Three years ago, the National Security Agency publicly stated that it operates under the assumption that it is already compromised. Recent disclosures are a good reminder that when data is shared a little, it’s often difficult to keep it from being shared a lot.
“There’s no such thing as ‘secure’ any more,” the NSA’s Debora Plunkett told an audience back in 2010. “We have to build our systems on the assumption that adversaries will get in.”
Assuming systems are compromised, from an information security point of view, is a smart move, and possibly the only rational one. But such a standpoint should also play a factor in what kinds of data are collected and how long they are maintained.
And as Farhad Manjoo points out, that’s not even just a hypothetical issue — it’s at the heart of the current scandal.
Referencing Edward Snowden’s relatively junior experience and expansive access to data, Manjoo was incredulous.
“The NSA trusted its most sensitive documents to this guy?” he wrote. “And now, after it has just proven itself so inept at handling its own information, the agency still wants us to believe that it can securely hold on to all of our data? Oy vey!”
In other words, you do not have to just trust “the government” with your data when they are monitoring your communications, you have to also trust every employee they hire, even when they are in a desperate hiring mode competing with the likes of Google and Amazon while facing sequestration; you have to also trust every contractor they use; you have to trust all the groups that are, daily, trying to hack into the NSA’s various data centers and backdoors; you have to trust the employees at the various service providers who now make it easy to access this data routinely, making it a more tempting internal and external target; you have to trust whoever comes up with the requisition and sunsetting policies for the equipment that store all this data, at every point, to ensure that they buy knockoff hardware with backdoors built in or forget to full and properly erase hard disks before selling them for scrap.
In short, there is a lot of trust required, all loosely overseen by a Congress that struggles to update its iPhone apps.