US National Security Agency (NSA) badly crippled

Too busy not dying for any cyber-defence stuff

Those accustomed to imagine the US National Security Agency (NSA) as some guild of omniscient, malevolent hermits effortlessly deciphering all the electromagnetic noise enveloping the modern world will be bitterly disappointed to learn that its basic, functional competence is in doubt.

While the Agency has been credited with miraculous achievements such as monitoring every communication made by electronic means worldwide with its famous Echelon system, there's reason to wonder if it will even exist a decade from now.

Whistleblowers urgently needed

The NSA has got severe internal problems, long suspected but only recently confirmed. Conspiracy paranoiacs will of course insist that the Agency is leaking the bad news as part of a subtle plot to throw us all off the scent of their shocking capabilities. But those who understand the frailties of human nature will find it easier to suspend disbelief, and even sympathise a bit.

Far from the perfectly-tuned "Mission Impossible" team of popular myth, the NSA is in fact "an organisation ripe for divestiture; its individual capabilities are of greater value than the organisation as a whole. [Its] lack of leadership is responsible for... the complete breakdown of the NSA governance process," according to an internal NSA report dated 1 October 1999 and released on 17 October 2000 under a Freedom of Information Act (FOIA) request by the journal Inside Defense.

Meanwhile, an external audit summary dated 22 October 1999 and released 17 October 2000 reaches much the same conclusion, noting, for example, that the Agency's "leadership culture... appears most interested in their positions and protecting their people's jobs at the expense of accomplishing the mission."

The second study finds a veritable shopping-list of faults, among them a "broken decision-making process; poor financial management; a broken personnel system; inadequate business management, program management, and system engineering; poor stakeholder relations, particularly with Congress; and an inward-looking culture," all of which, the authors warn, foreshadows "technology obsolescence, [a] gap with commercial practice."

Low morale within the ranks brought on by an irrational system of pay raises and promotions combines with general budgetary madness to make the NSA appear "to operate like an entitlement program."

The Agency has got to integrate itself into the wider intelligence and security community, which encompasses both government and private business interests, in order to stay relevant - in order to survive. But a legendary culture of secrecy and isolation make that its single most difficult challenge.

The "No Such Agency" culture appears to be the consequence of an established environment of back-stabbing and cover-your-ass indifference. The report found that "the present mindset fostered a society where people were afraid to express their own thoughts. Even though people spoke to us with true candour, they always wanted to avoid attribution because of the perception that the information was going to be used against them."

And of course, if these guys can't trust each other, there's little reason for us on the outside to trust them either.

Both reports suggest images of a sinking ship on which no one dares lower a lifeboat, or even mention the painfully obvious. The Agency has created "a culture that discourages sending bad news up the chain of command. [Yet] the staff knows NSA is falling behind and is not properly addressing the inherent problems of the emerging global network."

And if that wasn't enough, to top it off the House Permanent Select Committee on Intelligence stated bluntly in a recent report that "Each type of communication - radio, satellite, microwave, cellular, cable - is becoming connected to all the others. Unfortunately, as the global network has become more integrated, NSA's culture has evolved so that it is seemingly incapable of responding in an integrated fashion."

It has fallen to the NSA's Director, Lieutenant General Michael Hayden, USAF, to address these shortcomings as the Agency struggles for relevance in the digital real world. During a recent NIST security conference, Hayden outlined some of the changes he's already implemented, chief among them a new merit-based pay system to attract and hold talented employees, which the agency often loses in droves to corporate head-hunters.

What did you do in the cyberwar, Daddy?
The General also spoke of NSA's role in cyber-defence, a seemingly natural area of expertise. But the timing is unfortunate. As the Hermit Agency struggles to recover from a crisis of mismanagement and navel-gazing, other government bureaux are pressing it to take both defensive and offensive roles in the anticipated cyber conflicts of the near future. It ought to have made ready to do just that, but clearly has not found the time.

"Many personalities in the [Department of Defence] would like NSA, since it understands the technology, to become a combat element in cyberspace. NSA is resisting this because it can lead to a series of terrible legal quagmires and even more intense scrutiny than it already gets from Congress," a senior US intelligence official told The Register.

"Such roles would bring enormous legal, publicity, and other problems that Hayden doesn't need right now. Thus, Hayden and NSA are contemplating expanded offensive roles, but only insofar as they have to study the issues in order to avoid being stuck with them," he added.

But if the NSA is preoccupied with its own restructuring efforts, we have to wonder who is going to respond if the US or its allies were to sustain a serious information attack.

"The possibility exists that the offensive arm would solely be some government element designated by the President to carry out a covert action. Executive Order 12333 [signed by Ronald Reagan in late 1981] allows the President to pick whoever he determines is capable of fulfilling the task," the official told us.

While there is a working agreement to organise US cyber-defences by the US Critical Infrastructure Coordination Group, chaired by National Coordinator for Security, Infrastructure Protection, and Counter-Terrorism Richard Clarke of the White House National Security Council (NSC), one has to wonder if the spirit of cooperation might not get lost in the sort of inter-agency rivalries one finds throughout the US government.

"Yeah, this field has it also," the official told us, and "with a strange 'religious' overtone -- many agencies are acting like they are fighting to control the future."

The rapid growth and multiplication of interested parties in cyber-defence - military, intelligence and law enforcement - provides an excellent opportunity for empire-building, which could easily take precedence over coordination and integration.

"We have a 'systems-integration' problem," the official observed. "Not enough folks are involved; but much worse is the fact that what we are doing is not well tied together due to the complexity of the technical and organisational interrelationships."

So what we have is something of a paradox, with too many agencies marching to their own drummers, and too few getting to the heart of the problem, which is to exploit what each one does best, and then integrate the parts into a rational cyber-defence strategy. Otherwise, as the NSA's paralysing troubles illustrate, each player's individual preoccupations are really just that. ®

Sponsored: 5 critical considerations for enterprise cloud backup