It is a truism of intelligence work that while the public all too often learns of their failures, the successes are rarely known.
By definition, undercover work is meant to go unnoticed, not only by the general public, but especially by those who are the subjects of surveillance and espionage. Only when something goes wrong — an agent is caught by the enemy, a project goes awry — do we hear about what was going on.
Those failures are part of the known history of the Central Intelligence Agency (CIA), the National Security Agency (NSA) and other government bodies that operate in secret. Exposure is itself a failure, forcing the shutdown of operations and sometimes even the loss of life.
Most people can call to mind some of the more notorious blunders and debacles: The very word fiasco became synonymous with the CIA after its sponsored invasion of Cuba in 1961 was wiped out in a humiliating defeat by Fidel Castro’s security forces. This action entered the annals of the Cold War as the “Bay of Pigs Fiasco.” Just the year before that saw the shooting down of a U-2 spy plane over Soviet Russia.
More recently, the 1985 Iran-Contra scandal revealed illegal arms deals with Tehran, and in 2002 and 2003 American forces failed to locate weapons of mass destruction in Sadaam Hussein’s Iraq. (It must be said, however, that it was the broad consensus of Western intelligence agencies, not only the CIA, that such weapons were there to be found.) The expose of the NSA’s snooping on innocent private citizens through internet servers in 2013 added to a reputation for goings-on both sinister and incompetent.
On the other hand, who knows or remembers the CIA prediction that Israel would win the 1967 Six-Day War, or its warning to the White House in the summer of 2001 that there would be a terrorist attack (later disclosed by the 9/11 Commission)? Or the thwarting of a plan to bomb the New York Stock Exchange in 2013?
In a congressional hearing that year, NSA director Gen. Keith B. Alexander said that American surveillance had helped prevent “potential terrorist events over 50 times since 9/11,” including at least 10 “homeland-based threats.” He said, though, that most of the others must remain secret.
But on Tuesday came that rare event: the American people and the world were invited to share in a notable success of the intelligence community, not decades after the deed, when participants are long gone and files are declassified, but in real time, as it happened.
The National Security Agency discovered a major security flaw in Microsoft’s Windows 10 operating system that could allow hackers to intercept seemingly secure communications, the Associated Press reported.
In this case, disclosure was possible because it caused no threat to the safety of agents in the field, and the benefit to the citizenry was immediate and valuable.
Thus, an intelligence success you can hear of.
Amit Yoran, CEO of the security firm Tenable, observed in an interview with AP that it is “exceptionally rare if not unprecedented” for the U.S. government to share its discovery of such a critical vulnerability with a company. Yoran, who was a founding director of the Department of Homeland Security’s computer emergency readiness team, urged all organizations to get the patch on as soon as possible.
Former NSA official Priscilla Moriuchi called it a good example of the “constructive role” that the agency can play in improving global information security.
She explained further that it likely reflects the 2017 revision of the “Vulnerability Equities Process,” which encourages governmental bodies to identify and publicize vulnerabilities whenever possible to protect the nation’s internet systems.
This is a welcome break from the negative disclosures we have become so used to: of ubiquitous surveillance and privacy invasions, an incipient Big Brother police state spearheaded by the CIA and NSA, a sinister grouping of spies using the most advanced technology against us. For once, we have a true story of intelligence agencies working for us instead of against us.
We don’t know what would have happened had the NSA not discovered the Windows 10 flaw.
An advisory sent by the NSA on Tuesday said, “The consequences of not patching the vulnerability are severe and widespread,” but did not go into the potentially gruesome details.
Microsoft, however, dared to sketch the scenario — in which an attacker could exploit the vulnerability by falsifying a code-signing certificate so as to make it appear the file came from a trusted source. “The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider,” the company said.
Decades of bad publicity will not easily be shaken off. Paranoia will persist, along with legitimate concerns about security officials crossing the line of law and ethics, but it’s at least somewhat comforting to know that the “spooks” who work for us really are working for us — at least some of the time.