Tuesday, February 25, 2014

Opinion: DoD doing the wrong job, very well

[Note: Departing from my usual focus on past events in my career as an Internet professional, here's an opinion piece.]

Edward Snowden has been a lightning rod for controversy since July 2013, when he began disclosing what he considers Constitutional violations by various elements in the US Department of Defense, infringing on the rights of US citizens.  As a consequence, some consider Snowden a whistle-blower; others consider him a traitor.

Whatever your opinion of Snowden's actions, many of the revelations must be given careful consideration, because the practices of our government today tend to become the laws of tomorrow. We want our children to have the same freedoms that we enjoyed in the years of the past.  Government can only be held in check by an informed and involved electorate.
Reading over the disclosures, a few points jump out at me.

First, the disclosures have supported the inevitable conclusion that our rights to privacy and unreasonable search under the US Constitution have drastically eroded over the last 12 years. The disclosures reveal a pattern of surveillance of all US citizens, including logging our phone calls, text messages, social media, internet activity, porn viewing habits[0], and even conducting close surveillance, not just of suspects without a warrant or probable cause, but also of their entire social group to the 3rd degree.  If you have a friend of a friend who has a Muslim friend, you have probably been under close surveillance by the US government at some time in the past 12 years.

This is against a backdrop of many other erosions of those same rights under the US Constitution protecting us against unreasonable search.  Until this year, the "Stop and Frisk" policy of the NYPD allowed any person to be searched at any time on the streets of  NYC without probable cause[1].  Federally mandated vehicle GPS tracking systems are now being installed in cars, and many court cases have supported that law enforcement agencies can access this data "at will" and without probable cause[2].  Between 2001 and 2012, the FBI attached physical tracking devices to cars, again without probable cause or a warrant.  The FBI deemed the practice of attaching such a device not intrusive enough to be considered a search.  The Supreme Court disagreed in 2012 case, U.S. v Jones[3].  Some of these practices are eventually overturned as in the NYPD and FBI cases, but not before many years of infringing on the rights of thousands, if not millions, of law-abiding US citizens.  It's difficult to avoid comparison to J Edgar Hoover's FBI, which employed an equally powerful, though human-driven surveillance machine to vacuum up data on any persons deemed by Hoover to be not loyal Americans.  Under Hoover, we now know the FBI used that data, not only for well intentioned evidence-gathering of potential suspects, but for purposes that can only be described as blackmail and extortion[4].

Second, while many laypersons are surprised by the extent and power of the DoD's surveillance system, I suspect many academic security researchers (outside the DoD) are surprised for entirely different reasons.  The academic research community has long suspected that the DoD operated an almost super-human surveillance network, capable of monitoring everything, decrypting everything, and storing everything. To  academic researchers, the DoD has historically taken on an almost mythical, god-like power.  The disclosures actually point to a much more human infrastructure, with significant weaknesses in their data gathering capabilities, and a very human, bureaucratic processes, not usually seen outside of a DMV.  The apparent lack of sophistication in the intelligence gathering apparatus points to an organization which is more analogous to teenage hackers, so-called "script kiddies".  Have we taxpayers funded a multi-hundred billion dollar group of "script kiddies"?

Most surprising to me, though, is the entire focus on exploitation and data gathering.  While they appear very good at what they do, according to the Snowden disclosures, the agency is entirely focused on vacuuming up and archiving data, without regard to the implication that the same practices they are using, could also be used against the United States and against US interests.  The same exploits and hacks that the DoD is abusing nationally and internationally can equally well be employed by foreign adversaries against the DoD, US companies, and US citizens. Yet, the Department of DEFENSE has done little or nothing to defend the nation. This is like a man who openly steals from his neighbors while leaving his own front door, unlocked. Or, in this case, a multi-hundred-billion dollar organization that robs its neighbors while leaving its own front door, unlocked.

The world has experienced, what I consider to be, an unprecedented period of peace for the last 70 years. To be sure, there have been bloody civil wars and proxy wars, but nothing on the scale of the frequent, bloody regional wars that have occurred regularly, throughout human history.

But peace can not last.  At some point, there will be another war.  One of the new battlefronts must be the cyber battlefield.  The opening shots of that cyber war will not be heard, instead the electricity may go out and not come back on.  Vehicles may not start.  Cell, Internet, television, banking, and payment services may all go down throughout the US. 

Who will be there to protect us when that day comes?

Some might say, "Well, that's the job of anti-virus programs and private industry, not the Department of Defense!"  Is it?  Are we trusting the outcome of some future cyber war to Microsoft or Norton Anti-virus?  Or even Kaspersky (a Moscow based company)?  If Microsoft is our only champion in the next war, we are going to lose that war.

When that day comes, as it inevitably must, we can rest assured (in the darkness, with our dead cellphones, internet, and televisions) that we tax payers funded several hundred billion dollars to create a vast Department of Defense organization which has a very thorough record of our porn and phone calls.  But did little or nothing to protect the United States.