By Ellen Nakashima
Washington Post Staff Writer
Friday, April 17, 2009
The Bush administration planned last year to direct the National Security Agency, which specializes in spying electronically on foreign adversaries, to take the techniques it has employed to defend military computer networks and use them to protect U.S. government civilian networks, according to current and former officials.
When the effort did not proceed as quickly as hoped, NSA employees on loan to the Department of Homeland Security sought to test sophisticated software that would send sensor technologies into the Internet to detect malicious code entering civilian government networks, the officials said.
The goal: "Stop it before it gets there," one former official said. He and other sources spoke on the condition of anonymity because the methods are classified.
The Obama administration is looking at the Bush plan as part of a 60-day review of the government's cybersecurity strategies and programs expected to be completed today. Congressional committees had concerns about civil liberties, cost and complexity, officials said. DHS still plans to conduct the sensor test, part of a program called Einstein 3, in a manner that the department says will respect privacy and civil liberties laws and rules, and has briefed Congress on the proposal, spokeswoman Amy Kudwa said.
The Bush administration's Comprehensive National Cybersecurity Initiative, much of which is classified, has renewed longstanding anxieties about whether the NSA -- which has spurred controversy over its warrantless surveillance of Americans' e-mails and phone calls -- can be trusted to keep inappropriate information out of its files.
Debate over the NSA's role in protecting the government and nation's computer networks is one of the thorniest issues facing the Obama administration's effort to build a broad cybersecurity strategy, one that is also intended to shield the increasingly global computer networks of major telecommunications, banking and utility companies.
The NSA's advocates say it is the only body with the technology and expertise to detect and thwart cyber attacks, but there are questions about its legal authority to protect civilian and private commercial systems, as well as privacy concerns, experts say. Meanwhile, the mission of the Department of Homeland Security is to defend civilian and commercial grids, but its skills, experts say, are lacking.
"The only people who can do the things we need to do today is NSA," said James A. Lewis, a senior fellow at the Center for Strategic and International Studies who directed a major study on the cybersecurity threat last year. "Then you immediately run into this legal issue. What can be surveilled domestically without a warrant?"
A top DHS cybersecurity official resigned last month to protest, among other things, a perceived power grab by the NSA. "NSA effectively controls DHS cyber efforts through detailees, technology insertion and the proposed move of [two DHS entities] to a Fort Meade NSA center," Rod Beckstrom, former director of the National Cyber Security Center, complained in a March 5 letter to Homeland Security Secretary Janet Napolitano. "NSA currently dominates most national cyber efforts."
At a speech at Stanford University last month, NSA Director Keith B. Alexander stressed that the agency seeks only to defend the government computer networks. To do so, he said, the government must marry the offensive skills spy agencies use to detect cyber threats with the defensive skills to thwart them. He said the government must create an "early warning" sensor grid and a real-time ability to detect a threat and parry it.
Meanwhile, congressional intelligence officials said yesterday that they will continue to look into revelations, reported in the New York Times, that the NSA had swept up the communications of Americans while targeting foreign groups and individuals. The House and Senate intelligence committees have had several briefings on the matter from Justice Department officials who said the overly expansive wiretapping was corrected after it was discovered during a routine review of the NSA program. Officials, however, declined to say how many Americans were affected, and what fixes were made to the program.
The lapses were primarily "technical stuff," said one former intelligence official with access to sensitive reports about the program. The official, who spoke on the condition of anonymity because the surveillance program is secret, noted that there had been no credible allegations of deliberate abuse. "There were no cases where [surveillance] was conducted in bad faith or used for improper purposes," the official said.
A former intelligence official briefed on the program said the allegations that it "was careless or poorly supervised are categorically false." He said there were "massive staff resources" devoted to oversight of the program.
In a statement, Director of National Intelligence Dennis C. Blair acknowledged "inadvertent mistakes" but said the NSA's eavesdropping programs complied with the law and went to "great lengths to ensure that the privacy and civil liberties of U.S. persons are protected."
But Sen. Russell Feingold (D-Wis.) said that flaws in the eavesdropping program are the consequence of "a tragic retreat from the principles that had governed the sensitive area of government surveillance for the previous three decades."
The Bush administration's cybersecurity initiative was outlined in January 2008 in a classified joint presidential directive. It called for about $17 billion in spending.
The initiative followed a series of alarming intrusions into the Pentagon's systems, including an e-mail network in Defense Secretary Robert M. Gates's office, and into those of the State and Commerce departments, as well as fears of a complete meltdown in the global banking system in the event of a cyber attack.
Last year, then-Director of National Intelligence Mike McConnell wrote Gates a letter recommending the establishment of a national cyber command, led by the NSA director. Among his missions would be that of supporting DHS in protecting the civilian networks through the cyber plan.
The plan was to detect and prevent malicious code infiltrating the domestic government networks at the points where they exchange traffic with the systems of commercial telecom carriers, current and former officials said.
McConnell, Alexander and others briefed congressional oversight committees on the proposal, urging them to focus on the threat, the agencies' capabilities and the need for action.
But the intelligence committees had major privacy and other concerns about the plan. "It was not at that level of maturity that we were comfortable in saying, 'Yes, go ahead,' " a congressional aide said.
Paul Kurtz, a National Security Council member in the Clinton and Bush administrations who served on the Obama transition team on cyber issues, said the NSA is the only agency equipped to have a view of threats in the global system. Until such a view is enabled, with strong oversight, he said, "we're going to keep taking it on the chin.''
Staff writers Peter Finn and Joby Warrick and staff researcher Madonna Lebling contributed to this report.