U.S. spy agencies ... email for cybersecurity

Jerry Dixon jerry at jdixon.com
Wed Jul 11 14:08:01 UTC 2012

It's more of a strategy to centralize protection efforts versus using a
de-centralized approach.  I want go into the scalability issues and also
"scope" creep aspects however, as Chris points out, it would be far better
to share indications & warnings with organizations that can leverage their
own security infrastructure to protect themselves.  Organizations have
different risk management profiles meaning they know what is important to
protect to sustain their business and will make decisions based off of

You can share this information automated style depending on your level of
trust of what is being provided so things can move at the speed of light so
to speak however this is still, yet another, reactive approach.  We all
know the issues of signature based systems.  However, their intent is good
and all about protecting the country.  The approach can be debated though :)


On Mon, Jul 9, 2012 at 11:22 PM, Christopher Morrow <morrowc.lists at gmail.com
> wrote:

> (note, people ought to: 1) think about this on their own making up
> their own minds, 2) understand that the press has some very weird
> ideas, 3) take some better protections on their own, for their own
> security)
> also, I'm not judging the OP nor the reporter nor the ideas espoused
> in the article/clips...
> On Mon, Jul 9, 2012 at 9:46 PM, William Allen Simpson
> <william.allen.simpson at gmail.com> wrote:
> > Somebody needs to give them a clue-by-four.  The private sector
> people keep trying, sometimes it's helped. sometimes reporters need to
> sell stories :(
> > already has the "Internet address where an email ... originated";
> it's not just email they care about :( (you knew that I think)
> > it's already in the Received lines.  We don't need to be informed
> > about it, we already inform each other about it.
> one interesting idea, that has proven out some merit over the years is
> the ability to share 'incident' data across entry points (say across
> companies, or gov'ts even) about 'bad things' that are happening.
> Take the case of 'spam came in from this end system to my mailserver',
> if I tell you that (or some central system that which you can query)
> you'll learn that maybe the inbound connection to you is also
> spam-rich.
> > And it's already delivered "at network speed."
> >
> the article sort of reads like the above scenario though... maybe it's
> NOT that, maybe it's something else entirely... it SEEMS that the
> gov't wants to help. They may be able to, they may just foul things
> up. The reporter certainly didn't leave enough details in place to
> tell :(
> > It is my understanding the Dept of Homeland Security already
> > cooperates in sharing government intrusion information.  We certainly
> > don't need a "U.S. spy agency" MITM to "protect the private sector."
> <http://en.wikipedia.org/wiki/Einstein_%28US-CERT_program%29>
> you may mean? could be... the wikipedias are sometimes wrong, or so
> says the teacher of my 7yr old.
> > Moreover, the US is the source of most spam and malware, so the NSA
> > isn't really going to be much help.  And the US is the source of the
> but hosts in the US that are botted/spamming, also spam/bot other
> things outside the US, right? so really who cares where the src is,
> get some data collection points up and use that data to inform your
> security policy, no? (sure, you'll have to have some smarts, and some
> smart people, and be cautious... but you'd do that anyway, right? :) )
> These folks have some awesome tech for that sort of data collection
> and analysis:
>  <http://en.wikipedia.org/wiki/SHERIFF>
> it's a shame that their parent company can't find a way to monetize
> that sort of thing. (the article there talks about some older version
> of the system, which is still alive/well today doing fraud detection
> and was doing some IDS/anomaly-detection-like work as well for ip
> network things)
> > only known cyber attacks on other country's infrastructure, so it's
> > not likely much help there, either.  Unless they expect retaliation?
> >
> > ===
> >
> >
> http://in.reuters.com/article/2012/07/10/net-us-usa-security-cyber-idINBRE86901620120710
> >
> > U.S. spy agencies say won't read Americans' email for cybersecurity
> > 8:48pm EDT
> >
> > By Tabassum Zakaria and David Alexander
> >
> > WASHINGTON (Reuters) - The head of the U.S. spy agency that eavesdrops on
> > electronic communications overseas sought on Monday to reassure Americans
> > that the National Security Agency would not read their personal email if
> > a new cybersecurity law was enacted to allow private companies to share
> > information with the government.
> > ...
> >
> > But to help protect the private sector, he said it was important that the
> > intelligence agency be able to inform them about the type of malicious
> translated: "Hey, what if we could tell our private sector partners
> (Lockheed-Martin, for instance) that they should be on the lookout for
> things like X, or traffic destined to Y, or people sending all their
> DNS queries to these 5 netblocks." (dcwg.org sorta crap)
> that doesn't sound 'bad', it sounds like there is a gap in the
> business world to wrap all this data up and sell access to it... but
> the gov't can jump in with their mountains of data from their
> 'einstein' or whatever and go to town protecting their 'partners' who
> have often close interactions with the gov't, right?
> > software and other cyber intrusions it is seeing and hear from companies
> > about what they see breaching the protective measures on their computer
> > networks.
> adding to the above: "What if we had an API such that you could feed
> your collected alarm/alert/badness data to us as well? and we could
> feed that back into our system, protect ourselves AND send it back out
> to the other partners?"
> again, that's not that bad, really it sounds pretty cool... only if
> MCI could have found a way to productize and monetize that... which we
> built for them too :( but I digress.
> > "It doesn't require the government to read their mail or your mail to do
> > that. It requires them, the Internet service provider or that company, to
> > tell us that that type of event is going on at this time. And it has to
> be
> > at network speed if you're going to stop it," Alexander said.
> alexander is loose with his pronouns, which makes this worse... in
> reality: "send your alarm data to our system, hurrah!", PROBABLY this
> could include large ISP people if the pricing (or regulatory world
> were right), these folks COULD of course limit that to 'business isp
> traffic only', maybe.
> this sounds a little less on the ball though, so I'll blame bad
> reporter-translation, and hope that Alexander really meant: "Our
> partners in the industry, who help supply us and build our widgets for
> us, would be enabled to send data into our API..."
> >
> > He said the information the government was seeking was the Internet
> > address where an email containing malicious software originated and
> > where it traveled to, not the content of the email.
> I'm sure this was simply an example... and the reporter jumped on it
> like a carnivore, poor job reporter! :(
> > ...
> >
> > But the U.S. government is also concerned about the possibility of a
> cyber
> > attack from adversaries on critical infrastructure such as the power
> grid or
> > transportation systems.
> yes, put in the boogie-man! also, keep in mind that CI things are ...
> in a horrid state, and as it turns out the folk running it are
> ostriches :(
> -chris

jerry at jdixon.com

More information about the NANOG mailing list