NSA’s top policy advisor: It’s time to start putting teeth in cyber deterrence

How about the NSA and similar institutions in other countries don't hoard zerodays and instead actively work to improve security? Defending against hackers is a lot easier than defending against nuclear missiles. We don't need an active deterrence if the defenses are good.

&gt; Citing the WannaCry and NotPetya malware attacks<p>Wait, did he just use Wannacry as a reason for more NSA involvement in cyber defense? Wannacry exists <i>because</i> of the NSA. Its exploitation tools leaked (as it always happens, even to the NSA or the Chinese spy agencies) and then others used them to create the highly-effective Wannacry.<p>So...thanks, but no thanks NSA! You&#x27;re done enough already. Not to mention the fact that the NSA is <i>actively</i> trying to this day to sabotage security efforts both in standards bodies and in private organizations (see recent Simon and Speck controversy, or how they asked Yahoo to put a backdoor in their email servers, Dual_EC scandal, etc).

From the beginning, the NSA should have held itself to having a primary purpose of cyber defense and deterrence. Even if it has some more aggressive programs running sub rosa, those defensive programs should be its central focus, and it&#x27;d be easier to sell as a patriotic career choice if cyber defense was what the NSA was known for.<p>Now we&#x27;re left playing catch-up, and the NSA is mostly known for cyber espionage against global adversaries and domestic surveillance.

The greatest trick the SIGINT Enterprise ever pulled was convincing the world that its capabilities were in danger of being outclassed by the Chinese, Russians, Iranians, Israelis, etc. Nice to see they&#x27;re still at it.

&gt; Joyce expressed the pride the NSA&#x27;s workforce took in &quot;delivering a midterm election that was free of malfeasance and interference&quot; [...]<p>Oh, that&#x27;s good. I was just imagining all the news out of Georgia, then.

I&#x27;m not a security expert, but even a layperson has to wonder if the NSA can actually be successful.<p>Apparently, he thinks the &quot;defend forward to disrupt or halt malicious cyber activity&quot; strategy was effective for mid-terms. Was it actually? Or, did &quot;... the responses come, if ever, after the costs [of those attacks] are already realized.&quot;<p>If it was effective, how long will it take for the adversaries to work around it (which apparently he acknowledges in the last paragraph)?<p>Even if they somehow walled all traffic off from Russia and North Korea, wouldn&#x27;t they just exploiting unwitting computers as &#x27;hop points&#x27; to get around the limitations?<p>Maybe I&#x27;m missing something? Maybe there&#x27;s some &quot;teeth&quot; that can provide cyber deterrence I don&#x27;t know about?

As if the NSA wasn&#x27;t part of the problem to begin with.

Since WW2 the difference between war and peace have been more and more blurred. Proxy wars, drones and &quot;cyber warfare&quot; have made open conflicts directly between superpowers almost non-existent.<p>Classic warfare, atomic, biological and chemical weapons all have rules and a loads of regulations. The &quot;cyber&quot; sector have a long process ahead to catch up. Unfortunately no one seems interested in being really serious about it it, but I certainly wish they will start work on it.<p>Hopefully we will never experience an all-out &quot;cyber war&quot;. Probably a new kind scenario with massive damages to infra structure, lots of civilian casualties and almost no losses among military personal.

The best offense is a good defense, so the sooner they start patching software, the better. The sooner they get developers to use safer languages, the better. But that&#x27;s not gonna happen, it&#x27;s apparently too costly to develop safe and secure software, but the damage caused by poor cybersecurity is somehow an externalized cost which means it costs nothing in the current equation.

Foreign actors hacking some servers and systems and placing malware is one thing -- that&#x27;s been going on for a long time, and it&#x27;s not unexpected -- but having the insight and expertise to run a campaign that exerts more influence than the entire media and PR industry put together, well that&#x27;s something else. That would require something above and beyond -- we&#x27;re not that fragile.<p>Consider this...<p>NB: These are the same questions I posed in a thread a few days ago (<a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=19282809" rel="nofollow">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=19282809</a>).<p>Do you know the size of the Russian economy? <a href="https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;Economy_of_Russia" rel="nofollow">https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;Economy_of_Russia</a><p>How many individual US states have an economy larger than Russia? <a href="https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;Comparison_between_U.S._states_and_sovereign_states_by_GDP_(nominal)" rel="nofollow">https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;Comparison_between_U.S._states...</a><p>And the size of the PR industry? <a href="https:&#x2F;&#x2F;www.statista.com&#x2F;topics&#x2F;3521&#x2F;public-relations&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.statista.com&#x2F;topics&#x2F;3521&#x2F;public-relations&#x2F;</a><p>We invented the modern PR industry, AI, and social media. And the PR industry has been perfecting the design of campaigns for 100 years. That&#x27;s our bailiwick.<p>You think Russia outclassed us at our own game, at home on our own platforms, on the biggest stage, in the highest stakes game of all?<p>And then to pull that off with no one noticing or countering it in the most measured world of all time?<p>That would be like the Russian basketball team [0] beating the US Dream Team [1] in all of our major sports combined, at the same time. Not gonna happen.<p>And to what extent would a feat like that even be possible for someone from the US? And if some super-genius person or group of US citizens with the combination of intimate understanding, sophistication and skill did exist, then why wouldn&#x27;t they just work for the campaign? And if one in the US could pull that off, why think Russia could?<p>[0] Russian Basketball <a href="https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;Russia_national_basketball_team" rel="nofollow">https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;Russia_national_basketball_tea...</a><p>[1] US Dream Team <a href="https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;1992_United_States_men%27s_Olympic_basketball_team" rel="nofollow">https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;1992_United_States_men%27s_Oly...</a>

And here I was expecting a way to record keystroke noise via a tooth recorder.