The NSA’s Tailored Access Operations Hurt Americans… and It Has Nothing To Do With Privacy

¡Rant Warning!

Let’s get this out of the way. First, I am not a privacy advocate. I’d like to believe in such a thing, but the reality (and we all know it) is that privacy is dead. My background is in security, which is really the underlying topic here when we talk about the NSA and their Tailored Access Operations, or “TAO”. I’d also like to state for the record that I am usually very reserved when it comes to voicing my opinion about the government, because in all honesty… I’ve never worked for the NSA or any other three-letter agency. Call me naïve… but I’d like to believe that the motive behind these operations is truly in the best interest of my country even though I disagree with the tactics.

Like many of you, last night I watched President Obama deliver the State of the Union. This year (and we were all prepared for it) he mentioned (and I use “mentioned” deliberately) that he is working on cyber policy in light of the ever-growing number of cyber attacks that are affecting American businesses and putting Americans at risk. He also mentioned that he has worked with privacy advocates regarding the activities of the NSA, which we all know is a polite way of saying “mass surveillance”.

Let’s sweep privacy aside for this argument and leave that to the pros… clearly not me.

What is TAO?

Here is the Wikipedia definition:

“The Office of Tailored Access Operations (TAO) is a cyber-warfare intelligence-gathering unit of the National Security Agency (NSA). It has been active since at least circa 1998. TAO identifies, monitors, infiltrates, and gathers intelligence on computer systems being used by entities foreign to the United States. The NSA terms these activities ‘computer network exploitation’.”

Without getting into the nitty-gritty details of leaked classified documents, the government develops zero-day exploits in-house and buys them from third parties in order to infiltrate the computer systems of its targets. This means that the United States government knows of vulnerabilities, unknown to the software manufacturers, that could be used to compromise any system on which the affected product is installed.

Leaked documents brought forth by Edward Snowden have also revealed that the NSA has used its capabilities to hijack malware that was targeting government assets. Specifically, I am talking about the case of “BoxingRumble”, a Chinese-born botnet used to launch a Distributed Denial-of-Service attack on a DoD network. Essentially, they stood up a DNS sinkhole to deflect the traffic.
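To make the sinkhole technique concrete, here is an added example of my own; it is not code from this post, and it has nothing to do with any NSA tooling or the BoxingRumble case beyond illustrating the general idea. A sinkhole works at the name-resolution step: every bot has to look up its command-and-control (C2) hostname before it can receive an attack order, so a resolver that answers that lookup with a defender-controlled address cuts the bots off from their controller and, as a side effect, produces a list of infected clients. The C2 domains, the sinkhole address, the upstream answers and the query log below are all constructed for the example.

```python
"""Added example: a DNS sinkhole policy applied to a constructed resolver log.

Everything here (domains, addresses, log lines) is made up for illustration.
"""
from collections import Counter
from typing import Optional, Tuple

SINKHOLE_IP = "192.0.2.1"        # assumed defender-controlled host (RFC 5737 range)

# Assumed blocklist of C2 hostnames. Matching covers the names themselves
# and anything beneath them, since bots often rotate hosts under one apex.
C2_DOMAINS = {"c2.example.net", "update.example.org"}

# Stand-in for upstream resolution so the example runs offline.
UPSTREAM = {
    "www.example.com": "93.184.216.34",
    "c2.example.net": "198.51.100.7",
    "dl.update.example.org": "198.51.100.9",
}


def normalize(qname: str) -> str:
    """Lower-case and strip the trailing dot so 'C2.Example.NET.' still matches."""
    return qname.rstrip(".").lower()


def is_sinkholed(qname: str) -> bool:
    """True if qname equals, or sits under, any blocklisted domain."""
    name = normalize(qname)
    return any(name == d or name.endswith("." + d) for d in C2_DOMAINS)


def resolve(qname: str) -> Tuple[Optional[str], bool]:
    """Return (answer_ip, was_sinkholed); names we know nothing about get None."""
    if is_sinkholed(qname):
        return SINKHOLE_IP, True
    return UPSTREAM.get(normalize(qname)), False


def process_log(log_lines):
    """Apply the policy to 'timestamp client qtype qname' lines.

    Returns (answers, infected): answers holds the IP handed back for each
    line in order, infected counts sinkholed lookups per client address,
    which is the remediation list the sinkhole gives you for free.
    """
    answers = []
    infected = Counter()
    for line in log_lines:
        _ts, client, _qtype, qname = line.split()
        ip, sinkholed = resolve(qname)
        answers.append(ip)
        if sinkholed:
            infected[client] += 1
    return answers, infected


# Constructed resolver log: one clean client and two bots looking for their C2.
SAMPLE_LOG = [
    "2014-12-25T00:00:01Z 10.0.0.5 A www.example.com",
    "2014-12-25T00:00:02Z 10.0.0.17 A C2.Example.NET.",
    "2014-12-25T00:00:03Z 10.0.0.23 A dl.update.example.org",
    "2014-12-25T00:00:04Z 10.0.0.17 A c2.example.net",
]

if __name__ == "__main__":
    answers, infected = process_log(SAMPLE_LOG)
    for line, ip in zip(SAMPLE_LOG, answers):
        print(f"{line:<55} -> {ip}")
    print("clients to remediate:", dict(infected))
```

The caveat a defender should keep in mind: a sinkhole only helps while the bots still depend on DNS to find their controller. A botnet whose C2 address is hard-coded, or one that has already received its attack order, is not stopped by answering its lookups differently; at that point you are dealing with the flood itself, not the command channel.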

Where am I going with this?

Well… let’s highlight two important points:

  • The NSA knows of vulnerabilities that could be used to compromise computer systems, and it does not disclose these bugs to the software manufacturers.
  • The NSA has the capability to intercept or completely stop malware, more specifically botnet-driven DDoS attacks. (I am sure there are other campaigns out there that the NSA has the ability to prevent, but I can’t speak to what I don’t know.)

The argument that the NSA would give is that these operations help ensure America’s safety, but do they?

Just last night during the State of the Union, President Obama stated, “No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families, especially our kids.” If you (President Obama) truly believe that then why are you facilitating insecurity by undermining America’s ability to defend itself?

TAO is not only morally irresponsible, it also hurts America where it can’t afford to be hurt… our wallets. We really cannot quantify how much money goes into these operations. It would be foolish to think that anyone would ever know how many tax dollars are actually blown each year on the NSA’s operations, but what we can quantify is the amount of damage sustained by American companies when a cyber attack takes place. 2014 was a clear example of what the financial consequences of such attacks can be. Target, Sony, Home Depot, JP Morgan… the list goes on.

Case in point: #SonyHack

There are endless theories about who actually executed the Sony hack, but what matters here is not “who” but “how”. Just yesterday, Re/code published an article stating that a zero-day was the cause of the Sony hack. Whether this is true or not, I don’t know, but suppose it is. Imagine if the NSA had been aware of such a vulnerability and had actually disclosed it to the software manufacturer.

Sony’s PlayStation Network was crippled on Christmas Day by a DDoS attack that utilized a botnet consisting of home routers. Again… we know that the NSA has the ability to thwart such an attack, but no relief for Sony or Microsoft?

I guess my argument is that instead of being on the offense, our resources should be spent helping us defend against such costly attacks. I do agree with the value of intelligence, but as for President Obama’s statement on hackers not being able to infiltrate our networks… well… what are you doing about it? Policy? Last time I checked, the bad guys don’t read up on those.
