“We hope the . . . cyber pilot can be the beginning of something bigger,” Deputy Defense Secretary William J. Lynn III said at a global security conference in Paris on Thursday. “It could serve as a model that can be transported to other critical infrastructure sectors, under the leadership of the Department of Homeland Security.”
The prospect of a role for the NSA, the nation’s largest spy agency and a part of the Defense Department, in helping Internet service providers filter domestic Web traffic already had sparked concerns among privacy activists. Lynn’s suggestion that the program might be extended beyond the work of defense contractors threatened to raise the stakes.
James X. Dempsey, vice president for public policy at the Center for Democracy & Technology, a civil liberties group, said that limiting the NSA’s role to sharing data is “an elegant solution” to the long-standing problem of how to use the agency’s expertise while avoiding domestic surveillance by the government. But, he said, any extension of the program must guarantee protections against government access to private Internet traffic.
“We wouldn’t want this to become a backdoor form of surveillance,” Dempsey said.
Officials say the pilot program does not involve direct monitoring of the contractors’ networks by the government. The program uses NSA-developed “signatures,” or fingerprints of malicious code, and sequences of suspicious network behavior to filter the Internet traffic flowing to major defense contractors. That allows the Internet providers to disable the threats before an attack can penetrate a contractor’s servers. The trial is testing two particular sets of signatures and behavior patterns that the NSA has detected as threats.
The Internet carriers are AT&T, Verizon and CenturyLink. Together they are seeking to filter the traffic of 15 defense contractors, including Lockheed, Falls Church-based CSC, McLean-based SAIC and Northrop Grumman, which is moving its headquarters to Falls Church. The contractors have the option, but not the obligation, to report the success rate to the NSA’s Threat Operations Center.
All three of the Internet carriers declined to comment on the pilot program. Several of the defense contractors declined to comment as well.
Partnering with the major Internet providers “is probably the technically quickest way to go and the best way to go” to defend dot-com networks, said Gen. Keith B. Alexander, who heads the NSA and the affiliated U.S. Cyber Command at Fort Meade, testifying before Congress in March.
The premise of this strategy is that combining the providers’ ability to filter massive volumes of traffic — a large Internet carrier can monitor up to 100 gigabits per second — with the NSA’s expertise will provide a greater level of protection without violating privacy laws.
But the initiative stalled for months because of numerous concerns, including Justice Department worries that the program would run afoul of privacy laws forbidding government surveillance of private Internet traffic. Officials have, at least for now, allayed that concern by saying that the government will not directly filter the traffic or receive the malicious code captured by the Internet providers. The Department of Homeland Security is a partner in the pilot program.
“The U.S. government will not be monitoring, intercepting or storing any private-sector communications,” Lynn said. “Rather, threat intelligence provided by the government is helping the companies themselves, or the Internet service providers working on their behalf, to identify and stop malicious activity within their networks.”
But civil liberties advocates are worried that a provision in the White House’s recent legislative proposal on cybersecurity could open the way to government surveillance through public-private partnerships such as this one. They are concerned that the proposal would authorize companies to share vast amounts of communications data with the federal government.
“The government needs to make up its mind about whether it wants to protect networks or collect intelligence,” Dempsey said.
Although this NSA technology is more sophisticated than traditional anti-virus programs, it still can screen only for known threats. Developing detection and mitigation strategies for emerging new threats is more difficult.
The program also does not protect against insider threats or employees who deliberately leak material. Nor will it protect a network from penetration by hackers who have compromised security software, enabling them to log in as if they were legitimate users. That is what happened recently when security firm RSA’s SecurID tokens were compromised, enabling hackers to penetrate Lockheed Martin’s computers. Lockheed said no customer, program or employee personal data were compromised.
The pilot program has been at least a year in the making. Providers and companies were concerned that they would be vulnerable to lawsuits or other sanctions if they allowed the government to filter the traffic or shared network data with the government. The NSA, meanwhile, was concerned about the classified data getting into the hands of adversaries.
The Internet carriers that are part of the pilot are not being paid to prepare their systems for it, an effort that industry officials said costs millions of dollars. The providers will work with the companies they currently serve. In some cases, they already provide a similar service of filtering for malicious traffic using their own threat data.
Lynn’s speech also appeared to outline key elements of the Pentagon’s cybersecurity strategy, an unclassified version of which is due out soon. The strategy, said experts and analysts who have been briefed on it, focuses on building defenses and a framework for deterrence. It also makes clear the military’s prerogative to use cyberwarfare and other traditional military means if the United States is attacked or becomes engaged in hostilities with an adversary.
“First we must raise the level of protection in government and military networks,” Lynn said Thursday. “We must ready our defense institution to confront cyberthreats, because it is clear any future conflict will have a cyber dimension.”