The fox and the hen: The NSA is helping Chase clean up after its data breach

Buried in the New York Times report on the ongoing investigation into the JPMorgan Chase data breach which compromised 83 million home addresses, phone numbers, and email addresses is a tidbit about the National Security Agency working on the case.

Here's what the Times wrote seventeen paragraphs into its report on the investigation:

The National Security Agency — which does not often get involved in most attacks on a private company — has been working with JPMorgan because the bank, particularly given its size, is considered to be part of the nation’s 'critical infrastructure.' Two people briefed on the matter said that an N.S.A. special team will sometimes work with a corporate victim of hackers to ensure that no trap doors remain.

The NSA's involvement in the investigation highlights the bitter irony of its existence. It's the agency from which most companies are now trying to keep customer data, but it's also the only one to which those same companies can turn when their data is stolen.

That's because the NSA is supposed to secure the United States from cyber attacks in addition to its efforts to compromise other systems. In theory this could allow the US to be more secure than other countries. In practice it just means the NSA attacks everyone.

The agency has tried to deny the conflict of interest inherent to its position. It claims not to stockpile exploits against which governments, companies, and citizens can't defend -- a claim I rebutted when a program, AURORAGOLD, was revealed earlier this month:

The program calls into question the NSA’s claims that it doesn’t amass knowledge about security vulnerabilities — a move which has been criticized because it means those problems can be exploited by other groups — to assist its surveillance efforts.

It also demonstrates the agency’s conflicting aims: to exploit vulnerabilities that allow it to surveil potential threats to the US (which, thanks to the broad interpretation of words like “imminent,” includes essentially everyone) while protecting against similar efforts that could help other countries spy on American citizens or the US military. Now the agency is being asked to clean up Chase's mess, which resulted from a technical oversight that left all those addresses and phone numbers vulnerable? If ever there were an example of someone asking the fox to guard the henhouse, this would have to be it.