Doug McLean - Blogmeister
The Washington Post broke an interesting story just before the Independence Day holiday about the issues the National Security Agency (NSA) has encountered in deploying its latest cyberdefense system. The Post requires a log-in to view the story, but the Wall Street Journal also covered the topic in more depth, and its article is open to all to read; I strongly recommend it to anyone who cares about cybersecurity.
The basic story runs as follows. The Bush administration chartered the NSA with developing a comprehensive solution to both detect and block cyberattacks aimed at federal networks. The system, named Einstein, was originally deployed in 2002, though its functionality was limited to intrusion detection; no countermeasure capability was included. Einstein III has been under development for a number of years and is nearly ready to be tested.
So, here’s the problem. The architecture of Einstein III assumes that the content (not just the packet headers and metadata) of all incoming Internet traffic to government agencies will be inspected and evaluated to determine if it contains anything that might be a threat. To implement this approach, the government must rely on the cooperation of the carriers from which it purchases Internet connectivity services.
Having been burned by their participation in the Bush administration’s warrantless surveillance program in 2005, the carriers, led by AT&T, are sensibly asking for advance approval from the Justice Department to avoid any potential legal liability. As the program will involve the inspection of both incoming public and private sector traffic, the carriers' concern is understandable. The legal issue involved assumed even more importance last month when the Obama administration announced its intention to proceed with the deployment of Einstein III and that the NSA has now been given the cybersecurity charter for all military networks. As the NSA already had a portion of the charter to protect civilian agency networks, this means that Einstein III could become the backbone of the federal government’s cybersecurity strategy.
For those of you who are opposed to carriers being involved in this effort, I have one piece of advice: get over it. While the carriers' participation in the warrantless wiretap program was regrettable, it does not mean the private sector doesn’t have a role to play in protecting public sector networks. In fact, the carriers' participation in Einstein III is exactly the kind of public/private sector partnership the President highlighted when he released the Hathaway report.
Just because such partnerships carry the potential for abuse does not mean they are not a necessary part of the nation’s cybersecurity strategy. In this particular case, there’s no practical way to achieve the mission of protecting government networks without this kind of collaboration. To be clear, I’m not arguing for blanket immunity for the carriers and other private sector firms that will be involved in this mission. We’ll need to develop standards of behavior and protocols with which the private sector will need to comply to prevent the kind of abuse that would infringe on our legitimate privacy and civil rights concerns. In this case, it will likely be necessary to codify these standards and protocols into federal legislation to ensure they are implemented consistently by future administrations.
The key to successfully protecting federal Internet assets is not to make it solely a federal government mission, but to structure the required public/private sector partnership in a way that is consistent with the mission, the legal framework in which it operates, and the privacy and liberty Americans expect of their government. As Alfred Nobel learned when he invented dynamite in the 19th century, almost all tools can be used for good or evil. Exactly how they are used depends upon the intent and skills of the craftsmen in whose charge we place the tools.