Documents from the NSA show that the US is planning to implant malware on a million computers. How many terrorists are there in the world?
This is a brief diary regarding Barton Gellman's Washington Post piece.
The headline is that the US mounted 231 offensive cyber operations in 2011. One operation, of course, can inflict major damage. Stuxnet halted enrichment of uranium by Iran:
U.S. intelligence services are making routine use around the world of government-built malware that differs little in function from the “advanced persistent threats” that U.S. officials attribute to China. The principal difference, U.S. officials told The Post, is that China steals U.S. corporate secrets for financial gain.
...
an implant is coded entirely in software by an NSA group called Tailored Access Operations (TAO). As its name suggests, TAO builds attack tools that are custom-fitted to their targets.
But much more interesting to me is a statistic in the article regarding the installation of "implants"--that is, malware:
The NSA appears to be planning a rapid expansion of those numbers, which were limited until recently by the need for human operators to take remote control of compromised machines. Even with a staff of 1,870 people, GENIE made full use of only 8,448 of the 68,975 machines with active implants in 2011.
For GENIE’s next phase, according to an authoritative reference document, the NSA has brought online an automated system, code-named TURBINE, that is capable of managing “potentially millions of implants” for intelligence gathering “and active attack.”
I can think of a lot of reasons why this is A Bad Idea.
* First, it's A Bad Precedent. It's impossible for us to crack down on Chinese hackers if our own Pentagon is involved in hacking the world.
* Second, it may rely on making sure that software has holes. The US is far more reliant on computers than its rivals. So, the consequences of this are far more serious for the US and more broadly the West than they are for those rivals. For us, though, it bleeds our economic strength. For example, every time a credit card company gets hacked, thousands of people may stop productive work to try to prevent financial ruin. The drips add up to the point that malware, spam, hacking, etc. consume a disproportionate amount of human and financial resources.
* Third, if applied to critical systems like nuclear command and control as the article suggests, it would cause adversaries to go to hair-trigger systems. One of the most worrying things about nuclear war is the fact that response times are so short: if an attack is suspected, a nation has only a few minutes to decide whether or not to launch. Not to mention the possibility that malware might actually cause an adversary to think that an attack had been launched.
* But finally, millions? MILLIONS? There were estimated to be on the order of 10,000 people who went through Al Qaida's training camps in the 1990s. The total number of active international terrorists is unknown, but relatively small, perhaps in the tens of thousands (groups like the Taliban or the Sunni uprising aren't fundamentally terrorist in nature, though they may ally with terrorists).
And out of that small number of terrorists, how many even have computers? Ditto for third world rivals like Iran.
So who is the NSA really planning to target? Russia? China?
Or Americans?
I've heard many testimonials on these boards as to how the NSA was cleaned up after the abuses of the Bush Administration. Even if we accept that theory, one belied by the dishonesty of Keith Alexander and James Clapper, what is to prevent this massive new capability from being misused by a President Palin, or whoever the Republicans choose to nominate?
We need to have a conversation about this, not just on DK, but nationally.
__
Added: BobSwern also blogged this article, almost simultaneously with this post.