Wednesday 25 September 2013

GCHQ and NSA outsourcing cyber security tasks to third-party vendors


mikko-hypponen
Government agencies such as GCHQ and NSA are outsourcing their requirements to private security firms to boost their cyber capabilities, according to F-Secure.
F-Secure chief research officer Mikko Hypponen (pictured left) reported uncovering evidence that the NSA's Tailored Access Operations (TAO) unit and GCHQ are outsourcing missions to third-party security companies.
"One thing I've been doing for the past two years is finding where they get their expertise from. Do they recruit in house and train? Do they go to universities?" he said.
"I found these job posts listing experience with ‘the Forte Meade customer' as a necessary skill. The Forte Meade customer is the NSA."
Hypponen confirmed to V3 that he has seen similar job posts for roles with the UK GCHQ and several other government intelligence agencies. He added that the trend is unsurprising and is simply a sign that agencies are suffering the same effects of the ongoing cyber skills gap as private industry.
"It's no wonder they're outsourcing, because they can't build or find the skills inside. If you want to have a good cyber offensive capability you need a new arsenal of exploits. You need a fresh supply of weaponised exploits, which builds a demand in the market," he said.
A lack of skilled cyber security professionals is an ongoing concern within Europe. Within the UK the government has listed plugging the gap as a key goal of its ongoing Cyber Strategy. As part of the strategy, the government has launched several education-focused initiatives designed to increase the number of young people training to enter the information security industry.
Initiatives have included the creation of new higher education centres, apprenticeship schemes and open challenges. Most recently the UK GCHQ has launched a Can You Find It challenge to help find and recruit the next generation of cyber security code experts.
Hypponen said the outsourcing is troubling as it sheds further doubt on intelligence agencies' ethics, which have come into question since the PRISM scandal. The PRISM scandal broke when whistleblower Edward Snowden leaked confidential documents proving the NSA was gathering vast amounts of web user data from tech companies such as Google, Facebook, Microsoft and Apple.
Since word of the scandal broke the NSA has attempted to downplay its significance and justify its PRISM operations, claiming its agents looked at just 0.00004 percent of global web traffic. Hypponen dismissed the NSA's arguments, claiming there is no justification for PRISM.
"As the leaks came out they tried to explain ‘they're just monitoring the foreigners', which concerned me. I'm a foreigner. But then they said it's nothing to worry about as if it's not foreigners its part of the War on Terror. But then it emerged they'd targeted the EU. It's very difficult to list spying on an ally government department as being part of the War on Terror," he said.
"The next justification was ‘everyone's doing it' and this is no different. But it is different, as no country has the visibility the US does. How many businesses use US-based companies' systems? There used to be some people using Nokia, but that's been sold to the US. Skype used to be trusted but its been sold to the States. All the world is using a US-based cloud system that the US government has a legal right to. It's not the same."
The F-Secure chief added that the NSA's behaviour is doubly troubling as it has tarnished two of the most positive technology innovations of the age. "The two greatest tools of our time have been turned into government surveillance tools. I'm talking about the mobile phone and the internet. George Orwell was an optimist. This is what's happened."
Hypponen is one of many security experts to slam the NSA over PRISM. Renowned cryptographer Bruce Schneier attacked the NSA in August over its treatment of former anonymous email service provider Lavabit, claiming the agency has "commandeered the internet".
Lavabit was an anonymising mail tool used by Snowden. Lavabit owner Ladar Levison shut the service down earlier this year claiming unspecified requests from the NSA meant continuing the service would inevitably force him to commit crimes against the American people.

No comments:

Post a Comment