It began with Edward Snowden releasing details of the NSA's classified and all encompassing monitoring program. As more and more details of this program continue to be revealed, I find it impossible to believe that any part of the government, in aggregate or individually, maintains oversight of the NSA's activities. If they are operating in any way, shape, or form, outside of the oversight of the government, they are, by definition, breaking the law. Even if they are simply lying by omission.
Having done many security assessments of organizations much smaller than the NSA, it is routine to find volumes of surprising details that few, if anyone, knew were going on prior to the assessment. Rules that were assumed to be in place and protecting the organization, but are not. Commonplace. So why would it be any different in government? They routinely operate within more pressing budgetary constraints than normal business. You could likely successfully argue that they waste much more of that money as well, so whether it is never there or wasted away, the effect is the same. However, with less budget comes less people available to do the work that should be done.
Time management meets IT process
Time management theory maintains that a task that can be done at any time shall be done at no time. Thus you can extend this logical precept to IT jobs and their related tasks. If it isn't someone's specific job to do, it will not get done. Further, good security practice, including the practice of granting and renewing security clearances, mandates that no one who is a requester of a security method can be the approver of the request. No self-approval.
"NSA, are you doing things that are on the up and up?"
"Yes, we are."
"NSA, do I want to know what you are doing?"
"No, you don't."
That's self-approval and it is a fundamentally flawed security concept. Any security practitioner will tell you that when you break common security best practices, bad things happen. If transparent, repeatable, auditable, and, most important, sensible security processes are not in place, you have no security. You may sleep well at night because someone told you things are fine, but consider this question:
"NSA, that evidence in your database says Joe did something wrong. Are you sure?"
"Can I see the evidence?"
"No, just trust us. It's true."
You'll forgive me if I wish to see the proof *couMADOFFgh*, and the chain of custody (audit trail) that shows how the database entry got there. Having recently touched on the topic of 'trust but verify' in a previous blog. I've spoken of that subject elsewhere in blogs, but I'll not cite the source for personal reasons.
Five billion mobile device records
One of the hot stories today is more information being released from the Snowden data that says the NSA is absorbing five billion mobile device records of geolocation data and call correlations daily. Having worked in a security operations center and monitoring far less than hundreds of millions of end points of data, I can attest that when we determined that an incident was occurring or a change in the rules that monitor all that data was made, we made sure our logic was sound. We used peer review in the open-source meaning of the word, so that our own viewpoint of one possible way to filter the facts didn't cloud what we were trying to see. Others would and could weigh in on whether or not our solution would likely deliver an accurate view. The NSA sees what they want and are true believers, a notably dangerous psyche to employ for logical analysis when used as your only measure. Many times in security we find curious things. It is far better to maintain an open mind than to instantly 'know' the answer before you have all the facts.
“The most elementary and valuable statement in science, the beginning of wisdom is ‘I do not know’. I do not know what that is.” Mr. Data, ST:TNG
This is something true believers cannot do. Without oversight (peer-review), we'll never know if their conclusions are correct. ...And for the record, we should not trust that they are deleting the records that have no value. A good security practitioner would have audit records to prove it and not simply say 'trust me.'
In the Merchant of Venice, Shylock was so burned because he was so focused on proving a specific point, he lost track of the big picture.
It worked before...
The NSA continues to argue that their methods work in catching the bad guys, but also make such claims without proof. "Trust us, we caught them before they did something bad." Can you prove it? "We can't comment on existing legal cases..."
In closing, I'll leave with two of my favorite quotes (both from the same paper):
“The argument that the same risk was flown before without failure is often accepted as an argument for the safety of accepting it again. Because of this, obvious weaknesses are accepted again and again, sometimes without a sufficiently serious attempt to remedy them, or to delay a flight because of their continued presence.” – R. P. Feynman