The title is derived from an apocryphal saying that has many variations: "The Air Force builds weapons; the Navy builds targets". That's a restatement of a dilemma which has confronted military strategists since Sun Tzu, and probably before: will something built for offense be turned into a defensive liability by the adversary?
We're now witnessing the latest incarnation of this problem: the feds are busy trying to build massive data acquisition and analysis mechanisms, putatively in order to defend the country. There are Cyber Strike Command this and Anti-Terror Task Force that and all of them are getting their hands on email, voice, fax and other communications data -- with, as we now know, the illegal assistance of the telecom industry.
But put aside for a moment the whole FISA debacle and turn your attention, if you will, to another question: even if we optimistically presume that they have the very best of intentions and the highest standards of integrity, are they building a weapon or a target?
The answer, sadly, very much appears to be the latter. Which means that not only are American taxpayers funding the chilling invasion of privacy that all this represents, they're funding it for other governments.
To explain this, I'm going to pull together some points from three other diaries, and then add some new information. In "Asst. AG admits: it's not phones calls, it's email", I discussed remarks by Assistant Attorney General for National Security Kenneth Wainstein which strongly suggest that email is just as much, or more, of an acquisition priority for the NSA et al. as voice traffic. In "Feds' back door + more FBI privacy violations = serious trouble" we find that the feds have a back door into a "major wireless carrier" -- thought to be Verizon -- thanks to a whistleblower who's come forward with an affidavit describing his firsthand experience with it. And on the same day, the Washington Post carried yet another acknowledgment by the FBI that telephone records, credit reports, and 'net traffic were improperly accessed by people within their organization. And in "How Room 641A Proves You're a Terrorist", I explained how there are now a huge number of fully-compromised computer systems scattered all over the world -- and near the end of that, I said:
The feds keep earning "F" grades in IT security from the GAO year after year. There are two reasons for this: first, the GAO is being generous. Second, there isn't a lower grade available.
So what possible reason does anyone have to believe that the feds are the only ones tapped into the output of Room 641A?
After all, building and maintaining all that infrastructure is expensive and tedious. A much faster path to the goal, if you're the real bad guys that we're supposedly trying to catch, is to let someone else do it for you at their expense, and then just skim the results.
So as bad as you feel about having all this data in the hands of the nascent fascists running the country at the moment, as awful as the consequences might be for anyone framed by it, how do you feel about having it in the hands of people who will sell it wholesale to anyone with cash-in-hand?
With all that as background, let's now fold in this (via Ars Technica): Pentagon attack last June stole an "amazing" amount of data, where we learn:
On June 22, 2007, Defense Secretary Robert Gates acknowledged that the Pentagon's network had been successfully attacked the previous Wednesday, and that this attack was responsible for a disruption in email service to some 1,500 Pentagon employees. At the time, Gates downplayed the attack, saying that it affected only the OSD's (Office of the Secretary of Defense) non-classified e-mail service and that there was "no anticipated adverse impact on ongoing operations." It seems that the adverse impact of the June attack may have been much greater than Gates' early guidance implied. According to a top DoD technology official quoted at GovernmentExecutive.com, the thieves behind that attack seized an "amazing amount" of data.
The Ars Technica article goes on to engage in the customary speculation about who might be responsible for this, and references another article on the same site: Pentagon hacked, Chinese Army suspected: report. Related but slightly different speculation by CNN also points to China, but to groups of independent hackers who may or may not be funded by the Chinese government. Additional, fascinating reading on this same subject may be found at The Dark Visitor, whose tag line is that it's "Tracking the history, organization, exploits and government affiliation of Chinese hackers".
Now either this theory is correct or it's not. If it's correct, then your private data is as available to China's spooks as it is to our spooks. In one sense, this isn't as bad: their spooks are unlikely to care that you're having an affair, cheating on your income taxes, criticizing the US government, or anything else that our spooks might care about. They're probably looking for data that has strategic value, and with few exceptions, we're not important enough to have any. Oh, it's possible they might use it to blackmail us, but few of us know anything or have access to anything that would make that worth the effort.
But suppose it's not correct. Then who's got that data?
It could be anyone. Schoolhouse Rock said "knowledge is power", and another way of putting that is "information is money". Data brokers like The Russian Business Network provide highly efficient marketplaces for the buying and selling of bulk data, so there's certainly ample profit motivation for anyone with the skills and nerve to acquire it. There are customers of all descriptions -- spammers, phishers, scammers -- quite willing to pay top euro for data they can use. And they have very different goals than the strategic thinkers inside China's government: they really are after you, because that's how they make their money.
There's also a third possibility: what if both of these are true? What if the same poor security that may have allowed China-based/funded hackers in also allowed other hackers? Or what if the freelancers working for the Chinese government made a side deal to pad their income? Or what if... well, you can see where this is going. The problem is that once it's known that the data is out -- and it is -- it's extremely difficult to know where it's gotten to, or what uses it may be put to. The toothpaste does not fit back in the tube.
Which brings me back around to the subject of this diary. It seems that our spooks have been so busy thinking of their projects as weapons that they didn't stop to think about them as targets. Or if they did, they certainly didn't defend them adequately. Either way, the end result is the same: at least some of our private data is very likely in the hands of an unfriendly foreign government, and quite possibly in the hands of an unknown number of third parties. And all of this is based just on what's publicly known. The real picture (as anyone who works in IT security is sadly aware) is almost certainly much worse.