Jon Evans
More posts from Jon Evans
I spent much of this week at the Black Hat information security conference, after attending the head of the NSA’s keynote speech; and I am pleased to report, O my readers, that here in Las Vegas I have finally achieved enlightenment. That being: the fundamental problem with the National Security Agency, which it shares with most “security” companies, is that it’s not really in the business of security. It’s in the business of fear.
That’s why it’s so loath to reveal anything about its vast and classified machinery; that’s why, until Edward Snowden, the mere existence of the massive metadata dragnet that captures virtually every phone call made in America was a jealously guarded secret.
No one could seriously believe that this secrecy made the nation more secure, on the whole. Few-to-zero terrorists are dumb enough to think that their phone calls are inviolate. Whatever tiny, incremental benefits we might gain from the increased ability to track such morons are hugely outweighed by the risks inherent in concealing such a program and relying on those involved with it to do the right thing, forever, beneath the so-called “oversight” of a secret one-sided star-chamber court.
But the NSA is like any security company. It monetizes fear. The more frightening that the world seems, the more enemies that appear to exist, the more money and power that is piled on its doorstep. And so–just like all the Black Hat companies advertising anti-hacking tools–it has an enormous incentive to play up any and every fear to the maximum possible extent…and no incentive whatsoever to provide a measured, reasoned analysis of real risks.
What is the oldest and most primal of fears? The fear of the unknown. That’s why the NSA–and, again, security companies–fight so fiercely to create a fog of uncertainty and doubt. That’s why they are so loath to reveal anything about the true nature of the man behind the curtain. On some level the NSA must realize that the public deserves greater transparency and public oversight; but such two-way transparency is a direct and terrible threat to their money and their power.
We can see that already. When General Alexander revealed that the FISA 215 metadata dragnet led to only 12 reports to the FBI last year, he was trying to show that it didn’t threaten civil liberties; but at the same time, he set himself up for a reasoned cost-benefit analysis that will not necessarily swing the way he wants. “You’re spending all this time and money tracking every telephone call in America, on a questionable legal basis, and all you get out of it is one report to the FBI a month — and no evidence that there was ever any reason to keep this program secret?”
Similarly, he revealed that 54 “terror-related activities” were disrupted by the NSA over the last twelve years. You’ll note that that’s a very fuzzy phrase with no specific definition. If specifics actually were available, then almost by definition, our fears would be much diminished…along with the NSA’s power and mystique.
To be clear: there are real threats out there, just as there are real hackers attacking corporate networks. We need organizations, and tools, and software, that can defend ourselves against them. Like the NSA. They do good work. But at the same time, they’re continually, and hugely, incentivized to keep secrets that they don’t need to keep, and to exaggerate fears and dangers. That’s why they’ve gone so far beyond the boundaries of what’s right.
There’s no sense in making any moral judgments here. I’m absolutely prepared to believe that the NSA is populated by good and noble people. But if you give any person or entity a colossal incentive to do something, then the overwhelming majority, including good and noble people, will eventually find some way to rationalize it to themselves. That same incentivization is why capitalism works so well at lifting people out of poverty. (To forestall the inevitable naysayers: yes, it really does. At least up to a point.)
Therefore, the security-industrial complex must play up how fearsome those bogeyman called “child pornographers” and “terrorists” have become; and to maximize those fears, they must hide or play down the actual facts, numbers, and risks. Fortunately for them, most people don’t think rationally about their fears. That’s why shouting “terrorists!” “kidnappers!” “child pornographers!” is so effective at getting people to cede their authority, even though those actual risks are really, really, really low.
https://twitter.com/umairh/status/362661529058938880
https://twitter.com/umairh/status/362662039858053120
https://twitter.com/umairh/status/362669918979760135
But even people willing to sacrifice their liberty for perceived security are not necessarily willing to sacrifice visibility, so those in the business of fear have to convince them that that their own blindness somehow protects them. It’s amazing how effective this has been until now, given that it’s obvious nonsense–but it’s possible that we’re finally reaching a critical mass of people unwilling to be blinded.
The question isn’t how we fix the symptom, which is the NSA’s jealous secrecy and exaggeration of fears. The question is how we somehow keep them from being so strongly incentivized towards secrecy and fear in the first place. The same applies to every tech security company. I don’t pretend to have any answers, but I’m pretty sure, now, that that incentivization is the fundamental problem with the security-industrial complex.
Comment