By Ellen Nakashima
Washington Post Staff Writer
Friday, July 3, 2009
The Obama administration will proceed with a Bush-era plan to use National Security Agency assistance in screening government computer traffic on private-sector networks, with AT&T as the likely test site, according to three current and former government officials.
President Obama said in May that government efforts to protect computer systems from attack would not involve "monitoring private-sector networks or Internet traffic," and Department of Homeland Security officials say the new program will scrutinize only data going to or from government systems.
But the program has provoked debate within DHS, the officials said, because of uncertainty about whether private data can be shielded from unauthorized scrutiny, how much of a role NSA should play and whether the agency's involvement in warrantless wiretapping during George W. Bush's presidency would draw controversy. Each time a private citizen visited a "dot-gov" Web site or sent an e-mail to a civilian government employee, that action would be screened for potential harm to the network.
"We absolutely intend to use the technical resources, the substantial ones, that NSA has. But . . . they will be guided, led and in a sense directed by the people we have at the Department of Homeland Security," the department's secretary, Janet Napolitano, told reporters in a discussion about cybersecurity efforts.
Under a classified pilot program approved during the Bush administration, NSA data and hardware would be used to protect the networks of some civilian government agencies. Part of an initiative known as Einstein 3, the plan called for telecommunications companies to route the Internet traffic of civilian agencies through a monitoring box that would search for and block computer codes designed to penetrate or otherwise compromise networks.
AT&T, the world's largest telecommunications firm, was the Bush administration's choice to participate in the test, which has been delayed for months as the Obama administration determines what elements to preserve, former government officials said. The pilot program was to have begun in February.
"To be clear, Einstein 3 development is proceeding," DHS spokeswoman Amy Kudwa said. "We are moving forward in a way that protects privacy and civil liberties."
AT&T officials declined to comment.
A DHS official said the delay occurred because the original timeline "did not take into account all that was required to ensure the exercise would provide the data needed."
The program is the most controversial element of the $17 billion cybersecurity initiative the Bush administration started in January 2008. Einstein 3 is crucial, advocates say, in an era in which hackers have compromised computer systems at the Commerce and State departments and have taken military jet data from a defense contractor.
The NSA declined to comment on Einstein 3, but a spokeswoman said the agency would help DHS in "any way possible, including technical support," as it seeks to protect government networks.
The internal controversy reflects the central tension in the debate over how best to defend the nation's mostly private system of computer networks. The techniques that work best, experts say, require the automated scrutiny of e-mail and other electronic communications content -- something that commercial providers already do.
Proponents of involving the government said such efforts should harness the NSA's resources, especially its database of computer codes, or signatures, that have been linked to cyberattacks or known adversaries. The NSA has compiled the cache by, for example, electronically observing hackers trying to gain access to U.S. military systems, the officials said.
"That's the secret sauce," one official said. "It's the stuff they have that the private sector doesn't."
But it is also the prospect of NSA involvement in cybersecurity that fuels concerns about unwarranted government snooping into private communication.
"The bitter battles over privacy and NSA's role in domestic wiretapping hang over cybersecurity like a toxic cloud," said Stewart A. Baker, who was assistant secretary of homeland security under Bush.
AT&T was sued over its role in aiding the Bush-era counterterrorism program to intercept Americans' e-mails and phone calls without a warrant. It is seeking legal assurance that it will not be sued for participating in the pilot program. That legal certification has been held up for several months as DHS prepares a contract, several current and former officials said.
Einstein's promise, they said, is that it can more effectively detect malicious activity and disable intrusions before harm is done to civilian government networks.
"Intrusion detection is like a cop with a radar gun on a highway who catches you speeding or drunk and phones ahead to somebody at the other end," Michael Chertoff, former homeland security secretary, said in a recent interview. "Einstein 3 is a cop who actually arrests you and pulls you off the road when he sees you driving drunk."
The pilot program has two goals. The first is to prove that the telecommunications firm can route only traffic destined for federal civilian agencies through the monitoring system. The second is to test whether the technology can work effectively on civilian government networks. The sensor box would scan e-mail messages and other content just before they enter the civilian agency networks.
The classified NSA system, known as Tutelage, has the ability to decide how to handle malicious intrusions -- to block them or watch them closely to better assess the threat, sources said. It is currently used to defend military networks.
The database for the program would also contain feeds from commercial firms and DHS's U.S. Computer Emergency Readiness Team, administration officials said.
"We're looking for malicious content, not a love note to someone with a dot-gov e-mail address," a senior Bush administration official said. "What we're interested in is finding the code, the thing that will do the network harm, not reading the e-mail itself."
Ari Schwartz, a vice president of the Center for Democracy and Technology, was among a group of privacy advocates given a classified briefing in March on the Einstein program. The advocates wanted to ensure that officials had a plan to protect privacy and civil liberties, including shielding such personally identifying data as Internet protocol addresses.
"We came away saying they have a lot of work in front of them to get this done right," Schwartz said. "We're looking forward to their next steps."
Bush administration lawyers determined last year that DHS had the legal authority to conduct the Einstein program, and could do so in compliance with existing wiretap and privacy laws, as long as appropriate policies were in place.
Last fall, plans for the pilot were proceeding, former officials said. But in the Bush administration's final weeks, AT&T lawyers raised concerns about legal liability, they said. Then-Attorney General Michael B. Mukasey was willing to give AT&T written assurance that it would bear no liability for participating in the program, but both AT&T and the Justice Department agreed that the new administration should issue the certification, they said.
"They just wanted to make sure the certification would not be reversed by the next administration," a Bush administration official said.
In hindsight, Baker said, the Bush White House's decision to classify so much of its initiative was a mistake.
"It meant that the problem was not well understood," said Baker, who was NSA general counsel in the Clinton administration. "The solution was veiled in secrecy in a way that allowed people outside to be suspicious, so anybody who mistrusted the intelligence community could just assume that it was because they were doing something that they shouldn't be doing."
Staff writers Spencer S. Hsu and Carrie Johnson contributed to this report.