Why the NSA Should Not Lead Cybersecurity Government-Wide
UPDATE: At the RSA conference in San Francisco today, NSA Director Keith Alexander disavowed any interest by his agency in directing cybersecurity efforts outside of national security systems. Whether Alexander was engaging in damage control or whether his remarks truly represent a shift in Administration policy remains to be seen. Alexander also spoke of the need for a team approach to cybersecurity, leaving open the question of exactly what position NSA will play on the team. Let’s hope the pendulum is swinging back towards the center
While we are eagerly awaiting the results of the Obama Administration’s review of cybersecurity policy, the latest Wall Street Journal story on a computer hack of systems containing national security information highlights several points on which to judge the direction being taken by the Administration.
Tomorrow (Wednesday, April 22), Melissa Hathaway will speak at the RSA Conference in San Francisco and is likely to give some indication of the conclusions and findings of her 60 day review of U.S. cybersecurity policy. Her report to the President, completed last week, probably focuses more on organizing the White House and the Executive Branch for cybersecurity than on substantive questions of mandates, standards, and incentives, but even the allocation of responsibilities within the federal government has major implications. The Wall Street Journal story supports several conclusions.
First, the problem of cyber vulnerability is real and urgent. Siobhan Gorman and her colleagues report that computer spies stole terabytes of data about the design of a new fighter jet and also broke into the Air Force’s air traffic control system. Suspicion falls on China. Reportedly, the attackers were so clever that they encrypted the jet fighter data before they stole it, making it difficult to tell even what was compromised. The fact that a problem is deep and pressing, however, tells us little about how to solve it. In an atmosphere in which there is pressure to do something, it is critical to view skeptically any cybersecurity proposals. For any given “solution,” CDT will be asking whether it is likely to be effective and what impact will it have on Internet openness, innovation and freedom.
In that regard, the WSJ story offers a strong caution. First, it is clear that the federal government does not have its own house in order. Given the sorry state of computer security at government agencies and at the contractors who are subject to some direct government control (the fighter jet plans were stolen from defense contractors), the government is in no position to dictate to the rest of the private sector. Moreover, it is clear that the Department of Defense and the National Security Agency don’t have all the answers. Yet leading officials, including the Director of National Intelligence and the Director of the NSA, are arguing publicly and strenuously that only the NSA has the skills and knowledge to secure all of cyberspace. The fact that the NSA is failing to protect the systems it is already responsible for is powerful evidence that it should not be given authority over civilian government systems and even less so over private sector networks. And while everyone always dumps on the Department of Homeland Security, the last Administration never focused on creating an effective cybersecurity program there. Defaulting to NSA, with its flaws and secrecy, makes little sense without having really tried to create a balanced, effective and transparent cybersecurity program at a civilian agency.
Like most other complex problems, cybersecurity will require a multi-pronged approach. A successful program will assign the federal government very different levels of authority over government systems as compared with private sector systems that have little implications for free speech and privacy (such as the systems controlling electric power plants) and, even more so, with respect to the free-speech bearing, innovation supporting public Internet. These distinctions are among the things we will be looking for when the Administration releases the results of its 60 day review.
