes Marcy Wheeler at The Guardian, "has not only invaded our privacy, but also left us more vulnerable to cyberattack."
The problem is that the NSA, like the Federal Reserve, has a contradictory "dual mandate."
NSA headquarters in Fort Meade, Maryland, houses two agencies under one roof, described in a 2010 Wired article: "There's the signals-intelligence directorate, the Big Brothers who, it is said, can tap into any electronic communication. And there's the information-assurance directorate, the cybersecurity nerds who make sure our government's computers and telecommunications systems are hacker- and eavesdropper-free."
Throw in Gen. Alexander's other hat — as chief of the military's Cyber Command — and the objectives become even more muddy.
And so you get results like the NSA colluding with technology companies to purposely degrade the firms' encryption protocols, so the NSA can more easily monitor "secure" Web traffic — including the times you log in to check your bank or brokerage account.
Of course, if it's easier for the U.S. government to crack encryption codes, it's also easier for foreign governments. Or terrorists. Or run-of-the-mill cybercriminals.
"In short," Wheeler writes, "because the NSA has prioritized collecting vast amounts of information… it has taken actions that increase our exposure to network attacks, all while insisting cyberattacks are the biggest threat to the country. And that has enabled it to demand new authorities to protect against the attacks it has made easier."
Ms. Wheeler's suggested remedy is splitting the NSA's competing functions into separate agencies. We, on the other hand, have no faith in reforms. In the end, we're left, as always, to follow the money — billions of which are flooding into the cybersecurity industry.
© 2014 Agora Financial, LLC.