An excerpt from a November 2009 discussion paper:
An alternative would be to allow the U.S. to exercise broad warning and control functions and undertake to defend cyberspace at traffic aggregation points. Aggregation points exist in the “backbone” services of large telecommunications and internet service providers. More than 90% of internet traffic in the U.S. passes through these service providers. An ability to monitor traffic for malicious code and neutralize that code before it reaches its intended targets, by combining broad communications surveillance with an ability to exploit foreign intelligence to identify and defeat cybersecurity threats, would significantly improve our cyber defense.
This kind of monitoring requires “looking” at all traffic. Congress wrote the laws regulating such monitoring for an era when it was technically impossible to review traffic for malicious code without also “reading” it - gaining an understanding of its content. Technology can now scan traffic for malicious code without “reading” the content – like giving a person a letter written in a language they do not understand and telling them to look for a certain pattern of symbols. They “read” the letter and look for patterns without understanding its content. Using this to secure national networks would require broad communications surveillance combined with an ability to exploit foreign intelligence to identify and defeat cybersecurity threats.
The question of how to structure a national cyber defense complicates any new approach. We are still more comfortable with artificial distinctions between foreign and domestic missions even though this distinction makes no sense in the global communications architecture. DHS, as part of its larger homeland security and critical infrastructure protection mission, is the natural lead for cyber defense. But DHS lacks the full range of capabilities to undertake a warning and control mission similar to NORAD’s. Its new National Cybersecurity and Communications Integration Center (NCCIC) could potentially take on a larger role, but not with its current policies and authorities. DHS’s Einstein III program, when it is deployed, can provide the ability to monitor and control malicious traffic aimed at government websites, but Einstein, as currently envisioned, will only defend Federal networks. Not using Einstein or Einstein-like technologies to defend commercial networks will put the U.S. at a serious disadvantage for cyber defense, but law, policy and public opinion work against this.
NSA has the capability to mount a national defense. NSA’s intelligence and cryptographic activities give it a unique capacity to detect and intercept hostile traffic. It currently supports DHS’s efforts by providing technical advice. The new U.S. Cyber Command, of which NSA will be a component, could potentially take on a NORAD-like monitoring and interdiction role for cyberspace, in partnership with DHS or by itself, but this mission is not envisioned for Cyber Command and would require a serious restructuring of authorities and oversight structures.
Any discussion of an expanded government role in defending networks runs into powerful antibodies that grow out of civil liberties and privacy concerns. Even if existing legal authorities allow for an expanded government role, the “perception problem” remains significant. The legacy of the 2008 FISA debate continues to shape discussion of government’s role in cybersecurity in unhelpful ways. Frankly, these privacy and civil liberties concerns are reasonable. Our current oversight and accountability structures were not designed for these kinds of technologies and are inadequate for assuring the public that expanded surveillance would not be intrusive. But updating surveillance legislation to make it “technology-neutral” and provide better accountability and oversight is probably not achievable at this time.
This is unfortunate, as expanding the roles and permissible actions for DHS and DOD and redefining their relationship to each other will determine how far and how fast we move ahead in defending cyberspace. Indecision will put the United States at a disadvantage.