United States Government Security

How the NSA's Hubris Left America Vulnerable (nytimes.com) 52

A new book promises "the untold story of the cyberweapons market — the most secretive, invisible, government-backed market on earth — and a terrifying first look at a new kind of global warfare."

Its author — a New York Times cybersecurity reporter — shares the book's story about David Evenden, a former National Security Agency analyst who later worked in Abu Dhabi: He, like two dozen other N.S.A. analysts and contractors, had been lured to the United Arab Emirates by a boutique Beltway contractor with offers to double, even quadruple, their salaries and promises of a tax-free lifestyle in the Gulf's luxury playground. The work would be the same as it had been at the agency, they were told, just on behalf of a close ally. It was all a natural extension of America's War on Terror. Mr. Evenden started tracking terror cells in the Gulf. This was 2014, ISIS had just laid siege to Mosul and Tikrit and Mr. Evenden tracked its members as they switched out burner phones and messaging apps...

Soon, though, he was assigned to a new project: proving the Emiratis' neighbor, Qatar, was funding the Muslim Brotherhood. The only way to do that, Mr. Evenden told his bosses, would be to hack Qatar. "Go for it," they told him. No matter that Qatar was also an American ally or that, once inside its networks, his bosses showed no interest in ever getting out. Before long his team at the contractor, CyberPoint, was hacking Emirati enemies, real and perceived, all over the world: Soccer officials at FIFA, the monarchy's Twitter critics, and especially Qatari royals. They wanted to know where they were flying, who they were meeting, what they were saying. This too was part of the mission, Mr. Evenden was told; it had all been cleared up high. In the War on Terror and the cyber arms market, you could rationalize just about anything.

All the rationalizations were stripped away the day emails from the first lady of the United States popped up on his screen. In late 2015, Michelle Obama's team was putting the finishing touches on a trip to the Middle East. Qatar's Sheikha Moza bint Nasser had invited Mrs. Obama to speak... And every last email between the first lady, her royal highness, and their staff — every personal reflection, reservation, itinerary change and security detail — was beaming back to former N.S.A. analysts' computers in Abu Dhabi. "That was the moment I said, 'We shouldn't be doing this,'" he told me. "We should not be targeting these people."

Mr. Evenden and his family were soon on a flight home. He and the few colleagues who joined him tipped off the F.B.I. (The agency does not comment on investigations, but interviews suggest its review of CyberPoint is ongoing.) To pre-empt any fallout, some employees came clean to Reuters. The hack of Sheikha Moza's emails with Mrs. Obama has never been reported.

It wasn't long after Mr. Evenden settled back in the states that he started fielding calls and LinkedIn messages from his old buddies at the N.S.A., still in the service, who had gotten a "really cool job offer" from Abu Dhabi and wanted his advice. By 2020, the calls had become a drumbeat.

"Don't go," he pleaded. "This is not the work you think you will be doing." You might think you're a patriot now, he wanted to warn them, but one day soon you too could wake up and find you're just another mercenary in a cyber arms race gone horribly wrong...

The author criticizes America's security establishment. "When we discovered openings in the systems that govern the digital universe, we didn't automatically turn them over to manufacturers for patching. We kept them vulnerable in the event the F.B.I. needed to access a terrorist's iPhone or Cyber Command had reason to drop a cyberweapon on Iran's grid one day..."

But the author also warns that "the potential for a calamitous attack — a deadly explosion at a chemical plant set in motion by vulnerable software, for example — is a distraction from the predicament we are already in. Everything worth taking has already been intercepted: Our personal data, intellectual property, voter rolls, medical records, even our own cyberweaponry..."

The book's title? This is How They Tell Me the World Ends.

  • by Rosco P. Coltrane ( 209368 ) on Sunday February 07, 2021 @01:16AM (#61036356)

    David Evenden, a former National Security Agency analyst

    Let me guess: soon he'll have to flee to Russia and change his name to David Snowden - cuz it's kind of colder there?

    I see a pattern here.

  • No sooner have the Abraham accords been signed and adverts for cyber-experts to get high paying work in the UAE started showing up in my feed.
  • Foreign countries? (Score:5, Insightful)

    by cowdung ( 702933 ) on Sunday February 07, 2021 @01:26AM (#61036370)

    If you're working for the NSA in cyber warfare, wouldn't it be OBVIOUS that you shouldn't accept jobs from foreign governments doing the same?

    Sheesh.

  • Hmmm. So which horseman was in charge of the cyberwarfare ending? White, red, black, pale, and...?

  • I missed something (Score:5, Insightful)

    by 93 Escort Wagon ( 326346 ) on Sunday February 07, 2021 @02:27AM (#61036424)

    Where does the "NSA's hubris" play into this particular story?

    • by flyingfsck ( 986395 ) on Sunday February 07, 2021 @04:24AM (#61036554)
      The writer doesn't know what hubris means.
    • by nagora ( 177841 )

      Where does the "NSA's hubris" play into this particular story?

      The phrase "a natural extension of America's War on Terror".

    • Re: (Score:3, Interesting)

      by AmiMoJo ( 196126 )

      They thought people would work for them for low salary out of patriotism. As soon as some other country offered them 5x as much their patriotism dried up.

      This guy decided he couldn't do the job for some reason (not sure what he expected it to be) but there will be plenty more who quite happily hacked US emails using skills that the NSA helped them acquire.

      The UK has the same problem, GCHQ doesn't pay very well and since they are basically a criminal organization at this point they only attract people who ha

    • Where does the "NSA's hubris" play into this particular story?

      The part about the NSA discovering vulnerabilities in software and keeping them to exploit later instead of alerting the vendors of that software so the vulnerabilities could be patched. The writer says this leaves us open to attacks from other countries.

    • Comment removed (Score:4, Interesting)

      by account_deleted ( 4530225 ) on Sunday February 07, 2021 @10:43AM (#61037186)
      Comment removed based on user account deletion
  • It wasn't long after Mr. Evenden settled back in the states that he started fielding calls and LinkedIn messages from his old buddies at the N.S.A., still in the service, who had gotten a "really cool job offer" from Abu Dhabi and wanted his advice.

    LinkedIn? Really?

  • by Anonymous Coward

    ***WARNING***

    If you comment on this article, you will be tracked by various agencies as a dissenter.
    Let's get smart guys! If 'they' can 'hack' all of those other networks, they can certainly hack slashdot.org. They know your email. They've subpoenaed your ISP, or Google for your email address. Unless you are one of the 4 nerds that actually walks the security walk, and covers their tracks around here, you are now in the database. Welcome friend.

    This can, and will be used against you in your next

    • by pitch2cv ( 1473939 ) on Sunday February 07, 2021 @05:22AM (#61036640)

      Actually, it wasn't NSA but GCHQ who spoofed /. and linkedin to phish Belgacom BICS NOC and to then infect BICS routers (think SWIFT, NATO, EU,..) with NSA malware. https://www.pcworld.com/articl... [pcworld.com]

      Moreover, Operation Socialist also involved reading our PM's emails and lots more. And that's just what they do to allies. https://theintercept.com/2014/... [theintercept.com]

    • You are tracked in any case.

      That is the whole point of their current technology, as they bragged with in the Snowden leaks.
      Only if you track everything can you later retroactively trace people. It's also much simpler to just record everything, then filter out later. A key big data technique that Google pioneered, is to never throw any data away. So if your code gets updated or fixed, it can reprocess all the old data.
      And in the mid-2000s, storage tech became powerful enough to actually do that.

      Also: I don't

  • by BAReFO0t ( 6240524 ) on Sunday February 07, 2021 @05:05AM (#61036612)

    Newsflash: If you work at the NSA, you are already an enemy of the citizens of the United States of America, and every other country and person on the planet anyway. A hostile enemy combatant. A totalitarian state terrorist.

    It does not matter if you work for the NSA itself, one of its dingleberries, its "allies", or the Chinese, Russian, Saudi, Israeli or whatever equivalent of it, or worked for the Gestapo previously. It's all the same.

    And thanks to Snowden, we have hard, irrefutable proof.

    So quit deluding yourself.
    I get that you believe you are a good guy. But your actions are the opposite. So prove you are *actually* good, and start siding with the *people* and their rights!

    _ _ _ _
    INB4 being booed off stage for siding with the people that are doing said booing. ^^

  • by gweihir ( 88907 ) on Sunday February 07, 2021 @05:11AM (#61036620)

    What leaves the US vulnerable is what leaves anybody else vulnerable: Crappy IT security and "executives" that are just interested in their next bonus, but not the welfare of their companies.

  • by nagora ( 177841 ) on Sunday February 07, 2021 @06:14AM (#61036724)

    "He, like two dozen other N.S.A. analysts and contractors, had been lured to the United Arab Emirates by a boutique Beltway contractor with offers to double, even quadruple, their salaries and promises of a tax-free lifestyle in the Gulf's luxury playground."

    So, Aristagoras says, well, you know it’s not really so bad; they got this good road, besides I have here some several minae of silver that I’m glad to give to you, you might want to think again; and he keeps raising the amount that he’s prepared to bribe Cleomenes. At a certain point, Cleomenes’ little daughter, Gorgo, has been sitting there all the time, and being a Spartan girl, she gets up to her father and says, father ask this man to leave at once or he will corrupt you. Cleomenes accepted the admonition from his nine year old daughter and sent Aristagoras away.

    (source for this telling: https://brewminate.com/the-gra... [brewminate.com]).

  • "Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety". Benjamin Franklin. And yep, I know the original context was different, but it's perfect for our days.
  • First sign those people were broke, why would anyone want to go to a prison like the UAE. It's either hot or shopping malls....pathetic life.
    • by couchslug ( 175151 ) on Sunday February 07, 2021 @11:34AM (#61037328)

      You need not be "broke" to work in UAE for a year or two, and gobs of money from a US ally are quite reasonable incentive. The global expat community working for the US, allies, ARAMCO etc isn't small.

      If you don't care about the heat (it's less nasty than many areas of the US which are far more humid) and work indoors where heat isn't an issue, why not? (I spent nine months at Al Dhafra and even tent city wasn't particularly uncomfortable but I'm not hypersensitive.)

      There's no need to care about local culture or lack of places to go if your job is techy fun. A year or two (often more) away from the US is nothing if you're set for life afterwards. Workers can fly anywhere they like while on leave and Europe is a common destination. Tourism works better with money. The expat world isn't for everyone but it's not at all difficult for thousands of well-paid professionals.

      • > You need not be "broke" to work in UAE for a year or two, and gobs of money from a US ally are quite reasonable incentive.

        Of course it is if you are a prostitute and will sell out your time with family and friends for some money.

        > If you don't care about the heat (it's less nasty than many areas of the US which are far more humid) and work indoors where heat isn't an issue, why not? (

        Because I have a life, there's more to do than just work.

        > There's no need to care about local culture or
  • by AlexHilbertRyan ( 7255798 ) on Sunday February 07, 2021 @08:09AM (#61036882)
    in the same sentence ?

    I find it hard to believe...anyone could possibly think that.
  • The NSA (Score:5, Funny)

    by e3m4n ( 947977 ) on Sunday February 07, 2021 @09:53AM (#61037080)

    The only government agency that actually listens to you.

  • Reading above summary got me thinking of back in the 1930s the FBI focused on Bonnie & Clyde, Pretty Boy Floyd, Public Enemy #1 John Dillinger, and few others. But these crooks were basic bank robbers, yes dangerous but a far more devastating band of crooks was organized crime associates which FBI ignored until 1970s. Sounds like many in NSA so focused on terrorists of the stereotypical type, they completely missed much larger state organizations.
  • The head of the NSA is a general.

    Generals hold to the adage that "The best defense is a good offense", which may well be true in traditional warfare, but it's not true in the NSA's field.

    So the NSA focuses on offense and leaves the USA's barn doors wide open.
