When it comes to the U.S. government’s computer security, we in the tech press have a habit of reporting only the bad news—for instance, last year’s hacks into Oak Ridge and Los Alamos National Labs, a break-in to an e-mail server used by Defense Secretary Robert Gates … the list goes on and on. Frankly that’s because the good news is usually a bunch of nonevents: “Hackers deterred by diligent software patching at the Army Corps of Engineers.” Not too exciting.
So, in the world of IT security, it must seem that the villains outnumber the heroes—but there are some good-guy celebrities in the world of cyber security. In my years of reporting on the subject, I’ve often heard the National Security Agency’s red team referred to with a sense of breathless awe by security pros. These guys are purported to be just about the stealthiest, most skilled firewall-crackers in the game. Recently, I called up the secretive government agency and asked if it could offer up a top red teamer for an interview, and, surprisingly, the answer came back, “Yes.”
What are red teams, you ask? They’re sort of like the special forces units of the security industry—highly skilled teams that clients pay to break into the clients’ own networks. These guys find the security flaws so they can be patched before someone with more nefarious plans sneaks in. The NSA has made plenty of news in the past few years for warrantless wiretapping and massive data-mining enterprises of questionable legality, but one of the agency’s primary functions is the protection of the military’s secure computer networks, and that’s where the red team comes in.
In exchange for the interview, I agreed not to publish my source’s name. When I asked what I should call him, the best option I was offered was: “An official within the National Security Agency’s Vulnerability Analysis and Operations Group.” So I’m just going to call him OWNSAVAOG for short. And I’ll try not to reveal any identifying details about the man whom I interviewed, except to say that his disciplined, military demeanor shares little in common with the popular conception of the flippant geek-for-hire familiar to all too many movie fans (Dr. McKittrick in WarGames) and code geeks (n00b script-kiddie h4x0r in leetspeak).
So what exactly does the NSA’s red team actually do? They provide “adversarial network services to the rest of the DOD,” says OWNSAVAOG. That means that “customers” from the many branches of the Pentagon invite OWNSAVAOG and his crew to act like our country’s shadowy enemies (from the living-in-his-mother’s-basement code tinkerer to a “well-funded hacker who has time and money to invest in the effort”), attempting to slip in unannounced and gain unauthorized access.
These guys must conduct their work without doing damage to or otherwise compromising the security of the networks they are tasked to analyze—that means no denial-of-service attacks, malicious Trojans or viruses. “The first rule,” says OWNSAVAOG, “is ‘do no harm.’” So the majority of their work consists of probing their customers’ networks, gaining user-level access and demonstrating just how compromised the network can be. Sometimes, the red team will leave an innocuous file on a secure part of a customer’s network as a calling card, as if to say, “This is your friendly NSA red team. We danced past the comical precautionary measures you call security hours ago. This file isn’t doing anything, but if we were anywhere near as evil as the hackers we’re simulating, it might just be deleting the very government secrets you were supposed to be protecting. Have a nice day!”
I’d heard from one of the Department of Defense clients who had previously worked with the NSA red team that OWNSAVAOG and his team had a success rate of close to 100 percent. “We don’t keep statistics on that,” OWNSAVAOG insisted when I pressed him on an internal measuring stick. “We do get into most of the networks we target. That’s because every network has some residual vulnerability. It is up to us, given the time and the resources, to find the vulnerability that allows us to access it.”
It may seem unsettling to you—it did at first to me—to think that the digital locks protecting our government’s most sensitive information are picked so constantly and seemingly with such ease. But I’ve been assured that these guys are only making it look easy because they’re the best, and that we all should take comfort, because they’re on our side. The fact that they catch security flaws early means that, hopefully, we can patch up the holes before the black hats get to them.
And like any good geek at a desk talking to a guy with a really cool job, I wondered just where the NSA finds the members of its superhacker squad. “The bulk is military personnel, civilian government employees and a small cadre of contractors,” OWNSAVAOG says. The military guys mainly conduct the ops (the actual breaking and entering stuff), while the civilians and contractors mainly write code to support their endeavors. For those of you looking for a gig in the ultrasecret world of red teaming, this top hacker says the ideal profile is someone with “technical skills, an adversarial mind-set, perseverance and imagination.”
Speaking of high-level, top-secret security jobs, this much I now know: The world’s most difficult IT department to work for is most certainly lodged within the Pentagon. Network admins at the Defense Department have to constantly fend off foreign governments, criminals and wannabes trying to crack their security wall—and worry about a bunch of ace hackers with the same DOD stamp on their paychecks.
Security is an all-important issue for the corporate world, too, but in that environment there is an acceptable level of risk that can be built into the business model. And while banks build in fraud as part of the cost of doing business, there’s no such thing as an acceptable loss when it comes to national security. I spoke about this topic recently with Mark Morrison, chief information assurance officer of the Defense Intelligence Agency.
“We meet with the financial community because there are a lot of parallels between what the intelligence community needs to protect and what the financial community needs,” Morrison said. “They, surprisingly, have staggeringly high acceptance levels for how much money they’re willing to lose. We can’t afford to have acceptable loss. So our risk profiles tend to be different, but in the long run, we end up accepting similar levels of risk because we have to be able to provide actionable intelligence to the war fighter.”
OWNSAVAOG agrees that military networks should be held to higher standards of security, but perfectly secure computers are perfectly unusable. “There is a perfectly secure network,” he said. “It’s one that’s shut off. We used to keep our information in safes. We knew that those safes were good, but they were not impenetrable, and they were rated on the number of hours it took for people to break into them. This is a similar equation.”