In the debate over how best to defend the nation against cyberattacks, one of the main points of tension relates to the extent to which the government should be able to deploy “active defenses.”
The White House in January blocked draft legislation that would have enabled the National Security Agency or any government entity to monitor private sector networks for computer viruses and to operate “active defenses” to block them.
The monitoring, officials said, would have crossed an Obama administration red line — that there be no government monitoring of private networks. In particular, the phrase “active defense” set red lights flashing.
In the end, White House officials prevailed upon an aide to Sen. Dianne Feinstein, the chairman of the Senate Intelligence Committee, to remove the language from draft legislation.
But officials at the NSA, a Defense Department spy agency with advanced capabilities to detect harmful software targeting military and classified networks, disapproved of the move, according to documents and interviews with administration officials.
“It caused some consternation” because NSA “frankly wanted to get that authority,” said an administration official, who spoke on condition of anonymity to discuss internal deliberations. “But that was very much contrary to the administration’s position.”
NSA Deputy Director John C. Inglis said in an interview that the agency “did not register displeasure” over the language being removed. And, he said, NSA has never proposed any government plan “where it would monitor private sector networks.”
But interviews and documents make clear that agency officials felt the scaling back of the authority to monitor for cyber threats and to push out countermeasures to industry was of great concern.
It’s unclear what kind of countermeasures the NSA would have been authorized to take under the proposal. In fact, one problem with proposals over active defense is that the term itself can be open to interpretation.
The Defense Department has defined active defense as a “synchronized, real time capability to discover, detect, analyze and mitigate threats and capabilities.”
But, said the administration official, that definition still wasn’t precise. “It wasn’t clear what active defense meant, and where the effects would be authorized to occur,” he said.
The administration felt that the measures could entail some form of government monitoring of private networks. NSA officials said they distinguish between monitoring, which connotes reviewing content, and scanning, which they say is an automated process to look for software that could damage computer systems.
Proposals advanced internally by NSA officials have called for Internet carriers to do the scanning of network traffic on systems operated by critical industries such as electrical grids. Private sector companies would then turn over to the NSA any e-mail or other communications that contain viruses so the agency could analyze them and devise more effective countermeasures, administration officials said.
Richard Schaeffer Jr., former information assurance director at NSA, says the debate over active defense suffers from a lack of linguistic clarity. “Let’s talk very precisely about what specific actions we want to take, under what conditions, so there’s no misinterpretation,” he said.
Active defense has been used to mean everything from “hunting in your network” for viruses, to quarantining malware, to shutting down an attacking server outside the military’s networks — including at its source. The latter can be seen as a form of cyber offense.
The issue has long been a subject of debate inside the Pentagon. As long as the military is acting inside its own networks, it is on solid legal ground. But legal and policy questions surround the extent to which the military can take actions outside its network without having to get presidential approval.
In the thick of the debate is Gen. Keith Alexander, NSA director and head of U.S. Cyber Command, the military’s offensive cyber arm. In 2010, when Alexander and the fledgling Cyber Command pushed for standing authority to take action inside the United States to protect critical systems against crippling attacks, the notion did not survive interagency debate. It even encountered resistance within the Pentagon.
“They were asking for way too much authority and they were contravening the Constitution with what they were asking for — to take unilateral action outside of their area of responsibility,” recalled Gen. James Cartwright, who retired in September as vice chairman of the Joint Chiefs of Staff.
Last November at a conference in Omaha, Alexander recalled taking a boxing class as a youth. The instructor, he said, divided the class into two teams. One could only hit. The other could only defend. “Which team do you want to be on?” he asked.
“We have to have more authorities to protect ourselves in cyberspace,” Alexander said. “We can’t just defend.”
One military official, who was not authorized to speak for the record, said “to have true active defense, you’ve got to be able to meet the threat wherever it occurs.”
When Alexander talks about active defense, “he’s talking about a set of pre-approved responses to counter specific threats,” said the military official. “The problem is he’s never come up with a scheme that specifies what threat may be met with what response that the interagency is comfortable with.”