I’d like to think Noah Shachtman started to think seriously about his latest policy proposal around the time he wrote this policy memo for PPI in January. But it’s more likely he had been chewing over the idea — articulated in the current issue of Wired magazine — to break up the National Security Agency (NSA) far earlier.
It’s a fairly daring proposal on the surface because, after all, even those of us who have worked in the intelligence community don’t have a great handle on what makes the NSA tick. Dissemination of intelligence products is so tightly controlled — even within the intelligence community — that we at NCIS would sometimes wonder (jokingly) if the NSA was actually on our side.
Here’s the gist:
NSA headquarters — the “Puzzle Palace” — in Fort Meade, Maryland, is actually home to two different agencies under one roof. There’s the signals-intelligence directorate, the Big Brothers who, it is said, can tap into any electronic communication. And there’s the information-assurance directorate, the cybersecurity nerds who make sure our government’s computers and telecommunications systems are hacker- and eavesdropper-free. In other words, there’s a locked-down spy division and a relatively open geek division. The problem is, their goals are often in opposition. One team wants to exploit software holes; the other wants to repair them. This has created a conflict — especially when it comes to working with outsiders in need of the NSA’s assistance. Fortunately, there’s a relatively simple solution: We should break up the NSA.
Noah advocates essentially splitting the offense (signals intelligence) from the defense (information assurance). Think of it in football terms: O and D can peacefully co-exist under a head coach in the NFL because they’re both working against a different team. But in the cyberwars, it’s unclear who the other team is, and the NSA runs the risk of putting its O and D on the field against one another.
To alleviate this problem, Shachtman wants to create a new Cyber Security Agency with the information assurance directorate. He believes the new CSA would be more trusted and thus able to coordinate better with outside cyber stakeholders. The directorates already have separate budgets and oversight, so it shouldn’t be all that painful.
That sounds about right to me. However, I should note that Noah’s piece doesn’t elaborate on the drawbacks of this approach. Is that because they’re aren’t any, or because we wouldn’t know them until it’s too late? That’s worth looking into.