Admin Cyber-Security Plan Raises Concerns over NSA's Role
November 8, 2007
It's a no-brainer that the federal government needs a robust and effective program for protecting its computer networks. However, a new cyber-security initiative being shopped by the White House to Congress and others, including CDT and fellow privacy advocates, raises long-standing concerns over the role of the National Security Agency in securing unclassified computer networks. The NSA has long had a dual role: Wearing its signals intelligence hat, the agency spies on our adversaries, cracking their computer networks and breaking their codes. Turning that hat around, the NSA also is responsible for protecting U.S. government communications from interception. Exactly 20 years ago, an attempt by the Reagan Administration to expand NSA's computer security role led to the enactment of the Computer Security Act, which was intended to confirm the leadership of the National Institute of Standards and Technology, at least with respect to civilian and private sector systems. The Act's impact, however, was inconclusive, and ever since then responsibility for computer security has been in flux, shared between NSA and NIST. The line blurred even more with the adoption of the Homeland Security Act of 2002, which created the Department of Homeland Security and consolidated within it various cyber-security entities, without disturbing the functions of NIST or NSA. (See the policy post CDT wrote on the creation of DHS at the time.) From its creation, DHS has struggled to assert leadership on cyber-security. Its office of Assistant Secretary for Cybersecurity and Telecommunications remained vacant for more than a year. The September 2006 appointment of Greg Garcia promised to bring stability and direction. However, there is yet a new and very powerful figure on the scene: John "Mike" McConnell, NSA's head from 1992 to 1996, is now the Director of National Intelligence and is a progenitor of the Administration's new cyber-security initiative. There is no doubt that the security of both governmental and private sector computer networks remains at risk. It is equally clear that foreign adversaries, especially China, are committed to the development of an information warfare capability. Moreover, it seems, national security systems have recently suffered from some unnerving penetrations, for example the hacking of a Pentagon computer system in June. In September, the Washington Post reported that Unisys Corp. failed to detect a Chinese break-in on DHS computers and then tried to cover up its shortcomings. But acknowledging a problem and knowing how to solve it are two different things. The new initiative would be very troubling if it expanded the role of NSA into civilian government systems, let alone into private sector networks. Yet there are reports that that is exactly what is being planned. As usual on matters relating to the NSA, the Baltimore Sun's Siobhan Gorman has been all over the story. Her first article from September reported that NSA would be claiming a broader cyber-security role. Her piece yesterday suggests that the Administration was less than clear in its Hill briefings this week, raising concerns that it is purposely obscuring the role of NSA. After 9/11, and maybe in the years immediately before, NSA overstepped its bounds and evaded legislative and constitutional limits on its surveillance activities. Given that questionable history, can we trust the NSA not to use an expanded role in monitoring domestic cyber-security to develop as well domestic surveillance capabilities? Pending legislation focused on monitoring international calls could put NSA perilously deep into networks handling domestic traffic. The super-secrecy that shrouds NSA is reason not to give it a role that merits public oversight. For starters, the Administration should answer the long-standing question: Who is really in charge of cyber-security?