The NSA And Cybersecurity

Author: Mr Steven Roosa
Profession: Holland & Knight

Steven Roosa is a Partner in our New York office.

A December 3rd opinion piece in U.S. News & World Report advocates making the National Security Agency the agency responsible for "assuring" cybersecurity for critical infrastructure.  Before anyone rushes to embrace such a plan, it's important to sit back and reflect on the role of the NSA.

The NSA in the Interior of the Network

The mission of the NSA, broadly stated, is to collect signals intelligence on international terrorists, other governments, and foreign bad actors, and to provide the resulting intelligence to the U.S. government. To achieve its mission since 9/11, the NSA has positioned itself to intercept at least two broad categories of Internet traffic: (1) foreign Internet traffic (network traffic whose origin and destination are outside the U.S., but which often transits networks in the U.S.) and (2) Internet traffic between foreign NSA targets and servers/people located in the U.S.

Because both categories of traffic can be found on networks located in the U.S., the NSA, according to first-hand accounts summarized well by James Bamford in The Shadow Factory (2008), installed highly specialized splitters and data mining equipment at key exchange points and/or mega-switching facilities in the U.S. in order to intercept the network traffic. One can argue back and forth regarding the relative value of the information that has been collected, but what isn't up for debate is that the NSA, from an engineering standpoint, has compromised the physical integrity of the network infrastructure to achieve its ends.

Susan Landau, a highly respected mathematician and engineer who has done research at Cornell, Harvard, Yale, and MIT, and who is a 2012 Guggenheim fellow, observes that wiretaps are "risky business" because "they are an architected security breach that can be subverted and put to nefarious use." One of her books, Surveillance or Security: The Risks Posed by New Wiretapping Technologies (2010), discusses the topic at length and recounts, at one point, how the Greek government, from 2004 to 2005, was itself subjected to ten months of wiretapping when bad actors exploited similar built-in wiretapping infrastructure.

The NSA at...
