The National Security Agency has pushed repeatedly over the past year to expand its role in protecting private-sector computer networks from cyberattacks but has been rebuffed by the White House, largely because of privacy concerns, according to administration officials and internal documents.
The most contentious issue was a legislative proposal last year that would have required hundreds of companies that provide such critical services as electricity generation to allow their Internet traffic to be continuously scanned using computer threat data provided by the spy agency. The companies would have been expected to turn over evidence of potential cyberattacks to the government.
NSA officials portrayed such measures as unobtrusive ways to protect the nation’s vital infrastructure from what they said are increasingly dire threats of devastating cyberattacks.
But the White House and Justice Department argued that the proposal would permit unprecedented government monitoring of routine civilian Internet activity, according to documents and officials familiar with the debate. They spoke on the condition of anonymity to describe administration deliberations. Internal documents reviewed by The Washington Post backed these descriptions.
White House officials cautioned the NSA that President Obama has opposed cybersecurity measures that weaken personal privacy protections. They also warned the head of the spy agency, Army Gen. Keith Alexander, to restrain his public comments after speeches in which he argued that more expansive legal authority was necessary to defend the nation against cyberattacks, according to several officials.
“We have had to remind him to at least be cognizant of what the administration’s policy positions are, so if he’s openly advocating for something beyond that, that is undermining the commander in chief,” an administration official said.
The debate, which is surfacing as Congress considers landmark cyber-legislation, turns on what means are necessary and appropriate to protect vital private-sector systems from attack by China, Russia or other potential adversaries. Even some criminal gangs and hackers, such as the self-styled activist group Anonymous, increasingly may acquire the tools to mount major assaults on the nation’s computer systems, U.S. officials say.
NSA officials said that they have issued warnings about such threats but that they have not sought to establish policy.
“As a major source of the nation’s technical expertise on cyber and cybersecurity, we have a responsibility to ensure our leaders are informed and aware of what is happening in the cyber-realm,” NSA spokeswoman Judith Emmel said. “We also work diligently to team with other agencies, industry and academia to find solutions to protecting our nation’s critical infrastructure.”
The proposal was intended to supplement an administration legislative package, unveiled in May, that NSA officials thought did not go far enough in protecting critical industries such as nuclear power, according to administration officials. The proposal was put forth by the Defense Department, which includes the NSA, and the Department of Homeland Security.
The proposal drew on a Pentagon pilot program launched last year in which Internet service providers used the NSA’s library of threat data to scan e-mails and other computer traffic flowing to and from the nation’s top defense contractors. That program was a response to fears that foreign spy services were using cyber-technology to steal corporate or U.S. military secrets.
A Pentagon-commissioned report in November validated the concept but said the effectiveness of such an approach remained uncertain.
The NSA, however, saw the program as a model for expanding its role in protecting other potentially significant targets of cyberattacks. The proposed legislation would have made participation in an expanded program mandatory for designated industries that didn’t reach certain security benchmarks on their own after one year, according to a draft copy of the legislation and officials.
The reason, NSA officials said in internal administration discussions, is that the companies have not shown that they are capable of defeating the rapidly evolving universe of cyberthreats. By the time a major attack on a water system or nuclear plant is discovered, it might be too late to thwart it.
“In order to stop it, you have to see it in real time, and you have to have those authorities,” Alexander, who is also head of the U.S. military’s Cyber Command, said in remarks at Fordham University in New York last month. “Those are the conditions that we have put on the table. Now, how and what the administration and Congress choose, that will be a policy issue.”
His remarks prompted calls to the Pentagon and White House from congressional staff members wondering whether the administration was seeking new powers for the NSA, said several government officials with knowledge of the exchanges.
The NSA proposal, called Tranche 2, sparked fierce debate within the administration. It would have required an estimated 300 to 500 companies with a role in critical infrastructure systems to allow their Internet carrier or some other company to scan their computer networks for malicious software using government threat data. The Department of Homeland Security, which helped develop the plan, would have designated which companies were required to participate.
NSA officials say this process would have been automated, preventing intrusions into the personal privacy of ordinary users visiting Web sites or exchanging electronic messages with friends.
Only when a scan identified a potential threat would analysts become involved to assess what the software had identified and use it to devise better tools to stop such threats, the agency said in the internal administration debates. Identifying information on specific Internet users would have been blocked.
Agency officials took exception to suggestions that such a procedure amounted to “monitoring” of private-sector Internet traffic, something that Obama has specifically and publicly opposed.
In an interview with The Post, NSA Deputy Director John C. Inglis said, “At no time was there, from the NSA perspective, a proposal that the government enter into an arrangement where it would monitor private-sector networks.”
But the White House and other agencies, including the departments of Justice and Commerce, said the proposal left open the possibility that large Internet carriers themselves could be designated critical entities. This, they said, might have allowed scanning for cyberthreats of virtually all Internet traffic on behalf of the government, opening a more-expansive window into American behavior online.
Officials also worried about the effectiveness of the approach and the costs to participating industries. Senior officials at numerous government agencies reviewed the NSA proposal. At a White House meeting in August, Tranche 2 was killed, said officials with knowledge of the debate.
“At the end of the day, it was shut down because it looked way too much like a government monitoring program,” a second administration official said.
More recently, in January, NSA officials expressed concern when the White House blocked draft legislation being prepared by a Senate Intelligence Committee staffer that would enable any government agency to monitor private computer networks for cyberthreats and to take measures to counter those threats, according to administration officials and documents. These sources include draft versions of legislation and internal communications discussing them.
A revised version of the bill, which is part of the cyber-legislation introduced in Congress this month, would allow only private-sector entities to monitor networks and to operate the countermeasures.
The issue, said James A. Lewis, a cyber-policy expert at the Center for Strategic and International Studies, is one of trust. He said that he trusts the NSA to handle the data responsibly but that “the oversight we have in place isn’t enough to reassure everyone the data are not being used for other purposes.”
White House resistance to giving the NSA a greater role in protecting Internet traffic worries some other cyberexperts, who say that private industry should be required to turn over evidence of cyberthreats to the government.
“We’re desperately late in doing this,” said Alan Paller, research director at the SANS Institute, a Bethesda-based cyber-training organization. “Our future economic well-being and future national security are at stake if we don’t mandate it.”