Where will the NSA be in 5 to 10 years?

I’ve been thinking about how the structure of the intelligence community and specifically technical collection activities are understood. The departure of General Alexander and the current budget fights are policy fulcrum points that can be used for change. I have to caveat my comments that follow.  I don’t have a lot of experience at NSA, I have very little experience with CyberCom, and NSA/DHS paid for my PhD. Whether you think me shill for not being blood thirsty calling for the end of the NSA, or not experienced enough for not having served at the NSA, the comment and the opinions are free.

So, take everything I say with a grain of salt and let the logic or lack of it determine the credibility. I have a few things here that I think people will take interest in. I talked about some of this previously here. I think the following are the themes we will see in the next five to ten years.

1)    NSA will be half the size it is today.

2)    NSA becomes a contractor free agency.

3)    Elements of NSA working toward national infrastructure security are split off.

4)    NSA and CyberCom split

5)    NSA has to invest in privacy preserving security as penance

6)    Individuals may find themselves under congressional investigation

I figure the largest 5 year and out result will be a much smaller NSA. NSA will likely be a half to third the size it is today. The primary losses will be in contractor staff, hiring freezes, and about a 10 percent reduction in force. Nobody I know is talking about this currently. The reduction in force will be part of larger federal government reduction in force and will hit the NSA lighter than other government entities. There will be great gnashing of teeth, but considering how hard the Army and Air Force have already been hit there will be little sympathy internally or externally for the agency or intelligence community in general.

What about contractor staff? Government leadership states emphatically that it does not have the staff currently on hand to accomplish certain tasks and that it is more flexible to use contracted services. These are political decisions not born out by the costing and usually use selective bias as a method of measurement. If you predetermine that you want a case to hire contractors the wonks will bend the numbers to make that case. There is a proven risk of contractors owning inherent government processes and government loosing control of those processes. If anything, Snowden has proven that at one of the most controlled agencies of the federal government.

I expect that within 5 years the federal contracted work force will be a tenth the size it is today. This is a necessity as short and long-term goals of the bureaucracy realize they can slide one $200K a year line item contractor staff over to two $80K general schedule government employees. Wage deflation has always been a part of the federal government compensation strategy and the budget debacles will make this even more apparent. The effect of hiring retired military has always been to cause a deflation effect on wages for the general schedule employees. The career path of taking a government job or working as a contractor after a military career (especially for senior officers) has also been fraught with peril for society. It creates a particular view point in the federal work force. Due to this laws like the Hatch Act were created.

A second effect I see for NSA is splitting off the CyberCom role. There is a lot of internal feuding and “facts” leading to the perception that the new role must be status quo. There is admittedly a lot of cost associated with a split of the two entities. The cost to society and inherent fight that is sure to come is likely even more costly. Arguments that this is new and we must allow it to continue are based on individuals desires to keep the status quo. A lot of people have skin in this game. So, they argue from their personal biases. I admit I’m biased. I want to see NSA and CyberCom succeed. Currently that will not happen if they are linked at the hip. The arguments of keeping them together are specious at best.

I think CyberCom should be severed from the NSA and the 4 star billet with associated staffs sent to at least Texas. Physical distance is needed to separate this war fighting entity from the intelligence entity NSA. The structure of CyberCom should be more like SOCOM. I think that the split will happen. I think the structure as a combatant command will not change.

The argument that there are synergies between the intel organization of NSA and the war fighting support organization of CyberCom are accurate. There is also no competitive analysis, the war fighting and administrative tasks of the Title 10 organization are subjugated to the intelligence mission, and CyberCom though a 4 star organization will never come out of the shadow of the NSA a 3 star organization. This is a battle between the intelligence community and the war fighting community that has been fought many times before. Employees of NSA may feel that the Director of NSA (DIRNSA) focuses to much on his authorities of combatant commander, and the CYBERCOM employees that their commander focusses on intelligence to much. Senior leadership in the United States federal government is already done to much by five bullet point slides. This is a case where cognitive span of control stretches credulity.

The idea that the intelligence community feeds the operational community is a red herring. The concept that there are only so many resources to go around is also a fickle argument. In times of peace the intelligence mission moves from operational intelligence to threats and warnings. Largely the tasks of CyberCom are administrative in nature focusing on defense and stability. A very small contingent of adversarial minded individuals are required for fighting wars in cyber space. We currently rotate military through different roles so the sharing aspect is already built into the 2 year permanent change of station process. There are some profound issues in the idea of cyber fratricide between the 2/3/6 problem that has worried the general staffs. This is a real world concern that should be investigated further. However, none of those issues are solved by subjugating one command under another.

There is also another idea that is put forward as an off hand comment by leadership that is quite chilling. A person working in the NSA/CyberCom organization can move between intelligence authorities and military defense authorities with a metaphorical hat swap. The entire concept of specific authorities in the law was to keep that from being the case. A separation of duties and powers between entities and agencies to keep abuses from happening is a specific concern. Making it fundamentally easier to do that swap may make things more efficient but the authorities are set up to insure it is NOT efficient. The focus on making the intelligence communities job easier completely misses the inherent stresses purposefully built into the system by the likes of the Church Commission. It is in overcoming those stresses in a legal and non-simplistic way that makes the intelligence community stronger. Taking the easy way by stretching their authorities to the legal breaking point weakens the whole and jeopardizes their mission set.

So, that is the why for cleaving the two entities. What else is going to happen to NSA and CyberCom? NSA will likely be required at some point to divert some significant part of it’s budget into privacy preserving security. The worn out and logically barren concept of we must trade privacy to have security is false. NSA will be required to fund academic and corporate research into the concept. They may not call it privacy preserving security but they will still be required to fund this kind of research. Call the concept penance or just a good idea. It will be done as an independent act to mollify critics, and buy off some of the more virulent.

Following this the information assurance and security directorate (IAD) at NSA will be broken off and sent somewhere like DISA. We may well see DISA and CyberCom become one entity and the 3 star position at DISA become the J6 (sort of that way now) to CyberCom. There is also the chance the IAD could be sent out of Department of Defense and assigned to Homeland Security. I tend to doubt that as I think Homeland Security may be on the chopping block too. These are really large organizations. To the novice in what is joint operations topics I am using a machete for scalpel work. To the person who is expert I’m using a scalpel where a chainsaw makes more sense.

The NSA is a large organization that currently dwarfs CyberCom. The headcount at CyberCom is primarily provided by the military services with the train and equip mission. So, I’m not ignorant of the JOE/UCP and associated legislation. Nor, am I a dullard to the human cost of the people who have moved to the Fort Meade area. I’m just not worried about it. With an at most three year move to new assignment for many of the military members a three year plan for moving to Texas or back to Nebraska for CyberCom is not a deal killer. The people already move fairly frequently. For those who say they ain’t moving apply that to the attrition. Hard hearted? Many people are out of jobs right this minute. People who are willing to be more flexible in times of need are looking for jobs. The “old saw” we can’t find them is chum.

What else is on the horizon for NSA? Legislation is pending and having no idea what else the Guardian is going to publish I see legislation being a primary risk. The government employee working head down everyday to secure the nation does not usually track legislation until it is to late. I think we will see several legal loopholes closed directly by congress. The appetite for executive agency blood is fairly high on both sides of the aisle. Unrelated executive activities related to the October 2013 shutdown will cause snaps in policy where least expected. An agency unpopular with the people is a fine target for political punishment.

The information or more specifically narrative of the NSA and executive leadership in the government has been on five primary topics.

1)    The intelligence community protects America against terrorism

2)    We can’t tell you about our successes

3)    You can trust us

4)    We are servants of the people

5)    If you aren’t with us you are against us

One of the feeders to the angst people feel towards the intelligence world itself is the “I’m an intelligence professional and you don’t know what I know.” This of course is true, but rings false to most reasonable people, since it is a logical fallacy to argue from a position of experiential superiority. It has nothing to do with the reality of evidence seen by the common person. It ignores the reasonable person. It suggests ignorance of the people engaged in the discussion and that has a tendency to piss people off instantly. It closes off all further discussion which means people start making decisions without information. The only reasonable response to that “I know more than you” logic for most people is to work at disempowering the agency and entities that have engaged in that kind of logical leap. To the intelligence professional i say , yes you do know more, but that doesn’t mean you get to use it. I shouldn’t and likely wouldn’t have to say that to old school intelligence people. It is some of the recent post 9/11 crop that never learned that lesson.

The Guardian has reported the misuse and abuse of intelligence products for other than intelligence uses. If the products were used for criminal prosecutions it is proof of a failure to control executive ambition. The mere allegation of parallel construction could constitute a relevant defense. The United States code of laws is substantive and almost everybody violates some law at some point. To have an eye of Sauron looking over everything you do regardless of intent causes fear. Understand that the NSA itself may have violated the law but agencies don’t go to jail people do. Department of Justice opinions and general counsel opinions of the agency does not protect it against external prosecutions and individuals can be separated out based on legal decisions made after the fact. The agency redefined significant portions of the law and congress has the power to reach into the agency and yank both the authorities and individuals who violated those laws.

That means in the rush to punish the executive branch some poor workers at NSA might find themselves in front of Congress and on the other end of the classification stick. “I can’t tell you it is classified” works for the prosecution not the defense. When they start invoking the fifth amendment the agency will find itself punished. I have visions of Colonel North sitting in front of congress.

The consistent narrative that has been tried by NSA leadership jumped the tracks when they lost control of the information to the Guardian. A new information narrative is required that does away with the previous five points and ascertains a new reality. The new narrative is going to have to rely on more openness, but not the kind we’re used to talking about.

As an example, General Alexander talks about wanting access to the financial networks. A reasonable conclusion for a reasonable person might be that the NSA already has those accesses but is looking to create a legal access. As such if I were Alexander I would never use the word access and only talk about wanting to share with the financial industry. Currently sharing is a dirty word between government and industry. So, there be dragons in these waters.

Sharing is a dirty word because the way sharing currently works is this way. The industry is asked to share so they send somebody who general counsel has vetted and has given specific speaking points. That person gives the government pretty much what the government already knows. The government sits down and shares what the industry already knows. Each of these entities has really good people monitoring their networks so they already know a lot more than they are sharing. The transactional nature of the technology means that they get to see what the bad guys are doing.

The government saying they have classified information to share is a poor speaking point. From fusion centers to various information sharing organizations the government has rarely “shared”. It is not the nature of government to share, but to seek legal authorities to compel the disclosure of the information. The use of the word sharing is heard by most corporate counsels as compel organizational actions without compensation. As we have seen from the alleged Snowden disclosures the government through NSA has been more than willing to purchase information. In the grand scheme of things why would government pay for information they can compel an organization to produce? Sharing is a bad word.

Industry does not want to share because the government cyber intelligence program does not preclude regulator agency action. Since what industry says is not “classified” it can be used to hang them. The telephone companies sought liability protections for this reason. So some company says they get attacked, does not disclose that in an SEC statement, they then find themselves being investigated. All in the name of sharing. There have actually been studies on SEC statements and cyber attacks of companies that suggest this is far more truer than you might think. Sharing is a really bad word.

All of this comes back to trust, the concepts of who those public servants are actually serving, and the logically false concept of who is with us or against us. The narrative must change. Congressional oversight must be real. NSA is going to have to provide access and some oversight for trust to blossom. The concept put forward by former intelligence operatives that secrets are the domain of spies is true. It is also not something to build public trust upon. The use of that as a portion of an argument erodes trust further and the narrative to the public falls apart. The only reasonable action at this point is to stop using “hiding” as “reason” and start showing results. The intelligence community is about threat warning and attribution of threat actors. Yet they are not the most dangerous element in the swath of weapons the government has. We know more about the nuclear weapons arsenal of our country and other countries than we do about something as absurd as the dining court at NSA. Over classification is a two edged sword. This time it is going to cleave off chunks of the agency.

The new NSA leadership should embrace a narrative something like:

1) We don’t ask you to share and we give you this information. NSA would then publish indicators of compromise. All of them. It may put sources and methods at risk, but that can be obscured by letting others participate.

2) Leadership should once a year publish a document of successes and failures in the intelligence world. This is a long road for the intel professionals to even think of, but it could help with the narrative. Like it or not, nobody wants to spend on a black hole and the black budget of intel is about to end.

3) I think it is time for DNI and DIRNSA to reinvigorate the Open Source Conference and they can call it IntelCon or something similar. It doesn’t have to be a spendy thing but it is to allow line workers to mingle. In fact other than a keynote I wouldn’t allow any of the big wigs to interact. I would have agency cyber pro’s present. Is there risk? Yes. Is it worth it? Maybe. It is about building trust and “spot the fed” doesn’t exactly do that at BlackHat/DefCon.

4) There is going to have to be a mea culpa at some point. There are options, but the general officer hubris may be a larger risk than we expect. I could see DIRNSA become a civilian post. That is sacrilege to almost everybody. The size of the policy fulcrum going into 2014 is that big, but beltway insiders are blinded by their biases. Do the mea culpa now before it is to late.

5) Quit talk about hiring hackers. It is now seen as a liability. An underground discussion is that this is put forward because DIRNSA thinks they will break the law with abandon or are somehow ethically challenged. It is seen as pandering at best. Most of the hacker community express a deep sense of professionalism and are ruffled by the perception of pandering.

In closing, some people say NONE of this can happen. They said the same thing about sequestration. Nobody would ever allow sequestration to happen. People said a government shutdown would never happen. People say that they will never allow us to pass the debt ceiling. Congressman promised families of dead soldiers they would not have to go without benefits. Many of the people growing up in the government system have a set of shared experiences. Those experiences are over a decade in length. So it is real, current, and creates a blindness to the risks and reality of their environment. They do not reflect back on the Clinton era, or the Nixon era. What is going on now may not be normal but it is not unprecedented.

This might piss you off, it might be wrong, it could be that I’m talking through my hat. It’s free. It’s an opinion. Time will tell how accurate I’ve been.