The NSA's phony national firewall proposal

Summary: According to an anonymously-sourced report in the New York Times, the NSA wants to build a firewall/IDS/IPS around the whole United States of America. The idea is completely ridiculous, impractical in the extreme, and perhaps just a ruse for other operations.

Few government agencies have taken a reputation hit in recent times as big as that currently diminishing the National Security Agency (NSA). And while many in the tech industry were distrustful of the NSA before, there was at least an admiration for their prowess in cyberwarfare.

I have to say the agency has dropped a prowess notch in my opinion, if a recent New York Times article is to be believed. The focus of the article is how the political trouble in which the NSA finds itself doomed a proposal, championed by Gen. Keith B. Alexander, the director of the National Security Agency and head of the Pentagon’s Cyber Command. Details about the plan are only implied and the article makes no attempt to evaluate its merits.

What is the plan? From the Times:

Under this proposal, the government would latch into the giant "data pipes" that feed the largest Internet service providers in the United States, companies like A.T.&T. and Verizon. The huge volume of traffic that runs through those pipes, particularly e-mails, would be scanned for signs of anything from computer servers known for attacks on the United States or for stealing information from American companies. Other "metadata" would be inspected for evidence of malicious software.

It sounds like firewall/IDS/DLP for the whole United States of America. The notion is ridiculous. Many of the Internet pipes they speak of monitoring are OC-192s with a capacity of almost 10 Gbps. Not even the NSA can scan all that traffic for potentially malicious content and stolen intellectual property, all the while keeping up to date with threat intelligence.

Of course, any large organization or ISP attempts to do the same thing, on a much more modest and practical scale, using one (or more) of many commercial products. Perhaps they don't have all the same intelligence about attacks and the addresses of malicious actors as the NSA — although they might — but that doesn't mean the NSA can do anything constructive with such an operation.

We know that the NSA is inspecting some of this traffic already, but only a small percentage of it and for a much smaller problem scope. Effectively detecting "evidence of malicious software" requires mapping the traffic into a context, not just doing a pattern match. This multiplies the required computing resources.

And then there's the fact that they wouldn't be in a position to read any encrypted traffic. Even a large percentage of the e-mail traffic they are already sniffing is encrypted. Perhaps the NSA has the computing resources, with some time, to decrypt some traffic which they target for scrutiny. Such resources are best saved for high-value intelligence rather than ordinary intrusion detection.

The Times article says that the program actually goes a lot further than detection:

The worst malware could be blocked before it reaches companies, universities or individual users, many of whom may be using outdated virus protections, or none at all. Normal commercial virus programs are always running days, or weeks, behind the latest attacks — and the protection depends on users’ loading the latest versions on their computers.

Oh, really? They're going to block malware at the border? This is as bad as when they portray computers on "Law and Order" or "NCIS". Inevitably the systems can perform magical tasks with minimal effort (and inevitably the operator of the computer is a beautiful woman wearing glasses, but I digress…)

Later on, the article makes some more reasonable observations about the value that defense contractors, involved in an NSA pilot proposal for sharing intelligence, saw in the program. One of the standard proposals made to justify greater government involvement in "cybersecurity" is to increase the sharing of security intelligence... as if this isn't happening already on a large scale.

It does happen. Everyone already talks to everyone else and shares information about malicious sites and malware through a variety of channels, some open, some private. Anyone who can fly under the radar of today's best systems can probably get past the NSA's border firewall. Like I said, all you need to do is encrypt the traffic and route it through a trustworthy address. For a high-value attack this is a small price to pay.

Like so many anonymously-sourced articles, this one stinks of thinly-hidden agendas. Someone is trying to protect their program budget. Another possibility, even less comforting than budget politics, is that it's a ruse to gain increased access to Internet traffic for other intelligence purposes. These may well be reasonable intelligence purposes, but I wish they wouldn't insult us by claiming it's all part of a magic Internet defense shield.

Security for the Internet is probably best left to the private companies that operate it and who have every incentive to do their best to protect it, and who can't get away (for long) with claims on which they can't deliver.

  • The Great Firewall

    Good to see we're learning from our Chinese masters
    R.L. Parson
    • You've got that right

      This is merely an opportunity to install censorship on a national scale.
    • You absolutely nailed it.

      This is all about being able to censor what information you can have access to. On a somewhat related note, were you also aware, that the President can text pretty much every iOS or Android phone in the nation, and there's not a thing you can do about it?
      • Political speech

        has the highest degree of 1st Amendment protection, bar none. Last I checked, O is a politician, he is allowed to send messages as he sees fit to further his political agenda. I may not *like* O, but something I like even less is the thought that someone might be able to use the courts to prevent a politician from communicating a political message to the public.

        The public is free to react positively or negatively or even ignore the message as they see fit. I suspect if O started spamming people with text messages, his waning popularity and effectiveness would take an even greater hit.
    • USA is going to become China

      This is horrible, should not be allowed ever.
  • Wow

    David Gewirtz's ghost writers will be scrambling to come up with a counter-response to this article.
    • But seriously…

      I hear a lot of talk above about protecting American business (it’s doubtful that the American public is of any real concern to them). I have to think that with all of the compartmentalization inherent within the ‘letter’ agencies, who is to say that there are not sections that actually do the reverse?

      Technically the NSA has the ability to know what every company is going to do before the public (think Wall Street) does, and one has to wonder how tempting it would be to use this virtually unlimited power for financial gain. The only thing that could potentially prevent this from occurring is oversight, but within this type of environment oversight can easily be circumvented through claims of necessary security and it doesn’t cost much to pay off the oversight.

      It should be clear to everyone by now that verifiable accountability is effectively non-existent. Within that context is it hard to believe that the power would not be abused?
  • email encryption

    I remember years ago looking into email encryption for my personal email, but found the process to be overly burdensome. Is that still the case? Clearly my own government is not going to protect my privacy, so apparently I need to do it myself...
    • re-email encryption

      That’s an automatic alert to the NSA that you're hiding something and considered probable cause.
      • re-email encryption

        I can live with that...just doing my patriotic duty...
        • If you're interested...

          I'm hearing talk of email encryption services like TOR, secure search engines like DuckDuckGo and personal cloud devices you keep in your home like Cloudlocker. There was a time such talk would have meant we were paranoid, or worse. No more.
      • Encryption is "an automatic alert to the NSA"

        That’s why I’ve been trying to encourage my friends to encrypt *every* message they send for over a decade.

        If everyone used 2048-bit encryption for messages like “See you on Saturday!” it’d put a stop to this nonsense very quickly.

        GPG have free packages for most platforms that really aren’t hard to use.
    • There Are Solutions!

      Check out ForHisGlory.PrivacyAbroad for secure emails and web surfing. The servers are located in Switzerland and are not subject to the US Patriot Act, etc. It's time to take a stand and protect our 4th Amendment rights!
  • US Firewall

    Bad theory. Remember the Maginot Line?
    Kootenay Coyote
  • Sweet Jesus! Firewall "A la China" style

    Sweet Jesus! Firewall "A la China" style.

    What will be next?
    Block content because it is "malicious" but doesn't favor government?

    Wake up US people!

    Don't surrender the freedom your parents fought for!
  • It may be necessary...

    As scary as it sounds, it may be necessary to create something to protect our nation's infrastructure as the risks increase. There certainly have to be numerous checks and balances to ensure its proper use, but imagine if global attacks by foreign entities were able to significantly impair our nation's information infrastructure on a massive scale. It would result in economic collapse.
    • "It may be necessary... " SAY WHAT???

      And who is to say that said foreign entities
      cannot get the malicious code here by other means (USB stick, for example)?
      Set up several powerful labs within US borders and run the attack this way.
      The great big firewall is out, as the whole thing is already in;
      IP(s) are local and maybe rolling from state to state as needed.
      Run the bot to infect multiple PCs and run the thing on command. It's already possible today.
      And the centralized firewall is not going to stop it.
      Each and every sensitive entity needs to be protected at the source,
      as in each and every PC at the time.
    • RE: It may be necessary

      There are simple solutions to protecting the infrastructure from hackers, like the power grid and other utilities. Stop using internet services and disconnect from the public internet service. Put in your private internet lines that only have connection from one to the other.
    • Are you for real?

      "They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety."
      -Benjamin Franklin

      That quote is used, paraphrased, and mis-quoted a lot, but it holds true.
  • You are actually criticising the NSA

    based on an anonymous post, Larry? Back when journalism was just that, you'd do everything to confirm a story before posting it. So Larry, do YOU believe the story from The Times? Based on an anonymous source, an article was written, which YOU repeated, based on the same anonymous source, and criticize the NSA for doing what the anonymous source claimed it did. If the source is wrong, will your respect for the NSA return to its previous levels? Just curious........