U.S. code-cracking agency works as if compromised

WASHINGTON Thu Dec 16, 2010 11:33pm EST

A view from helicopter of the National Security Agency at Ft. Meade, Maryland, January 29, 2010. REUTERS/Larry Downing

A view from helicopter of the National Security Agency at Ft. Meade, Maryland, January 29, 2010.

Credit: Reuters/Larry Downing

Related Topics

WASHINGTON (Reuters) - The U.S. government's main code-making and code-cracking agency now works on the assumption that foes may have pierced even the most sensitive national security computer networks under its guard.

"There's no such thing as 'secure' any more," Debora Plunkett of the National Security Agency said on Thursday amid U.S. anger and embarrassment over disclosure of sensitive diplomatic cables by the web site WikiLeaks.

"The most sophisticated adversaries are going to go unnoticed on our networks," she said.

Plunkett heads the NSA's Information Assurance Directorate, which is responsible for protecting national security information and networks from the foxhole to the White House.

"We have to build our systems on the assumption that adversaries will get in," she told a cyber security forum sponsored by the Atlantic and Government Executive media organizations.

The United States can't put its trust "in different components of the system that might have already been violated," Plunkett added in a rare public airing of NSA's view on the issue. "We have to, again, assume that all the components of our system are not safe, and make sure we're adjusting accordingly."

The NSA must constantly fine tune its approach, she said, adding that there was no such thing as a "static state of security."

More than 100 foreign intelligence organizations are trying to break into U.S. networks, Deputy Defense Secretary William Lynn wrote in the September/October issue of the journal Foreign Affairs. Some already have the capacity to disrupt U.S. information infrastructure, he said.

Plunkett declined to comment on WikiLeaks, which has started releasing a cache of 250,000 diplomatic cables, including details of overseas installations that officials regard as vital to U.S. security.

Official have focused publicly on Army Private Bradley Manning, who is being detained at a Marine Corps base in Quantico, Virginia, as the source of the leak.

NSA, a secretive Defense Department arm that also intercepts foreign communications, conceives of the problem as maintaining the availability and assuring the integrity of the systems it guards, rather than their "security," she said.

NSA -- which insiders jokingly used to say referred to "No Such Agency" -- also focuses on standardization and auditing to hunt for any intrusions, Plunkett said. She referred to the development of sensors for eventual deployment "in appropriate places within our infrastructure" to detect threats and take action against them.

Mike McConnell, a retired Navy vice admiral who headed the NSA from 1992 to 1996, told the forum he believed no U.S. government network was safe from penetration.

A third-party inspection of major computer systems found there was none of consequence "that is not penetrated by some adversary that allows the adversary, the outsider, to bleed all the information at will," said McConnell, director of national intelligence from 2007 to 2009 and now leader of the intelligence business for the Booz Allen Hamilton consultancy.

(Reporting by Jim Wolf; editing by Todd Eastham)

We welcome comments that advance the story through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can flag it to our editors by using the report abuse links. Views expressed in the comments do not represent those of Reuters. For more information on our comment policy, see http://blogs.reuters.com/fulldisclosure/2010/09/27/toward-a-more-thoughtful-conversation-on-stories/
Comments (2)
Ralphooo wrote:
I wonder how you go about doing high-security work within a system which has already been compromised. Put out a lot of disinformation, I guess, while building a genuinely secure inner system within the compromised system.

If I were doing this, my inner system would use a lot of seriously dumbed-down technology, with no multitasking and only very simple in-house communication software when necessary. Truly dumb computers are impossible to penetrate without inside help.

It’s interesting, though, that the weak link in the diplomatic-cables fiasco has turned out to be the human part of the system. I don’t think technology alone can offer much help with that component.

At the center of all hierarchical systems there is a paradox of intent. What exactly is such a massive entity trying to accomplish? No two people will ever completely agree about the answer. As a result, any substantial human-based system will be intrinsically unreliable from someone’s point of view. You can’t write a computer program to control people’s goals and efforts, if only because those parts of us are essentially arbitrary, beyond the reach of rational calculation.

Dec 17, 2010 9:54am EST  --  Report as abuse
OneMoreThing wrote:
If NSA puts out statements that all of its systems may have been compromised, you can bet that they are trying to convince somebody that they have already broken into the most secure systems, when in fact they have broken into decoys. What better cover than an admission of vulnerability?

Dec 17, 2010 12:21pm EST  --  Report as abuse
This discussion is now closed. We welcome comments on our articles for a limited period after their publication.