Thousands of technology, finance and manufacturing companies are working closely with U.S. national security agencies, providing sensitive information and in return receiving benefits that include access to classified intelligence, four people familiar with the process said.
— Bloomberg, “U.S. Agencies Said to Swap Data With Thousands of Firms.”
Turns out what the firms are getting is not data on customers — nor, in the main, is that what they are giving. Rather, the firms are giving advance information on vulnerabilities in their systems that could be used by the TLAs¹ to get information from vulnerable systems. Plus some of the firms are allowing the feds to install monitoring equipment on their networks, ostensibly to protect against hacking, but in at least some cases with the ability to spy on message traffic.
In exchange, the firms are getting information about who, especially from abroad, is trying to hack them, and some help and advice on defending themselves.
I have no problem with the feds helping US corporations defend themselves against foreign (or domestic) hackers. I do have a problem if the price of that defense is allowing the feds access to customer data.
My first instinct is that I wouldn’t have a problem with firms like Microsoft giving advance warning about vulnerabilities to the feds — whether it is so they can harden their own systems or even if it is so they can take advantage offensively to hack into foreign targets. I would feel that way, however, only so long as I believed the program had adequate safeguards to prevent its misuse against US persons, whether at home or abroad. And, unfortunately, there is no particular reason to believe that to be the case. There is at present a lack of accountability.
1. TLA == Three Letter Agencies
Well, as you may know, NSA did make some security enhancements to Linux that were contributed back to the Linux community (per the requirements of the GNU General Public License, under which Linux is distributed). So there is that example. One can speculate whether they did so because of the GPL, though I would suggest that there was some good will involved, since nobody would have known if they did not do so (and it may not even have been a violation of the GPL if the enhancements were for NSA use and not redistribution).
However, what I find distasteful here is that (for example) Microsoft KNOWS about vulnerabilities in its software that, rather than FIX them, it simply lets Government know about. If MS were doing its job properly, the only vulnerabilities would be those discovered by third parties, because if they are known, they’re fixed.
A secondary question is whether MS is getting help from NSA fixing the vulnerabilities in its proprietary code (à la Linux, above). (I think maybe, but ultimately Windows is such an insecure O/S that it really can’t BE fixed without starting again from scratch. Were it not the de facto standard in other areas (because of “convenience”), I doubt Government would ever use it. I doubt NSA does in any real way internally.)