First, separate offline networks and the most advanced network security ever conceived will be put in place at this new datacenter.
If you're thinking that a reverse engineered Stuxnet might be able to hop over to the secure network, I doubt it, and even if it does then what will it do to transmit the data out?
It is slightly insulting to the engineers and security experts whose full-time job is to keep the NSA secure, but I suppose this scenario is worth discussing just in case someone thinks of a clever way which the NSA has not.
The most vulnerable aspect is any remote access either to company servers or to the NSA search tools. I would hope that a data dump or unrestricted access to the NSA's "database" would be completely impossible. Even with extensive insider knowledge of the Utah datacenter's systems, an ex-employee would have zero chance of gaining unauthorized access.
Especially funny (in a way) at a time where leaks of secret/classified data and information are becoming endemic.
I find the idea of a super-fortress of data a bit far-fetched to begin with, that such a place would be government run seems even more ridiculous.
The NSA has computer security technology that the public and other government do not. They also have an unfathomable amount of processing power without the Utah data center (Tordella).
What Congress in their right mind would slash the NSA's budget and put the entire nation at risk?
Also, it isn't a set fact of life that all government agencies / programs are inefficient and incompetent.
Humanity can often get it wrong.
It's a truism in computing that the only really secure computer is one that has been disconnected from the network, turned off, encased in solid concrete, and sunk to the bottom of the ocean.
Even then, better hope James Cameron doesn't want what's inside.
I'm sure NSA's security people are aware of this. If they are not, then they're not very good at their job.
And yes, it is insulting. The NSA has been at the forefront of encryption and network security for the past 60 years.
Am I giving the NSA too much undeserved credit?
How about the ramifications of the pipes created for NSA, getting leveraged by other actors?
What happens when a rogue employee hacks the infrastructure created for providing the pipe to NSA?
What if a group of such rogue employees across multiple companies act in concert, maybe creating a cartel?
Such things have the potential to remain unnoticed for a pretty long time, ruining lives of innocent people.
Now, let's replace the word rogue with innocent and intelligent but cleverly manipulated by a sophisticated player and the scenario reads bleaker.
To believe that such things haven't happened before or aren't happening now, in some part of the world, will be pointless.
Consider a scenario in developing countries: let's say you wrote some piece of code (unrelated to telecom) for a businessman. Let's also say that the businessman runs many companies, one of which provides BPO services to telecom companies. Let's say that the businessman wants to exploit you. He can very well track your location using the network of the telecom company without that company knowing it, let alone the law enforcement officials. He can remain under the radar because the request can be clubbed with other legitimate ones.
This is not just a US problem, it's a global problem.
It is precisely for such reasons that we need a manifesto about data collection policies, like "Do No Evil" or "The Patent Pledge."
I still don't see the legitimacy of the US government accessing citizens' data. Perhaps it's because I'm from a European country, and governments in Europe have laws to protect citizens' private data.
I agree with you. My point was related to a legitimate telecom request, for example to track the telephone of a person declared missing.
Since we are probably talking about petabytes of data, this would not be a one-time download, but would require continuous access to query the dataset interactively, which wouldn't be hard to detect if you are on the lookout for it.
And what happens when it actually gets hacked? Nothing. Nobody will come out and say "our bad we shouldn't have collected and stored all this sensitive data". Heck, you would be lucky if it's not used as evidence for why further pushes for massive surveillance are needed.
Then there is also the issue that even though the data might be stored with good intentions today, we don't know who is going to be in charge tomorrow, or after that. Whatever Obama promises only lasts until somebody else becomes president, who thinks that all this data that is already stored and ready, should be used in new interesting ways. The data doesn't even need to leak and be hacked for it to be misused, when the owners of the data are in constant flux.
I would find it somewhat relieving to find out that the NSA is run better than the rest of the government, but I don't see any reason to believe that's the case. If anything, they are likely as over-confident and technically out-of-touch at the higher administrative levels as their peers.
Also another possible threat scenario would be a spearphishing attack that would plant a virus on the network which would slowly (in botnet fashion) access pieces and send it to China a little bit at a time, uncoordinated, many little connections inside the network.
Ask yourself, if you had unlimited funds, spies in the US, and so forth, how would you attack the NSA? Those resources make a sophisticated and successful large-scale attack a lot more possible and feasible.
http://www.washingtonpost.com/world/national-security/chines...
And in Denmark, hackers gained full access to many security services databases, among others the European 'most wanted' database, the driver's license database, passwords of 10'000 password officers etc.:
http://www.berliner-zeitung.de/politik/hacker-angriff-datenl...
(Newspaper article in German, sorry …)
They'll just make the "cyberwarfare" campaign even louder, and say how new laws and bigger budgets are needed to keep you safe (and of course continue their spying and their hacking on others).
The "cyberwarfare" will be the new war on terror, 5-10 years from now.
Yes, just like the war on terror is the new war on communism.
By 1990, all the defence contractors figured out that without a boogeyman to scare people with, the US government has a lot of things it would rather spend money on than billable hours.
Probably not. Doesn't that just make the whole thing even more of a bad idea though?
Imagine if the US hacked into the Russian data repository on their citizens?
I'm sure it's already happened, and I'm sure it is not a huge coincidence that Google and Facebook are not the biggest search / social networking companies in those countries.
No idea about the others mentioned.
Oh and what about if those countries' respective agencies have an agreement to share certain data amongst each other to make things a little easier?
"You're copying all of my private data from several sources to the NSA, what if another country hacks that and copies it?" "No worry, we can hack them and copy their citizens' data too"
I fail to see how to answer the concern for the question, or how that should be reassuring in any way. That we can, or cannot, or already do similar data repository in other countries is irrelevant to the question "should all of my data be aggregated in a single juicy store".
I'm not even sure I agree with OP's premises (especially since I'm a European, for me the NSA thing is a foreign government spying on me and I expect the EU new data privacy laws to be much more strict than the safe harbor joke we've had so far), but your answer doesn't address it at all.
Furthermore, the article assumes that an adversary somehow gets the data. We're probably talking about petabytes of storage, how on earth could you get hold of all that data? Download it? That would raise a gazillion alarms.
It's worth noting that having a Top Secret clearance does not automatically mean you have access to all information classified as Top Secret.
http://en.wikipedia.org/wiki/Classified_information_in_the_U...
This is useful information. Having access to someone's social graph and contact list could go a long way to subverting dissidents.
If by chance NSA is aiding Russia and China by helping them secure internal stability and giving them more energy to play on the international scene is rather ironic.
Also it is not about downloading. Think about the things you could do by just altering the data.
But I don't find it much more terrifying than people in our own government having that power.
http://www.schneier.com/blog/archives/2007/07/story_of_the_g...