[Cryptography] Should NSA & Cyber Command Have Separate Leadership?

John Denker jsd at av8n.com
Thu Oct 6 15:26:16 EDT 2016 

On 10/05/2016 06:31 AM, Jim Windle cited a 441-character URL
that can be reduced to:

  https://theconversation.com/should-nsa-and-cyber-command-have-separate-leadership-65986

The arguments in that article make no sense.  They seem like
something out of a Dilbert cartoon.  The key claim is:

> As a result of those conflicting goals, the panelists came to the
> consensus that those efforts should be managed separately.

The specific conflict is:

> The NSA’s job is a defensive one [...]
> By contrast, Cyber Command is a military unit, with a largely offensive mission

The alleged distinction between offensive and defensive military
organizations is unusual, to say the least.  The Maginot line was
considered primarily defensive;  however:
  a) Even so, it had cannons and other firearms.
  b) It has become an infamous symbol of ineffectiveness
   (although this is not entirely fair).

At the opposite extreme, paratroops are thought of as optimized for
attack, yet the 101st Airborne was called upon to dig in and defend
Bastogne.

The cryptography point of view is not the only point of view, but
it is certainly high on the list of relevant considerations.  In
crypto, one can distinguish between code-making and code-breaking.
However, it would be madness to separate these organizationally,
because if you don't know how to break codes you don't know how to
make them.

When applied to military operations, if you can break the enemy's
code it helps you both on offense and defense.  Indeed, almost any
battle between forces that are approximately evenly matched will
tend to be fluid, shifting from offense to defense from place to
place and from minute to minute.  The word "counterattack" exists
for a reason.  Sometimes it's impossible to draw the distinction;
for example, it hardly matters whether WWII antisubmarine warfare
was "defending" the convoys or "attacking" the U-boats.  So-called
stealth technology seems defensive, and indeed hardly seems like
a weapon at all ... but that doesn't mean that a stealth bomber
is defensive.  So we conclude, again, that splitting the NSA along
offensive versus defensive lines makes no sense.

One can also distinguish between passive crypto (eavesdropping),
active crypto (MITM), quasi-crypto (side-channel), and non-crypto
("tailoring" and black-bag jobs) ... but again it would be madness
to separate these organizationally.

Here's yet another reason why you wouldn't want to separate
offense from defense /or/ separate code-breaking from code-making,
even if you could:  The code-breakers will always have an unfair
advantage when it comes to budgeting and other forms of bureaucratic
infighting.  That's because they have spectacular successes to show
off.  In contrast, when the code-makers succeed, the best case is
that nothing exciting happens.  This is a perennial problem.  It
is not entirely solvable, but the only hope is to have a strong
and wise leader who has responsibility for the /whole problem/.

To summarize:  The arguments in the article make no sense.  So the
remaining task is to figure out what the stake-holders /really/ want.

One thing that must always be considered is that the folks
involved want to advance their own careers.  Splitting might
mean that the three-star in charge of Cyber Command gets to
move up to four stars, and everybody who reports to him gets
to move up one rank also.

One distinction that would make a certain amount of sense would
be military versus commercial.  The article does not address that.
The NSA is a wholly-owned subsidiary of the Department of Defense,
and splitting Cyber Command out of NSA wouldn't change that.

The civil/military distinction would make sense, because most of
the US economy does not (yet) belong to the military, and because:
  "In the long run it was more important to secure one's own 
  communications than to exploit those of the enemy."
                    	 -- Frank Rowlett (1942)

An example to illustrate the sort of thing I'm talking about
is NOAA, which makes weather information available to farmers,
sailors, fliers, hurricane-evacuation planners, et cetera.

We could apply that idea by having a trustworthy organization
that works with industry to improve their information security
practices.  There's a real problem here, because NSA has earned
a great deal of distrust.  Splitting would not suffice to fix
this.

In any case, that's not the sort of split The Powers That Be
are pushing for, so we must continue to wonder what they're
really up to.

Management efficiency cannot be the real reason.  There are
already 16 large agencies that officially make up the US
Intelligence Community (and that is arguably an underestimate,
depending on how you count).  Increasing this by one isn't
going to be a game changer.

Splitting might result in a short-term improvement in performance
due to the Hawthorne effect.  Picking two agencies at random
and combining them would have a comparable effect.

On the other side of the ledger, splitting would cause short-
term turmoil, disruption, and distraction, as people run around
inventorying the paper clips etc. and deciding which resources
get assigned to which successor organization.

In the long run, splitting might increase tribalism and invidious
competition ... although there is already so much of this that
it's hard to imagine it getting much worse.

The article cites the example of the Air Force, which spun
off from the Army, 70 years ago.  However, for 55 of those
years, the trend has been toward /combined arms/ and away
from stovepiping ... for good reasons.

The NSA mission statement and the Cyber Command mission
statement are different in wording more than in meaning.
It would make just as much sense to have NSA report to
Cyber Command as vice versa.
  https://www.nsa.gov/about/mission-strategy/
  https://www.stratcom.mil/factsheets/2/Cyber_Command/

In my experience, when it comes to management structures,
there are an infinite number of ways of doing it wrong.
However, there are also a near-infinite number of ways of
doing it right, which means that most optimizations are
not worth the trouble.  People who want to get stuff done
will find ways to work across organizational lines to get
it done ... whereas people who don't care will find ways
to define everything as "not my job".
  https://www.av8n.com/physics/not-my-job.htm

By the time you get through fiddling with the org chart
to make it reflect the "current" reality, that reality
is no longer current.  A mostly-new set of ad-hoc teams
has been formed while you were fiddling.

Management should be judged on how quickly it can set up
ad-hoc teams to get stuff done, or at least how well it
can support worker-bees who set up such teams on their
own.  This requires /trust/ which comes from /integrity/.
Specifically, this means that if I was given a budget to
do X, I can reallocate it to do Y, if I think that's the
right thing to do.

  I've seen some organizations that worked this way, and
  some that didn't.  It's not an exact science.

More information about the cryptography mailing list