The National Security Agency calls itself “the world leader in cryptology,” deploying its tens of thousands of employees (the exact number is classified, as is its number of unfilled positions) and estimated 11-figure budget (again, classified) to “outmaneuver those who would do us harm in cyberspace.” But the United States’ premier electronic-spying agency hasn’t been doing much outmaneuvering lately. In 2017, the NSA was forced to admit that some of its most effective hacking tools had been stolen and dumped online for anyone to see and use—and they were used liberally by U.S. cyber adversaries. “Created at huge expense to American taxpayers,” The New York Times reported, “those cyberweapons have now been picked up by hackers from North Korea to Russia and shot back at the United States and its allies.”
Then the Times reported last month that the theft wasn’t an inside job so much as a self-inflicted wound: A cyberfirm’s postmortem report determined that before hackers published the NSA’s most valuable malicious code online, that code had been captured by Chinese intelligence operatives “from an NSA attack on their own computers—like a gunslinger who grabs an enemy’s rifle and starts blasting away.” Old NSA hands used to joke about their employer’s secrecy by saying that its initials stood for “No Such Agency.” Today, the moniker sounds more like a judgment on the NSA’s ethics and effectiveness.
The NSA is not alone in inadvertently inviting data breaches. On Monday, Customs and Border Patrol conceded that photographs it collected of roughly 100,000 border travelers at an unnamed U.S. port of entry, including “license plate images and traveler images,” were stolen in a “malicious cyberattack.” Those images were then “offered for free on the dark web to download,” according to one report. Responding to the hack, a lawyer for the ACLU, which has long challenged CBP’s expanding data-collection efforts, pointed out the obvious: “The best way to avoid breaches of sensitive personal data is not to collect and retain it in the first place.”
The revelations that NSA hackers and Border Patrol data-trackers had played themselves came on the heels of potentially worse news for wired Americans: An Israeli coding firm also admitted last month that its spyware was being deployed by hackers to attack WhatsApp users and gain access to their phones. The Facebook-owned messaging app, along with Signal and Telegram, all offer end-to-end encryption and have gained favor with newsrooms, activists, and privacy-minded individuals. But the spyware furor was just the latest chink in those apps’ armor; their encoding doesn’t help you if you don’t set them to delete your messages, or if you back them up to a cloud. There’s always a chance that another bug or an exploit in the system will allow the NSA, or other intelligence agencies, or increasingly prolific non-state actors, to snoop on you. Everyone’s threat vector is different—individually, few of us are interesting enough to spy on—but the problem remains the same: Americans’ private information, their digital communications, and the streams of data on which their day-to-day lives depend are not secure.
President Donald Trump’s response last month was to issue an executive order declaring a cyber-state of emergency and banning American telecommunications companies from using foreign-made equipment. “This will prevent American technology from being used by foreign-owned entities in ways that potentially undermine U.S. national security or foreign policy interests,” Commerce Secretary Wilbur Ross—who is tasked with carrying out Trump’s order—said in a statement. But the executive order is a broad, simplistic reaction to a complicated problem: America—its military, its political class, and its populace—is terrible at virtually every facet of information security.
The American military has known this for a decade, and it still can’t get its cyber-shit together. It’s a systemic problem, and one without easy solutions. Reports from the Department of Defense Inspector General and the Government Accountability Office read like a list of cyber-security “don’t”s: DODIG revealed last December that personnel leave doors to server racks unlocked, rarely encrypt anything, and regularly fail to use multifactor authentication on the bases where the U.S. houses the computers that control its ballistic missile defense systems—the defensive weapons meant to protect the country from an incoming nuclear attack. On one unidentified base, investigators found “an unlocked server rack despite a posted sign on the rack stating that the server door must remain locked at all times.”
It’s not just missile systems that are vulnerable. Hackers working for the Pentagon to test the cybersecurity of various weapons systems took control of aircraft, missiles, and ships using basic tools in 2018. They said it was easy. During one test, the operators figured out what was going on and tried to stop the hack. “The test team was able to easily circumvent the steps the operators took,” a GAO report on the tests stated. “In another case, the test team was able to compromise a weapon system and the operators needed outside assistance to restore the system.”
Lockheed Martin’s F-35 Lightning, a trillion-dollar fighter jet used by three of four armed services and one of the most technically advanced weapons ever created, is a cybersecurity nightmare, too. The aircraft’s operations rely on “ALIS,” an Autonomic Logistics Information System that has sent military aircraft maintainers through the looking glass: It runs on outdated Microsoft Windows software and is so buggy that “enemy hackers could potentially shut down the ALIS network, steal secret data from the network and onboard computers, and perhaps prevent the F-35 from flying or from accomplishing its missions,” according to the Project on Government Oversight. The system’s problems are so well-known that outgoing Air Force Secretary Heather Wilson quipped about them at a trade convention in February. “I can guarantee,” she said, “that no Air Force maintainer will ever name their daughter Alice.” The service is now rushing an overhaul of the ALIS system, internally dubbed “Mad Hatter.”
While the U.S. can’t secure its most strategically sensitive systems, it’s also been largely powerless to control security vulnerabilities in consumer products. The Department of Homeland Security issued an intelligence bulletin in 2017 warning the world that the commercial drone manufacturer DJI was “likely providing U.S. critical infrastructure and law enforcement data to the Chinese government.” Despite this, DJI remains one of the top-selling commercial drone manufacturers in the United States. The global marketplace has made it nearly impossible to reconcile private business interests with the federal government’s cyber-security priorities.
Trump’s executive order didn’t mention China by name, but it was widely understood to be part of a broader economic campaign against Beijing and its telecom giant Huawei, which is estimated to control around half the earth’s smartphone networks. Soon after the White House order went public, Google announced it would stop supporting Huawei phones with its Android operating system or suite of apps. The exit will be slow, but the consequences will be monumental. Huawei is the world’s third largest smartphone manufacturer, with half a billion users and a 17 percent market share in Europe alone. Google, in other words, is taking a massive potential hit in order to comply with Trump’s edict.
Much of the potential security hazard behind China’s electronic products stems from its government’s illiberal ability to dictate terms to the corporations that produce those goods. The U.S. government’s relationship with its top tech firms is, to put it mildly, more complicated. AT&T and Verizon partnered with the NSA for years to enable sweeping surveillance of their internet users—a collaboration that proved deeply embarrassing when Edward Snowden’s leaks revealed it to the American public. U.S. firms in emerging technologies like artificial intelligence, where intellectual copyrights can make vast fortunes, also have leverage that their Chinese counterparts lack. They squabble with each other for control of capital, and, occasionally, their skilled workers can object to doing “the business of war,” as Google employees did last summer, forcing the company to drop a contract worth hundreds of millions of dollars to develop AI applications with the Department of Defense. Pentagon leaders subsequently argued that Google has no similar qualms about its technology assisting the Chinese government.
Some tech firms saw Google’s crisis of conscience as an opportunity to burnish their own patriotic credentials. “If big tech companies are going to turn their back on the U.S. Department of Defense, this country is going to be in trouble,” Amazon CEO (and DoD Innovation Advisory Board member) Jeff Bezos told a tech conference audience last summer, as his company vied for a $10 billion military cloud-computing contract and planned its exit from a series of money-losing ventures in China. But tech workers can perhaps be forgiven for not entrusting their industry to a U.S. administration in which immigration officials conduct “digital strip searches” of border-crossers, and the president’s unelected son-in-law does state business with Saudi Arabia’s despotic crown prince on WhatsApp. (Bezos’s own phone was hacked by the Saudi government earlier this year.)
In the meantime, the DoD and NSA workforces suffer from low morale and continue to lose their smartest talent to the better-paying private sector, further driving a wedge between Silicon Valley and Washington. Asked about the exodus last year, one former NSA researcher, who exited the agency to launch her own security company with another dozen or so NSA veterans, didn’t mince words: “Some synonym of the word ‘epidemic’ is the best way to describe it.”
The circle of dysfunction is complete. There is no political capital for an ambitious American public-private partnership to secure our personal information or the technology that carries it. Even if there were political capital, the ethical pitfalls would be as enormous as the contracts involved, and questions about the U.S. government’s own spying, domestically and abroad, would only grow in importance. In lieu of a needed cultural change, regular phone and internet users like you and me will remain vulnerable, forced to take individual protective measures like multifactor authentication, hard passwords, and feeble hopes for the best, like a poor wage-worker without health insurance who’s told to secure her nest egg by cutting out morning lattes. “I hereby declare a national emergency with respect to this threat,” Trump’s executive order announced. In this emergency, American citizens and consumers are on their own.