I do believe it is game over for business as usual for those in the intelligence business. Radical reinvention of the US intelligence community is in order. What we need now are big, creative, wild ideas as we re-create our next generation, world-class, trusted, hyper-efficient, and globally admired intelligence apparatus. I explained this thinking here #SpyReboot.
With this in mind … how about this crazy idea for starters:
Maybe one of the NSA’s new roles would include: timely and vigilant disclosure of every zero-day exploit, design weakness or other discovered vulnerability they find in the world’s information and communications technology infrastructure. These discreet disclosures would be made to manufacturers globally – US and foreign companies alike, including for example the Chinese company Huawei. Why? Well, most of the world is friend, not foe … and lots of our friends use other people’s stuff.
While patching these hardware and software deficiencies is the responsibility of the manufacturer, just because they are notified is no guarantee they act. So maybe one way to compel manufacturers to take action would involve publishing some specific statistics about how many discovered/disclosed vulnerabilities remain unanswered – all in the name of transparency, of course. If manufacturers competed for security and trust around these public statistics, maybe everybody wins.
The NSA will still be sneaky. And if this sneaky work uncovers new vulnerabilities being eyed by foreign governments or criminal organizations, these too will be revealed.
True, we will be shooting ourselves in the foot with respect to our ability to penetrate some significant, hard-to-reach adversaries. But balance this cost with the many upsides: (1) The world’s infrastructure is more secure; (2) Global banking is less at risk; (3) There are fewer data breaches as it becomes harder for bad guys to steal data; (4) Average citizens world-wide will have more confidence in the security of their private communications; (5) Dissidents in oppressive countries will be less at risk when speaking up; (6) The amount of stolen US intellectual property over cyber channels will see all-time lows; (7) US technology manufacturers will recover much of the world’s trust in their ability to produce safe and secure products. Outcomes of such significance may well be worth the loss of some intelligence collection. Oh and by the way, I think foreign intelligence organizations will be at least as disadvantaged as the US, as their exploited foreign (and domestic) pipes that they currently enjoy also begin to dry up.
This one shift in mission would help level the cyber playing field in a way that the US could lead with credibility – yes, in part because the world now knows (thanks to the leaked documents) just how superior the NSA is, offensively.
The word ‘loved’ might be too strong, but do not underestimate the goodwill and trust towards the USA that would come from the free, voting people of the world as the NSA takes on the mission to help secure the Internet for everyone.
The NSA will still be expected to carry out offensive espionage, including SIGINT collection against foreign targets. And just because they have discreetly disclosed the vulnerability to a manufacturer does not mean they won’t exploit the hell out of it until someone patches it. The NSA will also surely be investing in and using other clever (secret) methods – methods other than weakened, commercially available technology.
This might actually be a horrible idea. I don’t know. The devil is in the details. How would this be implemented? What is the new oversight mechanism? What kind of transparency would accompany this mission? Would publishing the total number of disclosed vs. fixed vulnerabilities by manufacturer and product really compel companies to make fixes faster?
Oh, and while I am thinking about it: to maximize this Jiu-jitsu move, maybe this white hat team of NSA geniuses should be moved from the NSA to a different organization, e.g., National Institute of Standards and Technology (NIST), National Telecommunications & Information Administration (NTIA) at the Department of Commerce, or Federal Communications Commission (FCC).
This idea might be too wild, or God forbid, not wild enough. One thing is clear – we need to break out of the old ways of thinking. Instead, let’s all start focusing on wild ideas in general, ideally hundreds of such ideas, as we envision a next generation, trusted, world-class, hyper-efficient, and globally admired intelligence apparatus.
Lots of law and policy have to be fixed too – wait till you hear my wild idea about what to do about the problematic “3rd Party Doctrine.”