If some signatures really are truly sensitive, then let's reserve special protection for those few, rather than protect all at the highest levels. The Director of NSA could have a special
non-delegable authority to delay passing certain signatures for thirty days, or sixty, or however long is needed.
How might NSA passing their declassified signatures to companies work? Depending on the administration's priorities and appetite for risk, there are several
For example, if the program truly must be mandatory, the administration could design a program requiring monitoring using NSA information but not
necessarily conducted by the agency. If companies trusted that agency, they could opt for NSA monitoring directly and using every signature, even
those the Director chose not to declassify yet. For companies not willing to take that leap, they could use an alternate provider (such as McAfee, IBM,
or Symantec) which would have added the declassified NSA signatures to their own.
Another option could leverage the idea in recent legislative proposals calling for an independent clearing house for signatures. NSA might anonymously
add their signatures to the clearing house and further wash their source by mixing them with signatures from security companies and even with other
nations' intelligence agencies, like the UK's GCHQ or Canada's CSE.
This option would create the world's best-ever signature database, better than just the NSA's on its own, and any organization that contributes their
signature collection would then able to use the full database. Not only would critical infrastructure companies get an increased level of protection
but so would the rest of America's internet users. The government would use its taxpayer-funded information to bolster the security
companies, rather than crowd them out.
As a last option, the government could simply release all declassified signatures, possibly after a suitable waiting period. However, this option -- the cheapest and easiest -- will almost certainly be seen as too risky.
Some critics may still balk: If defenders act on these declassified signatures, then we have tipped our hand and bad guys will switch to new malicious
software which we cannot track. On the face of it, this criticism is an unreasonable position: If government wants to monitor private sector
companies, the only acceptable goal should be to prevent attacks on the private sector, not improve its own intelligence take.
To win a battle, at some point you have to take the initiative, put your enemies on the defensive and force them to react: we are now at that
culmination point. Adversaries will of course switch to new malicious software, but that is the nature of conflict -- but at least the conflict will be less
The cyber crisis is dire and the administration should take bold steps to defend America. Forcing companies to accept government monitoring is the
wrong kind of step. The right kind starts with NSA sharing its overclassified signatures in a way that boosts the private market, not supplants it. The right legislation will ensure the government declassifies signatures to give taxpaying companies the information they need to continue the fight at
the front lines of today's cyber conflict.
Some of the same US government officials who warn us about how vulnerable the United States is to cyber attack have called their own cyber collection
part of the "golden age of espionage." The government should give up a little of that gold to protect the nation. This is the bold step we need and
the one that is long overdue.