There are plausible, more open alternatives to the plans floating around Capitol Hill to give the National Security Agency the ability to monitor Internet companies.
To defend itself from the onslaughts of online crime and espionage backed by China and other nations, America's private sector needs the capabilities of the US government. These tax-paying companies are on the new front lines of the cyber conflict, in which private enterprise faces nation-state-funded threats. Given their role in maintaining America's critical infrastructure, these companies are not getting what they need. Now, new legislation places too much emphasis on their obligations to report to government. There is even talk of forcing cyber monitoring by the National Security Agency upon them. Yet there are more effective and less constitutionally troubling options, if the administration is bold enough to take them.
Two recent articles by Ellen Nakashima revealed how NSA pushed the White House for over a year to force critical infrastructure companies to accept government monitoring of their networks. According to these reports, the White House "blocked draft legislation that would have enabled the National Security Agency or any government entity to monitor private sector networks for computer viruses and to operate 'active defenses' to block them."
The NSA may be the most capable cyber organization on the planet. Far larger than the CIA, the NSA's capability is rooted in the agency's decades-long responsibility to make America's codes and ciphers unbreakable, while simultaneously breaking those of our potential adversaries.
While government monitoring would leverage this expertise, the real benefit would be to tap the NSA's classified database of "signatures" of malicious software. These signatures -- similar to, but more comprehensive than, those held by private security companies like McAfee -- have been vacuumed up by the agency's worldwide network of sensitive collection sources and are considered among the crown jewels of the US government's defense capabilities. With them, defenses can detect and prevent any attack that uses the malware those signatures describe.
Despite these strengths, there are significant problems with forcing companies to accept monitoring. First, these capabilities may not be as awe-inspiring as advertised. A recent, highly touted Department of Defense program used a subset of these classified signatures to protect companies like Northrop Grumman or Lockheed Martin in DoD's industrial base. Apparently, an independent review found only marginal benefit. Only one percent of the attacks were detected using "NSA threat data that the companies did not already have themselves." It concluded that the value of the declassified signatures "was not conclusively demonstrated."
The second problem with mandatory government monitoring is the most obvious and severe. Especially after scandals over warrantless intercepts, NSA has lost a great deal of the public's trust. Companies, even those that may otherwise hold the agency in high regard, may have little confidence that government agencies would refrain from dipping into the content of the monitored communications to collect intelligence, rather than merely to block attacks.
But there is a solution to at least the second problem. The administration already has a better option than mandating government monitoring: declassification. When American soldiers are in harm's way, intelligence agencies will take significant risks to declassify the right information to keep them safe. Though it is a different kind of fight, the US government should be willing to take bold risks to support our embattled companies on the front lines of the network.
The critics are already sharpening their knives: if we declassify these signatures, won't we compromise our sensitive collection sources and methods? In truth, the extreme classification surrounding most of these signatures protects little but bureaucratic inertia. General Michael Hayden, a past NSA director, made this case best, saying, "Let me be clear: This stuff is overprotected."
More importantly, the Internet is an open network, and any adversary that uses novel malicious software knows it will eventually be discovered. So by sending their attacks over the Internet, the bad guys have themselves already made their signatures public. Accordingly, NSA has plausible cover for declassification even where a signature was obtained from a sensitive collection source. Even better, most adversaries are non-state actors likely to suspect a careless colleague or a rat informing law enforcement.