The Washington Post

NSA tries to regain industry’s trust to work cooperatively against cyber-threats

Army Gen. Keith Alexander, commander of U.S. Cyber Command, director of the National Security Agency and chief of the Central Security Service, speaks at the Armed Forces Communications and Electronics Association's International Cyber Symposium on June 27 in Baltimore, Md. (Win McNamee/Getty Images)

A drop in Americans’ trust in the government is making the difficult task of public-private cooperation against cyber-threats even more difficult.

And that has officials such as Gen. Keith B. Alexander, director of the National Security Agency, scrambling to shore up confidence in his agency, whose image has taken a beating in the wake of leaks about its surveillance programs by former NSA contractor Edward Snowden.

At public hearings and in speeches, Alexander, who also heads the U.S. Cyber Command, is warning that cyberattacks on such critical and technology-dependent industries as energy, finance and transportation can be prevented only if those industries work with the government. But companies are wary of partnering with an agency that has been revealed to be conducting far-reaching domestic data collection in the name of thwarting terrorism.

“Industry is critical to resolving our problems” in cybersecurity, Alexander said at the Billington Cybersecurity Summit last month at the National Press Club.

Toward that end, he said, Congress needs to pass “cyber-legislation” to encourage private companies to share data on cyber-threats. A bipartisan bill the House passed in April would provide immunity from civil lawsuits or criminal prosecution to companies that give the Department of Homeland Security network data that might contain evidence of such threats. DHS would pass the data on to relevant agencies, such as the NSA.

Alexander said the protected data would be limited to technical material indicating vulnerabilities in systems and hackers’ tracks. “We’re not talking about sharing our private information,” he assured the summit audience.

But there is wide recognition within and outside the government that the Snowden leaks, which began in June, have created a deficit of trust. “It was tough enough to [pass the bill] when the waters were calm,” Michael V. Hayden, Alexander’s predecessor as NSA director, said last week at The Washington Post’s Cyber Summit. “Now [proponents are] trying to do it in whitewater rapids, and it’s not going to happen.”

Even before the Snowden revelations, the White House threatened to veto the bill on grounds it lacked adequate safeguards for Americans’ privacy, among other things. Now, experts say, it is increasingly unlikely that the House version will emerge from the Senate.

“I don’t think anybody thinks it’s realistic to put the NSA in the middle of domestic cybersecurity at this point,” said Michelle Richardson, legislative counsel at the American Civil Liberties Union.

One of the most consequential Snowden leaks was a classified court order whose publication forced the government to acknowledge that the NSA had obtained secret court permission in 2006 to gather the phone records of virtually all Americans — billions of calls — to search for clues to terrorist plots. Another leak detailed how nine Internet companies — including Yahoo, Google and Microsoft — cooperated, under court order, with the NSA to collect e-mails and other digital data from lawful foreign targets.

The scale of the data collection stunned Americans, said Paul Tiao, former senior counselor to the FBI director who is a partner at Hunton & Williams. “I don’t think a lot of people thought they had all that information. The NSA has been trying to overcome that ever since.”

Companies have long been sensitive to the implications of sharing data with the government, fearing harm to their reputations and potential lawsuits for privacy and other violations, Tiao said. “The Snowden disclosures have made companies more careful about what they might share with the government because they know that the public is that much more concerned about it.” And restoring confidence, experts say, depends on how meaningful the government’s surveillance reforms are.

Here’s the reality: The bits and bytes that zip through computer networks each day serve many purposes. Some are innocent messages and images sent by friends, co-workers or marketers. But others contain foreign intelligence useful to the government such as indications of terrorist activity. And some may contain malicious software or signals from foreign hackers designed to disrupt U.S. industrial networks or steal secrets from companies.

The NSA is supposed to ignore the first category of messages as it intercepts the second. But Snowden’s leaks have cast doubt on how well the agency protects the privacy of Americans’ communications it “inadvertently” collects while eavesdropping on foreign targets.

And that is impeding its efforts to be more successful at seeing the third category: the data that indicate a cyberattack is brewing. Whether the agency should have that capability is the crux of that debate.

Administration officials are optimistic about another initiative: a voluntary framework — which President Obama ordered — to help companies improve their network security. The National Institute of Standards and Technology is on track to issue a preliminary framework this week that includes controls such as a company identifying its computer systems so it knows what it has. It’s a far cry from the administration’s initial goal of mandatory industry standards. But, White House cybersecurity coordinator Michael Daniel said, “it will provide companies a good way of thinking about their cyber-risk and give them a very structured way to mitigate that risk.”

The outline should make it easier to elevate the cyber-risk discussion to the boardroom, on a par with financial risk issues, Daniel said. “This structured process will really make it much easier for companies that haven’t tackled this problem as fully as they would like to.”

Rick Dakin, chief executive of Coalfire Systems in Louisville, Colo., predicted that industry would get “tremendous mileage” out of the framework. “If you’re an exec today and you know there’s a downside if you’re not complying with that industry standard, wouldn’t you want that standard defined?” he said. “It’s really to industry’s benefit to know.”

But Paul Rosenzweig, a former Department of Homeland Security deputy assistant secretary for policy who consults on cybersecurity, called the framework a “modestly useful compilation of existing standards” that “breaks no new ground.” Anybody who operates high-risk systems, he said, already knows most of what is in it. And some industry officials say the framework is a step toward regulation that will stifle innovation.

Mark Weatherford, former deputy undersecretary for cybersecurity at the Department of Homeland Security, said it’s up to industry to raise its game — because the government’s role is limited by restrictions on the sharing of classified information and other policy constraints. “The government is not going to come riding in on a white horse to rescue you when you have a security incident,” he said at a speech in August. “The government is simply unable, at least today, to provide timely and actionable information when you really need it.”

Daniel said the next step is to create incentives for industry to adopt the best practices suggested in the framework — immunity from lawsuits, for example, or contracting advantages.

The bottom line, experts say, is that cyber-legislation looks unlikely without trust in government — unless there’s a major cyberattack on the United States.

“That,” Tiao said, “could change things.”


Ellen Nakashima is a national security reporter for The Washington Post. She focuses on issues relating to intelligence, technology and civil liberties.


