How to Needlessly Complicate the Cyber Debate

Reports the Wall Street Journal's Siobahn Gorman:

The federal government is launching an expansive program dubbed "Perfect Citizen" to detect cyber assaults on private companies and government agencies running such critical infrastructure as the electricity grid and nuclear-power plants, according to people familiar with the program. The surveillance by the National Security Agency, the government's chief eavesdropping agency, would rely on a set of sensors deployed in computer networks for critical infrastructure that would be triggered by unusual activity suggesting an impending cyber attack, though it wouldn't persistently monitor the whole system, these people said.

I feel like Kristin Wiig's Aunt Linda character from Saturday Night Live and want to let out a huge "Oh Brother" yelp. First, why does the government use names like "Carnivore," "Total Information Awareness," and now "Perfect Citizen" to describe data-mining projects?

What about "brown desk" or "door hinge" or "bronze plug" or some other meaningless thing? The government trains people (yes it does!) in creating nicknames for programs like this. Anyway, that complaint is a way of getting into a larger issue: these names, and the classification attached to this specific program, which is a fairly innocuous public-private partnership aimed at helping companies that handle critical infrastructure and whose networks might be vulnerable.

Gorman reports that "Public Citizen," which sounds Orwellian, is a mechanism for the government to help a power operator protect its grid with some whiz bang cyber tech (presumably with the power operators consent?). I am not sure why that it is a big deal -- I can't say that monitoring systems like this should trouble privacy advocates ... UNLESS the government decides to give the program a classification, a stupid name, and a classified nickname like "April Strawberry."

If the NSA hadn't classified this program, the thrust of the news would be: hey, government's doing something about cyber threats. Yay! They're actually taking steps to defend critical infrastructure ... that's a good thing. And they're letting the public know about it in advance. They're seeking the consent of companies who take part in it. Nothing to hide here, nothing to be afraid of.

But that's not how the NSA works. A program like this originating from the NSA cannot NOT be secret, or cannot NOT be classified, just because. Maybe it's the technology (although, frankly, hackers and foreign governments know about the technology). Maybe it's the "fact" that the NSA has the capability to monitor the domain (even upon request), which is something that, again frankly, citizens of the republic already know.

Maybe it's the fact that the government and industry are still scared to go before the public and say, "Here's what we're going to do. Some of the technical aspects are going to have to be classified because we think we have an advantage over the bad guys and we don't want to tip our hand, but Congress will be kept fully appraised. We are going to brief any member of Congress who is on homeland security, intel, armed services, judiciary, commerce, or whatever on the full details. We are going to answer every faulty charge if it involves unclassified information. Some are going to want to make 'Big Brother' arguments, etc. We are willing to have that debate, answer irresponsible charges, and take some votes on it."

That's what the Director of National Intelligence is for. It's what Howard Schmidt, the coordinator of cyber security at the National Security Council, is for.

But, now that a reporter has divulged details of a classified program, the debate will be taken over by alarmists. Mistrust will develop. Notions of "cyber kill switches" will be mustered up. And the public will be confused.
An ancillary but not unimportant issue: why isn't the Department of Homeland Security doing this? Aren't they, you know, supposed to develop precisely these types of programs to protect domestic infrastructure? Granted, they'll need technical assistance from the NSA, but having the NSA execute the program instead of DHS, in the sense of being the front facade, is meaningful. Actually, I know why DHS isn't doing this. They don't have the capacity. Or, at least, that's the message I get from reading about how the NSA is spearheading a program that DHS, by statute, should be taking the lead on. That's not very comforting, if you're a DHS official who is trying to get the world to take seriously the idea that DHS is a key player in front-line domestic cyber protection.

Strategic communication in the cyber debate matters. It should matter to anyone who cares about getting cyber right, from the people who think that Cyber Armageddon is around the corner to the people who think the threat is overstated.