The NSA has released a network security tool that it claims is designed to help organisations "fortify their networks against cyber attacks".
But, after being revealed to be spying on just about anyone it wants to, from US citizens to leaders of allied governments, while undermining major tech firms in the process, IT administrators will likely be very skeptical of adopting it.
Seemingly to put security concerns to rest, the security tool is made available through GitHub, making it easy for security researchers to analyse the code and find weaknesses - of any kind - that could put networks at risk.
NSA's network security tool utilises SIMP (Systems Integrity Management Platform) technology, which "is considered a critical part of layered, 'defense-in-depth' approaches to cybersecurity", according to NSA. The purpose of SIMP, at least in NSA's vision, is to keep systems compliant with security standards and requirements. "By releasing SIMP, the agency seeks to reduce duplication of effort and promote greater collaboration within the community: The wheel would not have to be reinvented for every organisation", adds the organisation.
"The open-source software method of transferring technology from the federal laboratory to the marketplace is extremely efficient", says NSA Technology Transfer Program director Linda Burger. "The open-source community can leverage the work that NSA has produced, and the government can benefit from that community’s expertise and perspective. It’s a win for everyone - and for the nation itself".
For those who are not familiar with NSA's GitHub repository, it was launched this spring by the agency. The only thing that is public is SIMP-related information, with the code being available at the dedicated SIMP repository. The only supported operating systems, at this time, are RHEL (Red Hat Enterprise Linux) versions 6.6 and 7.1, and CentOS versions 6.6 and 7.1-1503-01.
NSA's efforts to make networks more secure seem to be, on the surface, well-intentioned, but, given the agency's reputation and the possibility that it is not sharing everything it knows with regards to security with the public, will any of you IT admins, consider using it to protect the organisation you are hired to protect?