Cyber Security: Einstein And The Privacy Debate
Within the next two weeks, as National Cyber Security Awareness Month begins, the White House is finally expected to name its executive cyber security coordinator, and former assistant secretary of defense Frank Kramer is the leading candidate. One of Kramer's selling points is that he sees a public debate about cyber security as urgent and necessary. The communications challenge he faces is, in some ways, the same old story: when it comes to homeland security, we do a poor job of estimating risk. Where DHS spent $50 billion since its inception on Project BioShield, which stockpiles medicines in the event of an improbably widespread biological terrorism event, it has spent about $80 million on cyber security, even though cyber security breaches happen regularly, and are regularly damaging. It's a fairly large miscalculation, one that has shaped policy and the public's response to it. Since the beginning of the administration, there have been more than 100 confirmed cyber attacks on major American corporate and government interests.
The government wants the Department of Homeland Security, which is nominally in charge of the "dot.gov" domain, to be given the authority to regularly inspect the "dot.com" domain for malignancies. The law doesn't seem to allow this just yet.
The government intends to use a technological apparatus called "Einstein 2," developed by General Dynamics and the National Security Agency, to perform deep packet inspections on dot.gov domain traffic and provide early detection of intrusions. DHS, and not NSA, will oversee the effort. The original "Einstein," version 1, was deployed in 2003.
But the government doesn't have the capacity just yet to prevent cyber attacks before they strike and cannot usually figure out who is behind them.
Einstein 2, if successfully deployed, would provide comprehensive protection to government data. It would allow for the type of deep packet inspection of private internet traffic that could detect malware, worms and denial-of-service hacks before they reach the dot.gov domain. The basic idea is that DHS, with help from the NSA, will have the capacity to read your e-mail, that it must have the capacity to read your e-mail, but it won't -- it will promise not to. Digg?
Because the dot.com domain hosts most of the nation's economic traffic, it is arguably the most vulnerable. And it is the least protected. Congress has shied away from writing new laws in part because the NSA remains a poisonous subject to debate, and in part because the cultural disposition of almost everyone involved in the cyber security debate is to avoid government intrusion. The business community wants to be left alone -- it owns 85% of the internet infrastructure in the United States. And Democratic experts on the issue tend to believe that government can never stay ahead of the technology, so it shouldn't try. These two ideologies are blended at the White House now, which is proceeding very cautiously.
Into this breach, the Department of Defense has stepped up aggressively. That's no surprise, and not necessarily worrisome. DoD was first exposed to the cyber security problem, and policy-makers there responded quickly to the challenge. There are now dedicated cyber security acquisition programs, a new policy group that reports to an assistant secretary of defense for cyber security, a vow that cyber security will be woven into the next Quadrennial Defense Review process. And then there's the recently stood up cyber command, overseen by Lt. Gen. Keith Alexander, the director of the National Security Agency. About half of the entire government's cyber security forces are co-located with NSA. The cyber command recently stood up its first field activities and is developing various intelligence and offensive cyber war capacities, all of which are highly classified. DoD and private contractors are hiring thousands of cyber-savvy employees.
To the civilians at the Department of Homeland Security, the NSA activity, unchecked by the White House, is cause for concern. DHS will be the public face of domestic cyber security efforts, and yet NSA and DoD seem to be commanding the lion's share of resources and attention. DHS has no formal guidelines about working with the military. It is ramping up its infrastructure and hiring talented cyber defense warriors from the corporate world. And the guy who thinks most about cyber security at DHS -- Rand Beers -- is very highly regarded in the field. DHS, in public, remains gung ho about its status. Still, it's significant that only very recently did DHS officials make the trip up the BW Parkway to Ft. Meade to see what their counterparts were up to.
NSA civilians worry that NSA bosses will too quickly merge the agency's strategic intelligence mission with its cyber security responsibilities, further exacerbating domestic and international tensions. When the Pentagon formally announced its new Cyber Command, it did not think to brief the State Department in advance. As a result, other countries, having not received a heads up from consular officials, viewed the announcement through the lens of a past administration: there goes America, telling the world what to do, militarizing cyber space.
Only within the past few months did the State Department begin to staff a unit dedicated to cyber security policy. There has been some inter-agency communication between James Steinberg, the deputy secretary of state, and his counterparts at other agencies.
Legitimacy -- in the eyes of corporations, the American people and the world community, is critical to cooperation. The American government is finding that even in countries where cyber laws are much more intrusive, like Australia, there is a profound skepticism about America's intentions.
The irony: those countries where the balance between civil liberties and security wasn't so profoundly altered after 9/11 are finding less public opposition to significant changes in the law today. If the past administration had been less aggressive and more public about building a consensus around national security, it would have been easier for them to convince the American people to accept the idea that the National Security Agency has to be heavily involved in civilian cyber security efforts. Not anymore.