NSA media hysteria misses the mark

The U.S. government spying scandal has implicated programs that secure critical infrastructure, protect intellectual property, and make commercial software more reliable.

Media reporting on NSA spying has ginned up scandal and confusion about unrelated cyber security programs. A Tumblr site, "Obama is Checking Your Email" makes light of the scandal.

Recent revelations about U.S. government spying have fueled a media firestorm that has tacitly implicated programs unrelated to the more controversial electronic eavesdropping. In reality, these programs help to secure critical infrastructure, protect intellectual property, and make commercial software more reliable.

On Friday, Bloomberg ran an exposé overviewing U.S. National Security Agency (NSA) and other government initiatives to help software makers address security vulnerabilities. The programs it alludes to are voluntary and incentivize companies to share "zero day" information on security bugs and hardware specifications in return for access to classified intelligence information to defend their systems from hackers. The information is available to the U.S. government before it's publicly disclosed. The fact that it's happening isn't very secret.

Cyber warfare puts infrastructure at risk from the power grid to stop lights. U.S. companies are frequently targeted in industrial espionage, and some systems have even been held for ransom by hackers. Ad networks like Google lose millions from sophisticated attempts at "click fraud" orchestrated by organized crime overseas. Companies that have been targeted and work with U.S. intelligence to protect their assets have said so.

Government involvement to address these issues is hot news in the wake of the PRISM leak controversy where it was "revealed" (some details were already known for years) that telecommunications and Internet companies were cooperating with the NSA to gather data. That snooping began illegally under the Bush administration, but Congress acted to shield participating companies from liability after it was done. President Obama carried the cyber spying forward and expanded its reach. It's understandable that industry partnerships are under scrutiny, but it's not another PRISM.

PRISM is presumably now legal, but secret interpretations of laws, shadow courts, a complete lack of judicial review, and the widespread nature of the program have upset civil libertarians and even some longstanding proponents. The author of the Patriot Act, which made some of this possible, now wants to see it amended. But none of that directly involves the aforementioned cyber security programs -- even if press reports tie them in.

The Federal Bureau of Investigation, Defense Department and NSA all work with thousands of U.S. tech companies to fight cyber warfare. It isn't used for spying (at least domestically), and isn't anything that hasn't been disclosed publicly. For instance, the NSA hosts a public Web site which describes what it does, so it's not a new "scandal" or news to anyone -- just fodder that media outlets use to generate Web traffic.

The NSA participates in a public worldwide effort to design and evaluate secure software called the Common Criteria Evaluation. The NSA's expertise led to the creation of at least one ultra secure operating system that has protected U.S. troops overseas, ensures that the complex systems found in commercial jetliners are reliable, and keeps vital infrastructure safe from attack. What exactly is the scandal there? Nothing much.

Disclosure: I volunteered with the NSA's Information Assurance Directorate as a technology ombudsmen at Temple University to gain grants and internships for students that were studying secure development. That program required changes to the curriculum, so the university opted not to formally participate.


This post was originally published on Smartplanet.com