What If China Hacks the NSA's Massive Data Trove?

What if China hacks Google&#x27;s data trove? Oh, that already happened:<p><a href="http:&#x2F;&#x2F;www.washingtonpost.com&#x2F;world&#x2F;national-security&#x2F;chinese-hackers-who-breached-google-gained-access-to-sensitive-data-us-officials-say&#x2F;2013&#x2F;05&#x2F;20&#x2F;51330428-be34-11e2-89c9-3be8095fe767_print.html" rel="nofollow">http:&#x2F;&#x2F;www.washingtonpost.com&#x2F;world&#x2F;national-security&#x2F;chines...</a><p>And in Denmark, hackers gained full access to many security services databases, among others the European &#x27;most wanted&#x27; database, the driver&#x27;s license database, passwords of 10&#x27;000 password officers etc.:<p><a href="http:&#x2F;&#x2F;www.berliner-zeitung.de&#x2F;politik&#x2F;hacker-angriff-datenleck-in-daenemark,10808018,23161384.html" rel="nofollow">http:&#x2F;&#x2F;www.berliner-zeitung.de&#x2F;politik&#x2F;hacker-angriff-datenl...</a><p>(Newspaper article in German, sorry …)

<i>According to the Washington Post, &quot;An estimated 854,000 people, nearly 1.5 times as many people as live in Washington, D.C., hold top-secret security clearances.&quot;</i><p>It&#x27;s worth noting that having a Top Secret clearance does not automatically mean you have access to all information classified as Top Secret.<p><a href="http:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;Classified_information_in_the_United_States#Sensitive_Compartmented_Information_.28SCI.29_and_Special_Access_Programs_.28SAP.29" rel="nofollow">http:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;Classified_information_in_the_U...</a>

The scenario that a bigger adversary gaining access to the data is definitely troublesome. We also need to consider other scenarios.<p>How about the ramifications of the pipes created for NSA, getting leveraged by other actors?<p>What happens when a rogue employee <i>hacks</i> the infrastructure created for providing the pipe to NSA?<p>What if a group of such rogue employees across multiple companies act in concert, may be creating a cartel?<p>Such things have the potential to remain unnoticed for a pretty long time, ruining lives of innocent people.<p>Now, let&#x27;s replace the word <i>rogue</i> with <i>innocent and intelligent but cleverly manipulated by sophisticated player</i> and the scenario reads bleaker.<p>To believe that such things haven&#x27;t happened before or aren&#x27;t happening now, in some part of the world, will be pointless.<p>Consider a scenario in developing countries: let&#x27;s say you wrote some piece of code (unrelated to telecom) for a businessman. Let&#x27;s also say that the businessman runs many companies, one of which provides BPO services to telecom companies. Let&#x27;s say that the businessman wants to exploit you. He can very well track your location using the network of the telecom company without <i>that</i> company knowing it, let alone the law enforcement officials. He can remain under the radar because the request can be clubbed with other legitimate ones.<p>This is not just a US problem, it&#x27;s a global problem.<p>It is precisely for such reasons, that we need a manifesto about data collection policies, like &quot;Do No Evil&quot; or &quot;The Patent Pledge.&quot;

The fact you are paranoid doesn&#x27;t mean that there is not someone out there to get you.<p>This is useful information. Having access to someones social graph and contact list could go a long way to subverting dissidents.<p>If by chance NSA is aiding Russia and China by helping them secure internal stability and giving them more energy to play on the international scene is rather ironic.<p>Also it is not about downloading. Thing about the things you could do by just altering the data.

Do not mistake the NSA&#x27;s security to that of your average government office.<p>Since we are probably talking about petabytes of data, this would not be a one-time download, but would require continuous access to query the dataset interactively, which wouldn&#x27;t be hard to detect if you are on the look out for it.

What&#x27;s more likely is, convinced they&#x27;re legally obliged to turn over data to anyone with a plausible government letterhead, private companies start being subjected to an enormous amount of false flag &#x2F; social engineering attacks.

Do you think they&#x27;ll ever admit they are responsible for something like that?<p>They&#x27;ll just make the &quot;cyberwarfare&quot; campaign even louder, and say how new laws and bigger budgets are needed to keep you safe (and of course continue their spying and their hacking on others).<p>The &quot;cyberwarfare&quot; will be the new war on terror, 5-10 years from now.

What would happen? Well then they&#x27;d have an almost unlimited supply of individuals within our institutions whom they could easily blackmail and use to subvert those institutions.<p>But I don&#x27;t find it much more terrifying than people in our own government having that power.

As with any juicy enough collection of data, the relevant question is not &quot;what if an adversary gains access&quot; but &quot;when&quot;.

That&#x27;s part of the reason for the Utah datacenter. Consolidating several NSA datacenters around the country into one super-secure fortress.<p>First, separate offline networks and the most advanced network security ever conceived will be put in place at this new datacenter.<p>If you&#x27;re thinking that a reverse engineered Stuxnet might be able to hop over to the secure network, I doubt it, and even if it does then what will it do to transmit the data out?<p>It is slightly insulting to the engineers and security experts whose full-time job is to keep the NSA secure, but I suppose this scenario is worth discussing just in-case someone thinks of a clever way which the NSA has not.<p>The most vulnerable aspect is any remote access either to company servers or to the NSA search tools. I would hope that a data dump or unrestricted access to the NSAs &quot;database&quot; would be completely impossible. Even with extensive insider knowledge of the Utah datacenters systems, an ex-employee would have zero chance of gaining unauthorized access.

It wouldn&#x27;t be the first time an unintended party gained access to unsuspecting parties&#x27; personal information via government surveillance systems. The Prime Minister of Greece, among others, had their cellphones tapped by a hacker using a law enforcement agency&#x27;s backdoor.<p><a href="http:&#x2F;&#x2F;www.schneier.com&#x2F;blog&#x2F;archives&#x2F;2007&#x2F;07&#x2F;story_of_the_gr_1.html" rel="nofollow">http:&#x2F;&#x2F;www.schneier.com&#x2F;blog&#x2F;archives&#x2F;2007&#x2F;07&#x2F;story_of_the_g...</a>

Imagine if the US hacked into the Chinese data repository on their citizens?<p>Imagine if the US hacked into the Russian data repository on their citizens?<p>I&#x27;m sure it&#x27;s already happened, and I&#x27;m sure it is not a huge coincidence that Google and Facebook are not the biggest search &#x2F; social networking companies in those countries.<p>No idea about the others mentioned.<p>Oh and what about if those countries respective agencies have an agreement to share certain data amongst each other to make things a little easier?

We don&#x27;t even know if this thing has a public interface and even if it did access would probably be limited to a couple dozen IPs.<p>Furthermore, the article assumes that an adversary gets somehow the data. We&#x27;re probably talking about petabytes of storage, how on earth could you get hold of all that data? Download it? That would raise a gazillion alarms.

Sounds like the Cold War line of thinking. It was Russia then, now China takes over the place. What if Country_X does Y? Oh we must keep up the pace! What history tells me is when a government starts to draw people&#x27;s attention to some public enemy abroad, usually it has some ax to grind and some shit to hide.

It&#x27;s more a question of &quot;when&quot;, not &quot;if&quot;.

I&#x27;d doubt that&#x27;s possible. The NSA has the best mathematicians and cryptologists in the world. They probably also have the most.

Or have they already done that