Will NSA Power Grab Imperil Cybersec Consensus?
In recent weeks, policymakers have been working to reach consensus on steps to strengthen the nation’s cybersecurity capabilities, but the National Security Agency’s campaign to expand the military’s role in protecting private sector systems threatens to derail forward movement.
Until the military lobbying became public, as reported Monday in the Washington Post, there seemed to be widespread recognition that significant improvements could be achieved by strengthening the public-private partnership and the allocation of responsibility under which the military defends .mil systems, the Department of Homeland Security defends the government’s civilian systems (in cooperation with NSA), and the private sector defends its own systems (using signatures and other information provided by NSA). So far, the Post suggests, the White House has rejected the NSA’s bid for deeper intrusion into private systems. But last week, Sen. John McCain seemed to endorse the NSA view that it should actually be monitoring the private networks, and the Wall Street Journal suggests the debate is by no means over.
The NSA’s claims are premised on the dual assumptions that the private sector is not actively defending its systems and that only the NSA has the skills and the technology to do effective cybersecurity. The first is demonstrably wrong. The Internet and telecommunications companies are already doing active defense (not to be confused with offensive measures). The Tier 1 providers have been doing active defense for years – stopping the threats before they do damage – and the companies have been steadily increasing the scope and intensity of their efforts.
The second assumption (that only the NSA has the necessary skills and insight) is very hard for an outsider to assess. But given the centrality of the Internet to commerce, democratic participation, health care, education and multiple other activities, it does not seem that we should continue to invest a disproportionate percentage of our cybersecurity resources in a military agency. Instead, we should be seeking to improve the civilian government and private sector capabilities.
We already have proof that the NSA can assist the function of the Tier 1 providers without taking over from them. In what used to be called the DIB (Defense Industrial Base) pilot, and is now continuing under DHS oversight, the NSA is sharing its “secret sauce” with the Tier 1 providers to supplement what they are already doing to protect their critical infrastructure customers. Meanwhile, Congress is developing legislation that would promote further information sharing among the private sector service providers and with the government. There are competing proposals that need to be reconciled and improved with further checks and balances, but the need for information sharing is now widely accepted.
The best cybersecurity strategy would leverage the best capabilities of both the private sector and the government while protecting privacy, openness and innovation. The best capabilities of the private sector network operators is that they know their own systems better than the government ever could and are able to act most quickly to stop threats before they can propagate. The best capabilities of the military are the classified insights gleaned from intelligence sources and methods (as well as offensive capabilities, but those are quite separate in many ways).
That’s the framework we were moving towards, and it is the one that we have to make the effort to make it succeed. A strategy based on making the public-private partnership work and keeping the military out of the privately-owned and operated networks is the strategy most consistent with the nature of the Internet, the nature of the threat, and our democratic values.