ZDNet recently had the opportunity to sit down and discuss how the NSA approaches the difficult challenge of both protecting our security and supporting the American ideals of openness and transparency. The recent Heartbleed bug brought these issues to light in a particularly relevant way.
This article contains a transcribed version of that interview. Other than a few housekeeping clean-ups, the interview is verbatim.
Before we start, I also want to point out that I was permitted to ask whatever questions I wanted, and Neal Ziring, Technical Director in NSA's Information Assurance Directorate was willing to answer them.
Here are some tidbits from the full interview:
- "Vulnerabilities are very precious currency in cyberspace."
- "...have we looked at OpenSSL? Of course we have. We, like a lot of other folks in the community, did not spot this particular vulnerability."
- "Did we find it? No. We did not. A lot of other people didn't find it, either."
- "We have people that are spread thin, looking at a lot of different pieces, and we just didn't catch this one."
- "With a super-widespread vulnerability like Heartbleed, it's going to be in the national interest of the U.S. government to act to eliminate that vulnerability"
- "What we try to do is understand those systems to a very deep level so that we can understand where they're strong, where they're weak."
- "I'll be frank with you. If it comes down to protecting against a terrorist or protecting against his privacy, I'm afraid that his privacy is not going to be the number one thing on people's minds."
- "The only way to improve the trust is for us to be out there and transparent."
And now, the full interview, in its entirety...
ZDNet: Let's start out with some background. Tell us about yourself.
Neal: I've been at NSA since 1988, and I worked mostly in evaluation of security products, crypto products, things like that. I worked a little bit on mobile code security, executable content security as you sometimes call it at the DOD and IC levels. I worked a lot on router security, so if you go on NSA.gov, you can see some of the products I worked on, the guidance available on security, and I worked with NIST on security content automation protocol.
"The folks that are here on the inside get to see the intelligence that they're delivering every day. They get to see a soldier go home who they gave intelligence to his platoon so it wasn't ambushed."
Then I spent four years working over in our Technology Directorate as a security architect for some large government systems including some that went out to the field like Iraq and Afghanistan. Then I came back to my home, IAD Directorate, to be the Technical Director. You can think of it like a senior technical advisor position to our director.
Then, through all of that, like the last decade or so, I've been working a lot in our academic outreach efforts. We have a large program for designating Centers of Academic Excellence in information assurance and cyber security education, and I work on that, especially with the high level one called "CAE-R," which is for research universities.
ZDNet: What's your specific role here at NSA?
Neal: I said I'm from the Information Assurance Directorate. As you know, NSA has these two missions, a signal intelligence mission and an information assurance mission. I've spent most of my career in that information assurance mission, so my answers are going to tend to be from that viewpoint, although I understand the other mission.
ZDNet: What exactly is information assurance?
Neal: Information assurance, most people today would call it cybersecurity, although it's actually a little bit broader than that, but it's the art and science of being able to use our information with confidence in military systems, other national security systems, and being able to ensure that it is confidential when it needs to be confidential, that it has integrity when it needs that, that we have freedom to maneuver in cyber space.
Our motto for the Information Assurance Directorate is "Confidence in Cyberspace." We try to provide that for a very wide spectrum of customers. Under National Security Directive 42, our primary customer set are the national security systems, which are all your military and intelligence systems, certain other government systems that have to do with maintaining the national security of the U.S., but we actually do a lot beyond that in working with other parts of government and assisting government agencies at their request, for example, DHS with critical infrastructure, so we have a pretty broad mandate, and we've been operating in that mode since NSA was founded in the early 1950s.
ZDNet: Moving on from that to NSA's global mission, where do you see the NSA's global mission with regard to the digital systems data?
Neal: NSA's global mission from the intelligence side is to continue to produce actionable intelligence to the United States for the decision makers, the war fighters.
That mission hasn't gone away. It really hasn't changed. We still face a lot of threats in the world, and it's very important that the President, the military commanders, etc. have reliable intelligence about all those issues, so that hasn't changed.
Similarly, our information assurance global mission hasn't changed. We have to continue to provide products and services that protect national security systems wherever they may be. We have people deployed to the Middle East, working with folks on their networks out there right now. IAD [Information Assurance Directorate] does.
Those missions haven't gone away. They're complex. They keep getting more complex as our adversaries gain new tradecraft, but we're continuing to prosecute those and to partner with the folks we need to partner with all the time.
ZDNet: NSA is in a damned-if-you-do and damned-if-you-don't place with Heartbleed. If you did know about Heartbleed and didn't help get it fixed to protect us all, you're irresponsible spies. But if you didn't know about it and it's been there all along, in a very well-known piece of software, you're incompetent. So, which is it? Irresponsible or incompetent?
Neal: Yeah. This is a very tricky question, and certainly, NSA does have folks that look for vulnerabilities. We have to.
Vulnerabilities are very precious currency in cyberspace, and have we looked at OpenSSL? Of course we have.
We, like a lot of other folks in the community, did not spot this particular vulnerability. It's also very interesting to note that automated code scanners … I've talked to SMEs [Subject Matter Experts] both inside and outside NSA about this, didn't catch it either.
If you look at the structure of the OpenSSL code involved, it's a number of reasons why that could have been the case. Nobody knows exactly. The various companies are scrambling to rectify that at the moment, at least a few of them that I've talked to.
Did we find it? No. We did not. A lot of other people didn't find it, either. There's a lot of software out there. We have people that are spread thin, looking at a lot of different pieces, and we just didn't catch this one.
It's important to note that we focus on the technologies, the systems that we think have the most impact for national security. We have to prioritize on that basis.