Don’t Mess with Success
Written by Jim Dempsey
Is the Administration about to snatch a civil liberties setback from the jaws of a cybersecurity success?
For years, efforts to improve the security of our communications networks have been stymied by a conundrum: The government, particularly the National Security Agency, is presumed to have special knowledge of where cybersecurity attacks come from and what they look like. But the Internet and the rest of our telecommunications system are privately owned and operated. We don’t want the NSA or any other component of the federal government monitoring the vast flow of traffic between private parties across the Internet. The operators of those private networks have always had the authority to monitor and protect their own systems and the government shouldn’t assume that role. If the government has special information, CDT has long argued, it should share it with the private sector.
But the NSA has always said its information on identifying cyberattacks is highly sensitive and cannot be disclosed to the private sector without compromising intelligence sources and methods. This led to calls to insert government monitoring boxes deeper into the private networks, which neither the companies nor civil liberties advocates wanted.
In the past year, there was a major breakthrough on this gridlocked situation: The NSA and several big Internet service providers agreed that the private companies could in fact receive cyberattack signatures from the NSA and use them to improve those companies’ cybersecurity defenses while at the same time securing the information against compromise. Moreover, the NSA was willing to forgo any feedback from the companies. The goal was to enhance the private sector’s ability to defend its systems and its customers, not to perform back door wiretaps.
The Washington Post reported today that the NSA, three major ISPs, and a number of defense contractors have entered into a pilot testing this new approach. NSA gives its signatures to the ISPs, they monitor and filter traffic to the defense contractors, and the NSA only gets back minimal statistical reports on which signatures are showing up where.
We do have some concern about the reports back to the NSA — even numerical reports say something about the private-to-private communications — but having the Internet carriers monitor their networks using NSA data is an elegant solution to the long-standing problem of how to apply the government’s special expertise while avoiding domestic surveillance by the government.
However, while the NSA was developing this approach, the Administration was going in a different, far less desirable direction. Instead of helping private network operators become better at the job they are already doing, the Administration has sent legislation to Congress that would create a blanket exception to all privacy laws, allowing the network operators to share information about any and all communications with the government and placing responsibility in the government to do the analysis. The Administration proposal could result in a flood of private traffic flowing to the government.
The government should not be the central analysis point for Internet traffic, not only for the obvious civil liberties reasons but also from the standpoint of cybersecurity effectiveness. Even assuming that the government does have some specialized knowledge of attack methodologies that the private sector lacks, the government has neither the knowledge of those private networks nor the agility to act quickly enough to defend them when needed.
Our national cybersecurity policy is at a critical juncture; the steady stream of recent high profile cyberattacks serves as a constant reminder that U.S. policymakers have yet to carve out a unified, workable cybersecurity strategy. The NSA program highlighted in the Washington Post piece today is an elegant solution to the problem of sharing specialized attack knowledge that government does posses, but the program needs to be monitored and the government must be held accountable. We cannot allow it to fall victim to dreaded “mission creep” and become a velvet hammer mandate of government intrusion that could erode civil liberties and become another obstacle to the trusted public-private partnerships that our fight against cyber-terrorism desperately needs.