Future Tense

This Rumored Recommendation for NSA Reform Is a Horrible Idea

The rumored recommendations made by a presidential task force on the National Security Agency’s surveillance efforts include some sensible suggestions—like more direct oversight by the White House of certain sensitive programs. But according to the early reports, the recommendations may also include one deeply misguided and troubling idea to divide the agency and thereby handicap its ability to perform both its defensive and offensive roles. The Wall Street Journal reports that one of the soon-to-be announced recommendations “would split the code-making component of NSA, known as the Information Assurance Directorate, from the rest of the agency.” (This recommendation to split up the signals intelligence gathering and information assurance branches of the NSA is separate from the apparently already-dismissed recommendation that the NSA be placed under separate direction from the U.S. Cyber Command.)

The Information Assurance Directorate is the arm of the NSA responsible for defense. While other parts of the agency try to target, intercept, and decrypt sensitive information belonging to foreign governments and potential enemies, the Information Assurance team is in charge of making it as difficult as possible for anyone—including those same foreign governments and potential enemies—to do the same to U.S. national security systems and information. Theirs is the hardest job at the agency, both because it’s typically easier to break into information systems than it is to protect them, and because their mission is sometimes at odds with that of their counterparts. When the NSA discovers new security vulnerabilities in information and communications systems, they simultaneously open up new ways into systems belonging to others and identify ways in which our own systems could be penetrated. At that point, the agency can take either an offensive approach—exploiting these vulnerabilities to learn as much as possible about others—or a defensive one—alerting necessary parties to patch the problem before it can be exploited by others.

The presidential task force may have a legitimate concern that the voice of the Information Assurance Directorate is not loud enough in these debates. Documents leaked by Edward Snowden seem to suggest that the NSA is much more focused on information gathering than building up U.S. defenses. However, splitting these two branches into separate organizations would not help that situation—it would only exacerbate it. The only way to know whether your defenses are any good is to know whether they’ve been broken and what you’re defending against—to be in constant communication with the people in charge of breaking them, in other words.

The skills and perspectives of the people at the NSA who defend sensitive U.S. government information and the people who collect sensitive information belonging to other parties are inextricably linked and mutually beneficial. If anything, the Snowden leaks suggest that there is too great a divide between these two groups at the NSA already, that there may not be sufficient attention paid to the negative defensive consequences of building vulnerabilities into popular products and services.

The task force is not wrong to consider ways of strengthening that defensive posture and making sure that the Information Assurance Directorate has the necessary resources and influence within the NSA to perform its mission and make its voice heard. But, if the rumors are true, then the task force’s proposed solution could well create more problems than it solves.