139 comments

[ 3.9 ms ] story [ 204 ms ] thread
To me, it's pretty obvious that the supposedly "dual" mission of NSA, that of both anti-terrorism and cybersecurity, are completely incompatible. They are at the extreme ends of the spectrum.

One seems to need the abolishing of (true) secure systems and privacy (although, so far there is no evidence that mass surveillance actually helps thwart terrorist plots - and it may never be able to do so [1] [2]), and the other is supposed to be about having super-secure systems and strong encryption.

However, since the NSA is in charge of both, it seems the anti-terrorism side has won, and it now causes the NSA to make terrible cyber-policy.

To Schneier's new post, I believe the EU is already getting ready to propose that a civil agency (not one that is run in secret) should be in charge of cybersecurity in EU nations. Although, I think the NSA is working hard to convince EU spy agencies to push legislation that makes them responsible for cybersecurity, at least in some EU countries that are more easily "persuaded".

EDIT: So I actually disagree with Scheneir here. I see no reason why a secretive unaccountable agency should be in charge of cybersecurity. Why should it be a state secret that a hacker hacked into a US company? Just because the NSA has the "expertise" in cybersecurity? If you want to keep the experts, fine, but then turn the NSA into a civil agency.

I agree with his suggestion that surveillance (not mass surveillance, though - that should be banned for all agencies) should only be the domain of FBI.

To recap:

1) Cybersecurity = civil agency

2) Surveillance of local citizens = civil agency (FBI in US, I guess. Mind you, this is what already happens, when referring to targeted surveillance, so the real proposal here is that the NSA or anyone else shouldn't be spying on local citizens, too - only the FBI and with warrants. This is not, or should not be about giving the FBI "mass surveillance powers". If that's what Schneier is proposing, then I completely disagree with this, too)

3) Cyber-offense/cyber-war = military/Pentagon/whatever

4) I'm unsure whether we need another agency for spying on "world leaders", but right now I'm strongly inclined to give this one to the military too. Also, it would be best if this wasn't actually targeted at allies (like Merkel), but actual rival (Russia) or rival-like (China) countries. I think it's just good foreign policy not to do nasty stuff to your allies, just to be slightly "ahead" in negotiations.

[1] - https://www.schneier.com/blog/archives/2006/03/data_mining_f...

[2] - https://www.schneier.com/blog/archives/2006/07/terrorists_da...

I think an even better argument for breaking up the NSA is that there's a fourth category of work they (should) do that's totally unrelated to surveillance and that I'd classify as "very good:" actively working to secure the communications of US government and companies against the NSA-equivalents of other nation-states and rogue actors. Having this is on the same list as encryption sabotage is a recipe for mismanagement and bad policy.
Yes. Imagine if the NSA were tasked with being a gatekeeper for data privacy and integrity that large companies like Facebook had to work with any time they pushed an update that sent data somewhere new, in the same way that the FDA verifies safety and efficacy of pharmaceuticals when they're applied to a new problem-domain. (I know that sounds almost satirically over-the-top, but it could work—if it were limited to companies [and branches of government] that were handling enough user data that, say, identity fraud attacks would be made possible just by having it. And any system where the government itself has specified the data-integrity requirements: voting terminals, library checkout systems, etc.)

Come to think of it, this NSA would probably also be responsible for chasing down companies who ask you for your SSN, wouldn't it?

They could also offer free pen-testing services (presumably through their defense subcontractors; they wouldn't have to employ any whitehats themselves) for small businesses who can't afford pen-testers, like a specialized form of industrial-development grant.

And, of course, they could also do the only legitimate/legal "active no-advance-notice" pen-testing for infrastructure they're concerned about (ISPs, hosts like AWS, etc.), converting taxpayer dollars directly into those "eyes that make bugs shallow."

Effectively, the NSA are to our sovereign data boundaries as the coast guard is to (most of) our physical ones. Since that's the case—where's our Lighthouse Service?

> ...any time they pushed an update that sent data somewhere new...

So you think making the NSA (or any govt agency) the gatekeeper for all data, public and private, would be a good idea? As if there's no way that could be abused? No thanks.

The data wouldn't go through them, nor would they be responsible for auditing the algorithms themselves. The comparison with the FDA was exact: they would simply require the company to execute a study proving (to peer review) the data-integrity of each change they were going to make.

The one interesting thing is that this would likely enforce an open-core-SOA software development model: companies would be incentivized to build a "trust kernel" of services that the government regs apply to, exposing an API with stringent access controls; and then a view layer that consumes that API, which can have whatever sloppy code they wish. The trust kernel would then have to be at least shared-source to enable the peer review necessary for study. (The company couldn't just pass the code around within a cabal of trusted peer companies, since those peers might be unfairly positively-biased.)

Sorry, I tried to write what I imagined was a clarifying comment, at least along the lines of what I thought you were trying to say. But while I was typing it you (who I imagine is the real authority on your own opinion) did exactly the same, but better.
That's fairly analogous to the current NIST regulations.

Unfortunately, NIST has been dragging 140-3 in draft form on for years. 140-2 was written in the 1980's and reflects very badly on current hardware and software practices.

Another area you could look into is Common Criteria. I find these certifications to be much more modern.

I've taken products through both processes. If you're going for more than the basic levels they can be quite rigorous and thorough.

The parent comment is not suggesting that they are the gatekeepers of the data, but rather that they act as a third party to authenticate data transmission. For example, company X says it wants to get you data, pass it through service Y and return Z, with the claim that the sensitive parts be secure. The role of the NSA would be to provide an audit of this process to determine whether or not security was in place. So if a service passed this hypothetical NSAs test they would actually never see any private information. The only danger is that the NSA withhold information about known insecurities, but that isn't any different from the current situation, and does not amount to "gatekeeping".
having the government be the gatekeeper for private company data is a horrible idea
>"..in the same way the FDA verifies safety and efficacy of pharmaceuticals.."

There is some merit to what you say, but I'd not use the FDA as a model. To me that sounds like a recipe for disaster, imagine the NSA auditing our software with FDA like cronyism and inefficiency? Green-light passes to be auctioned off to the highest bidder, and otherwise legitimate products will be hampered by woe-some delays. "Sorry, cant launch your new update until the NSA approves it."

The NSA could require that certain security properties of the system be held (e.g., all wire transmission and storage of data is encrypted with certain key management policies..) and a 3rd party (e.g., like an accounting firm) could be the one doing the audit.
(comment deleted)
Indeed. Compromising cybersecurity as a means of defense is fighting with a gripless sword. It makes no sense that planting backdoors in all of your systems is somehow supposed to help security.

For one, there has been little appreciable gain from this practice, but it's also way too easy for an adversary to subvert a backdoor planted for purposes of peeping around, and use it to do very serious damage. The more entrenched surveillance via cyberespionage becomes, the more it expands the attack surface for a foreign actor to exploit it.

Second, there is no guarantee at all that the NSA is impervious to the same sort of infiltration methods. If they become compromised themselves by a foreign hacking entity, then that's it for everyone they're "surveying".

From The Article:

"And third, the remainder of the NSA needs to be rebalanced so COMSEC (communications security) has priority over SIGINT (signals intelligence). Instead of working to deliberately weaken security for everyone, the NSA should work to improve security for everyone.

Computer and network security is hard, and we need the NSA's expertise to secure our social networks, business systems, computers, phones and critical infrastructure. Just recall the recent incidents of hacked accounts—from Target to Kickstarter. What once seemed occasional now seems routine. Any NSA work to secure our networks and infrastructure can be done openly—no secrecy required."

The NSA's Information Assurance wing considers itself responsible for the security of classified US Government systems only—specifically not unclassified US Government systems, or any civilian systems whatsoever, which they feel falls under NIST's domain.

But yes, it's much smaller than their SIGINT wing, and yes, I also feel that having both teams under the same roof (so to speak) is not just an 'equities problem' - it's a full-scale irreconcilable conflict of interest.

You might feel that surely the NSA wouldn't backdoor their own stuff? But no: there they are, actually using Dual_EC_DRBG even in their own most trusted crypto hardware - in, I presume, the firm belief that "nobody but us" has the private key to use the backdoor. Which seems somewhat reckless in light of a working distinguisher and how very fragile (EC)DSA is… and a stark reminder of how the recent return to talk of backdoors - sorry, "front doors" or "secure golden keys", because they want to control the language to frame the debate in the way they want - are so much bullshit, and the only reasonable discussion we can have about things which undermine all of our collective security is one where the people who are asking for such idiotic things to - they think - make their jobs easier should kindly shut the fuck up.

Ahem.

GCHQ over here have the exact same issue with CESG and the MoD CRYPTO group versus the COMINT/ELINT/SIGINT bulk of their mission. GCHQ have even selected their own suppliers and political and other infrastructure for targeted surveillance in some cases! So for those who choose to try to work with them - surprise! - that doesn't mean they're not also working against you too. It just gives them another angle.

Isn't the PCI standard a better, although certainly imperfect, model for addressing this without roping the Beltway into the process?
This is actually against the law.

Title 10 explicitly disallows the NSA to proactively interfere (good or bad) with private industry services unless specifically requested by a law enforcement agency and in cases like you propose would have had to be requested by the private organization to the LEA in the first place.

Schneier addresses that later in his essay:

And third, the remainder of the NSA needs to be rebalanced so COMSEC (communications security) has priority over SIGINT (signals intelligence). Instead of working to deliberately weaken security for everyone, the NSA should work to improve security for everyone.

Sadly the voices of reason like Bruce will be yelled over by the voices of "terrorism everywhere".
I'm not sure this addresses the problem vs. just moving it to another agency.

Would it be better for the FBI to be doing these things than the NSA? Or should we be instead fighting that they're done at all?

I think holding the position "the United States should not be spying on anyone, ever" is perhaps too far over on the spectrum of idealism. You do need some spying on countries that pose genuine threats such as North Korea, Iran, China, Russia and the like.
Second, all surveillance of Americans should be moved to the FBI.

The FBI is charged with counterterrorism in the United States, and it needs to play that role. Any operations focused against U.S. citizens need to be subject to U.S. law, and the FBI is the best place to apply that law.

No no no a thousand times no.

One of the only saving graces about the massive surveillance from the NSA is that, I'm willing to wager, very little of it at all has made it over to where it could be used to oppress the citizens directly.

Bruce's claim that "FBI is charged with counterterrorism" means that they are also charged (along with DEA, ATFE, etc.) with the application of undue force on citizens--something we've been only somewhat spared from because of the difficulty they have in collecting information.

Turning over to them that capability--or even the just the current stockpile and archives of information!--would be a gigantic blow against freedom.

But.. what about parallel construction? We know that the NSA is feeding tips to, among others, the DEA and ATFE -- they're just pretending to find out about criminal activity in other-than-blanket-surveilance ways. The practice is so commonplace that the NSA has a special division for seeding the evidence to other agencies, and there are indications that even state and local law enforcement agencies are in on the fun.
The argument being made by the parent, is that it would be far worse than the abuse that is already occurring, were the FBI to have direct control of the equivalent spying systems and data trove that the NSA already has on US citizens.
Yes, but I disagree. It's a matter of avoidance of oversight. NSA is designed to avoid it and FBI is not, they simply cannot. FBI is tightly constrained by the process of law in ways that Guantanamo and NSA were created and operate in order to escape.

What's more, FBI is also a MUCH leakier boat when it comes to intel gathering, storage, analysis, and sharing. Law enforcement personnel and practice could not possibly hide the decade+ worth of mass surveillance practices from US senators, congress, and the office of the President as NSA has.

As it happens I know something about the mindset within both orgs. With FBI, eventually the truth will come out. Not so with NSA - unless another Snowden is willing to commit suicide, professionally and personally.

Exactly. Right now the NSA can escape all legal oversight because it has historically operated physically outside the US and under military governance. Since 9-11 and the Patriot Acts, BSA operations have moved inside the US. And in concert with the sharing of intel across military and civilian, the NSA now operates freely across all spaces. This was never intended by statute, and virtually no oversight is in place to ensure 1) intel is gathered lawfully or 2) info is shared lawfully. Unlike the NSA, the FBI must operate wholly within the US and state civilian court system, so its gathering and disbursing of info is much more closely overseen and regulated.

It's also become very clear from their response to Snowden's revelations that NSA is not going to get any closer oversight any time soon. The FBI and its partners cannot hope to maintain a comparable cloak of invulnerability. To Bruce's suggestion, I vote yea.

Here's your oversight:

http://en.wikipedia.org/wiki/J._Edgar_Hoover

Giving NSA powers (or archives) to the NSA is a really, really, really bad idea.

The court system and legal system in the US these days is a joke and a farce--just look at the number of cases that make it to trial. We can't afford to give this sort of power over to any law enforcement agency.

Can we just flip their budget over to making sure US companies are secure?
Is it possible to hold the position that the NSA should be conducting signals intelligence, data collection, and code-breaking (and yes, email snooping) -- yet at the same time hold the position that the blatantly malicious activities: 0day exploits, software and hardware backdooring, etc should not be allowed?

Why commit ourselves to a massive overhaul of the entire NSA when we can address the actual problem here with some granularity and minimal cost yielding an impact almost all of us would enjoy?

True, I think the Snowden events have uncovered the unfortunate reality that there is a gigantic hole in the boat. In the end, the only way we get out of this is to redesign the system, from hardware on up, to be secure. The NSA, as per their mandate from Congress as an expression of the will of the people of the USA, is using the holes in the boat to advance the security of the nation. It is literally their job to do this. Again, the issue is that the boat is leaky. Maybe we humans decide that this leaky problem is not all that bad, and like biology, a certain percentage of 'sinking' is acceptable versus the cost to make a better boat. I dont think this is true though, because lawyers. Making a better and more secure net is the end of the game, it is only time that stands between us.
The NSA does not have a mandate from Congress: it was created by an executive order of President Truman in 1952 (https://www.nsa.gov/public_info/_files/truman/truman_memo.pd...). That order was classified for a very long time.

That's to say that you're starting from false premises. It is not the NSA's job to advance the security of the nation at all. Hence the need to split it up now. It's time to move the legal basis from executive order to something else, that something else publicly debated and mandated by the people.

> Why commit ourselves to a massive overhaul of the entire NSA when we can address the actual problem here with some granularity and minimal cost yielding an impact almost all of us would enjoy?

Because they've been exposed as untrustworthy. Any attempt at reasonable reform will be met with obstruction, obfuscation, and lies.

> 0day exploits, software and hardware backdooring

Up until it was proven, they denied doing these kind of things. What makes you think they'd tell the truth in the future?

Read "The Puzzle Palace" and find out why the NSA is structured like it is. The US gov has been re-orging the NSA and factions inside the gov have been fighting over its control since its inception. To use an annoyingly beat to death phrase: we haven't seen its final form yet.

Actually a pretty good article overall, but these two lines bother me greatly:

   > "What was supposed to be a single agency with a dual mission—protecting the security of U.S. communications and eavesdropping on the communications of our enemies"
That was never the mission and is not the mission of any similar org in the past 100+ years. It is to eavesdrop on everyone, including ones allies. The Brits were eavesdropping on everyone's telegrams over 100 years ago. This isn't something new.

   > "The result is an agency that prioritizes intelligence gathering over security"
Again, that is the #1 goal of the NSA and other similar organizations. Security never has and never will be its #1 goal.
Technically, you are wrong. NSA has a signals intelligence side and an information assurance side. It does have two dual missions. You may argue that they haven't done a good job with the information assurance side of their mission, but you cannot argue that it is not a stated mission of the NSA.
Security is their objective; using all encompassing communication spying is their strategy for accomplishing that objective.

This comment is not an endorsement of any NSA policies.

Security, in terms of the NSA, refers to their COMSEC work.
Never mind that "security" is literally their middle name--the second L of their TLA.

It wouldn't be the first time that a government enterprise had a misleading name.

Exactly. They have as much to do with "security" as the Democratic People's Republic of Korea has to do with "democracy."
It just seems that you can do anything on paper but covert agreements between the agencies after break up will still occur.
Not necessarily. It's just a matter of dis-empowering the people who are on a die-hard mission of "spy on everything, and to hell with civil rights."

That is not the whole NSA; it's just a few key people in leadership positions that have been steering the ship lately.

If you keep those same people in power but split up the agency, yes, you'll just get the same thing again.

Defund them, it's not perfect (as with the CIA and it's ah interesting funding mechanisms) but it is one of the more effective of the least worst options.
It's easy to casually propose such things, on a blog, while lobbing the same tired criticisms about over-zealous intelligence gathering programs. But to actually implement such grand, sweeping measures would require resources that don't justify the benefits. Just scale back and increase oversight on troubling programs, and otherwise let the NSA do its critical job as an intelligence gathering agency.
Finally, a pragmatic voice amongst those calling for an anarchist solution. I will add my vote to those calling for increased oversight, and regulation over the all out "scrapping" of these programs.
If you take it as a given that the NSA is spying on all parties, that includes those supposedly providing oversight. Those providing oversight can then be coerced into rubber-stamping whatever the NSA wishes. Therefore, "increased oversight" is all but impossible.
(comment deleted)
Imagine if the Centers for Disease Control, instead of researching cures for diseases, had a budget in the billions for buying weaponized viruses and bacteria, and was subverting disease prevention. Nobody would stand for that. It would be poisoning health care worldwide.

As another commenter pointed out here: "Can we just flip their budget over to making sure US companies are secure?" That is, of course, what should be done. We get the results we spend money on. If the NSA's budget were spent on making security easy and routine, we would have easy and routine security. But that's not how we express our intentions with the budget right now.

I think that is a excellent example of how information might get abused.
Note that this is from 2014, but it is more relevant than ever.
Bruce makes a good point here. There is a balance between the COMSEC and SIGINT. Any advance you make in SIGINT is a failure of COMSEC and vice versa. The issue is then the 'viruses' of our internet ecosystem, the hackers and state level threats. How do you balance the two? Will the nature of the system self-balance as threats are discovered and then bandaged?

Still, good job not just demonizing the NSA, they serve a purpose in the game of international relations, one that the free world may not like, but that we all need.

It seems to be a sort of universal truth in that the people trying to break a system will always be ahead of people trying to secure/protect it. Why then, would prioritizing COMSEC over SIGINT change any of that? COMSEC will never catch up to SIGINT.

I'm curious to know what exactly the NSA currently does to protect the US. Do they already use their existing SIGINT knowledge to update systems ahead of attacks?

Well, maybe the lemma is flawed. Maybe they are not always ahead. I mean, to date, no one has even been able to decode Kryptos, right out front of the CIA in plain view: https://en.wikipedia.org/wiki/Kryptos

Again, what the NSA does to protect the US is an open question; if they did their job right, you'll likely not know it. Updating systems, at least large commercial ones that foreign governments use as well as the US citizenry, is not in the purview of their mandate, its the opposite. They do try to tell the world what they do, so as to justify themselves in some degree to their ultimate bosses (the US voting public). The Iranian nuke viruses are a good example, though, as far as I know, they have not claimed that particular hack yet.

I'm thankful to live in a country where we have the freedom to publish this kind of thing. (That said, I think that freedom will no last too much longer.)
I've got an idea. In the faux name of net neutrality, let's give one of the most abusive governments when it comes to privacy, vast control over regulating the domestic Internet, and let's allow them pass those new regulations without anyone external being allowed to review them ahead of time. What could possibly go wrong? It's not like the government will massively expand their direct control of the Internet, and use that to chill free speech. And it's not like we'll be sitting here in ten years, listening to pro net neutrality campaigners making excuses about how those weren't the laws they had in mind; after all, who knew the government would abuse their new powers, nobody could have guessed such a thing.

Whoops, too late:

https://www.eff.org/deeplinks/2015/02/dear-fcc-rethink-those...

I agree with the general thrust of what you're saying, and I think the FCC takeover of the internet is much more problematic than the NSA spying scandal.

That said, the EFF is getting what it has been advocating for: A government takeover of the internet.

That is what net neutrality has always been for and about.

Once we grant that the internet infrastructure is not private property and is open to government regulation, that means it's open to all government regulation, including speech regulation. There is no middle ground.

To think otherwise is to not understand principles and politics.

This reminds me a little of the breakup of the Atomic Energy Commission. The AEC was supposed regulate and promote nuclear energy. This conflict of interest was recognized in the 70s and it was split into the Nuclear Regulatory Commission and ERDA (which soon became the DOE).
This reminds me of the surreal world of the stock market, where organizations largely make their own rules and regulate and enforce them themselves.

In 1971, the National Association of Securities Dealers (NASD) gave birth to NASDAQ, which became publicly traded in 2000, and then a national securities exchange in 2006. NASDAQ wasn't really independent of NASD until 2000, so for a while the same people who owned the exchange also regulated it.

The NYSE is much older and became a Not-for-Profit in 1971. In 2006 it merged with ArcaEx and became a publicly owned for-profit, later merging with Euronext in 2007 and acquiring AMEX in 2008.

Here's the weird thing: exchanges are supposed to self-regulate, with the SEC basically just approving the rules they make for themselves. And the exchanges kind of 'outsource' their regulation - but not all of it - and that's not all that well defined anyway.

In 2007, NASD's and NYSE's regulatory and enforcement committees were merged into a new organization, FINRA, which basically makes the rules their members are supposed to abide by and enforces them in coordination with the SEC.

The SEC has been investigating exchanges since the "flash crash" of 2010, when it was shown how completely fragile the market had become by large players making very large trades, as well as new high-frequency automated trading.

In 2011, NYSE Euronext tried to merge with Deutsche Börse, which would have become the largest stock market in the world by far. It actually passed US antitrust investigation. But in 2012 the European Commission blocked the merger as it would have created a 93% monopoly on European derivatives trading. This doesn't have anything to do with the exchanges violating rules, but it does show how without regulation, monopolies would be a virtual certainty.

In 2012 NYSE was fined 5 million for giving data to its customers before the public. In 2014 NYSE was fined 4.5 million when it was found to have violated its own rules, or lacked rules it should have had.

Compare this to NASDAQ settling with the SEC for 10 million just for mishandling Facebook's IPO in 2013. This is apparently because the SEC stopped short of finding the NYSE's actions as felonies. And all of this is relatively new, as exchanges historically were never legally scrutinized or punished for their actions. (Their revenue is in the billions, so these fines are basically just for show)

What about the problem of distinguishing domestic vs foreign communications? NSA already minimizes American information, plus FBI doesn't have authority to track who called to or from the US to a foreign nation like Pakistan from what I understand, so no phone meta data. The NSA may be too big but I haven't seen anyone bring an actual technical solution for setting the boundaries and so forth.
> NSA already minimizes American information

While this is the PR, in practice it's categorically untrue.

As long as you believe in Santa Claus, how about the NSA also be put in charge of delivering Christmas presents to children who are nice by drone, and punishing children who are naughty (also by drone), since they are already monitoring everyone and everything, and they make it their business to know who's naughty and nice.
I would rather not agree with this "Break up the NSA" thing. I do follow the public opinion that its surveillance is wrong, but this is not the fix.

NSA is a organization, a empty shell without its people. If the people are not going to change their mindset in short-term (social change in mentality), it means that law has to be changed in short-term, so that very mentality gets more time to change.

But this is where I must contradict myself, does these people who are benefiting from such "Its abuse, not use of power" deserve such a delay? Given that for every second the situation remains the same, countless bottom-of-pyramid-people across the globe would keep suffering? Or have we become TOO used to looking away?

Also, a very important question is, that 'has NSA's Information Collection System become such a tool, where bulk of Americans are used to collect data on Bulk of Americans, and put that in the hands of Few, who then abuse it?' Or NSA has more to it than just the empty shell called: "Interest".

As Voltaire said: "You must ask, whether it is 'Just Interest' or 'National Interest'. "

A supporting question is, who is the Nation anyway? A few or all? Abraham Lincoln ought to be right here. But, fast forward 200 years, It is also important to question, whether "Nations" especially the idea of "America" stands as it is, given the fact that it is America itself that pushed for a "Globalized World" and still does.

Regarding NSA and CIA, what do they have to do to get shut down completely? Do we wait until genocide? It doesn't seem like a re-org is the proper response to institutionalized torture, semi-automated assassination campaigns, and creation of a panopticon.
So we should be left in the dark? I would not want the NSA/CIA shutdown unless the same is done with Russia's FSB or Pakistan's ISI.
Therein lies the rub.

There is a middle ground here, but people are (rightfully) foaming at the mouth with anti-NSA rage. In my eyes, this whole situation (NSA going off the map and doing whatever they want) stems from giving them free range with little to no oversight. They simply need better oversight and real consequences for leadership who don't act in the public interest (as determined by a neutral party, albeit a neutral party with top secret clearances).

'foaming at the mouth' is an Orwellian characterization of what is a profound and rational aversion to totalitarian state surveillance. Stop using the metaphor of a rabies infected dog to describe those who wish to live without the government spying on them.
It's better to keep the good parts and reform the bad parts than to throw the entire baby out completely.

Let's draw a parallel to something more tangible than the cyberwar we don't see. Recently there was a number of high-profile cases where police got into a clash with unarmed civilians, with disastrous results. Should police be shut down completely? Would you be safe in a city with no police? Many cities in the world have places where the police don't go, and those are dangerous places.

NSA and CIA serve important functions. They just need to be properly balanced.

Should we have tried to reform the Gestapo or Stasi too?

Also, we cannot confirm or deny that the NSA and CIA do anything important.

--Should police be shut down completely?

Sometimes, yes. When the corruption and brutality is so bad that there's no other option.

--Would you be safe in a city with no police?

In Acapulco, the answer was yes. The police went on strike and it was so much better without them that the people didn't want them back.

The US Army kills people. What does the US Army have to do to get shut down completely? Do we wait until genocide?
The fundamental issue isn't their culture or organizational structure, it's their unethical missions, which breed cultures of secrecy and opaque, unaccountable and defensive institutions. I don't see how you can set up a spy agency to prevent it from evolving in that direction. Would love to hear of counter-examples, though.
>Regarding NSA and CIA, what do they have to do to get shut down completely?

The US signs a complete unconditional surrender on the deck of the $SHIP of $NEW_WORLD_POWER - at least that would be my guess based on history.

We don't stop for genocide.

The (dollar) cost of the NSA makes us less secure.
"Actively attacking enemy networks is an offensive military operation, and should be part of an offensive military unit."

Key word here is offensive military unit, like a bomber squad or tank devision. You should not send out this kind of units to allies, neutral states or neighbors, not matter how "valuable" it would be in trade negotiations. Its to the benefit of all that on-line communication is restored to peace, rather than a free-for-all combat zone.

Of the 3 changes suggested by Schneier, this I feel is the most important change that internationally need to happen. Since NSA is the biggest offender here, fixing that actor would encourage other nations to do the same.

But this sort of spying clearly isn't like ordering a bombing run on Berlin or sending a tank division to capture Athens.

Spying isn't even a military operation, it is mostly diplomatic.

Spying has always been common even amongst allies. It is a form of hacked transparency. Countries hide as much as they can.

There's a distinction to be drawn between James Bond-style spying ("Humint" - which is the kind you're actually referring to) and the large-scale, indiscriminate, archived, mass-surveillence of otherwise ordinary people ("Sigint" - which is what we've learned about over the last couple of years).
Sigint has been around signals signals were around.

The only reason I see a reason to distinguish is what the info collected is being used to so America can blackmail German citizens, that is shitty. But if we are just trying to collect information about Germany or people who just happen to be in German who are people of interest? That is the NSA mission.

The real issue is the potential for abuse. But the US government has plenty of stuff it could really abuse.

> "... who are people of interest?"

I think you've missed the part where everyone is now (effectively) a person of interest.

That is just not true. Sure, they are collecting some limited information on every, but mostly because its harder to collect targeted information than to just get it all.

So maybe the US has a record of every call made in Germany, but nobody is tracking some random bus driver in Bavaria.

Right now there aren't is the manpower to actually look at even a tiny fraction of what is collected.

I guess in the future, if an AI with human like ability is created, the actual monitoring of every person could occur. But it just isn't a fear right now.

I'd call it psuedo-pirvacy.

Tell that to people who died needlessly during a civil war thanks to the sabotaged communication system that NSA caused. I'm sure their death felt like a diplomatic problem, something people discuss between drinking port wine and eating walnuts on the embassy.

Attacking civil infrastructure of a foreign nation is not spying, especially if that nation has an ongoing war. If one uses the term spying like that, then the term spying has been extended beyond what can possible be reasonable. Just because someones intent is information extraction does not make it any less of an offensive military operation if the method used are offensive military in nature.

(comment deleted)
honestly, would you rather be at war or be secretly spied on? No contest!!

You need to reject this as a false choice.

Unsolicited movie recommendation for you: http://www.imdb.com/title/tt0405094/

Other worth watching, to all those who live by "I don't care, I have nothing to hide mantra:

http://www.imdb.com/title/tt0088846/

Spoiler: it's not what you consider worth hiding, it's how the government will interpret it.

Do you really think the disagreement is because we've never heard that argument before? That all the people who think this way have just never been exposed to Brazil, or Minority Report, or any of the other thousand works of fiction in which this idea is shown?
Interesting, but I doubt it would go far in helping anything. You can't cut and disperse the cancer growing inside of the US Government and expect anything to be solved or fixed, it needs to be uprooted and burned. Would any of this address secret courts, police brutality, domestic propaganda, or corruption? It'll have to be all at once, otherwise it's just rearranging the furniture in our cell.
"collecting data on innocent Americans either incidentally or deliberately, and data on foreign citizens indiscriminately. It doesn't make us any safer, and it is liable to be abused. "

If you are collecting data in order to analyze and identify threats to national security, how would you possibly exclude "the innocent" beforehand? These people are not innocent as much as they aren't guilty - however blinding oneself to observation seems like a knee-jerk alternative.

If these practices are "liable to be abused" isn't the solution proper oversight or accountability and not to shut down the entire program?