A drop in Americans’ trust in the government is making the difficult task of public-private cooperation against cyber-threats even more difficult.
And that has officials such as Gen. Keith B. Alexander, director of the National Security Agency, scrambling to shore up confidence in his agency, whose image has taken a beating in the wake of leaks about its surveillance programs by former NSA contractor Edward Snowden.
At public hearings and in speeches, Alexander, who also heads the U.S. Cyber Command, is warning that cyberattacks on such critical and technology-dependent industries as energy, finance and transportation can be prevented only if those industries work with the government. But companies are wary of partnering with an agency that has been revealed to be conducting far-reaching domestic data collection in the name of thwarting terrorism.
“Industry is critical to resolving our problems” in cybersecurity, Alexander said at the Billington Cybersecurity Summit last month at the National Press Club.
Toward that end, he said, Congress needs to pass “cyber-legislation” to encourage private companies to share data on cyber-threats. A bipartisan bill the House passed in April would provide immunity from civil lawsuits or criminal prosecution to companies that give the Department of Homeland Security network data that might contain evidence of such threats. DHS would pass the data on to relevant agencies, such as the NSA.
Alexander said the protected data would be limited to technical material indicating vulnerabilities in systems and hackers’ tracks. “We’re not talking about sharing our private information,” he assured the summit audience.
But there is wide recognition within and outside the government that the Snowden leaks, which began in June, have created a deficit of trust. “It was tough enough to [pass the bill] when the waters were calm,” Michael V. Hayden, Alexander’s predecessor as NSA director, said last week at The Washington Post’s Cyber Summit. “Now [proponents are] trying to do it in whitewater rapids, and it’s not going to happen.”
Even before the Snowden revelations, the White House threatened to veto the bill on grounds it lacked adequate safeguards for Americans’ privacy, among other things. Now, experts say, it is increasingly unlikely that the House version will emerge from the Senate.
“I don’t think anybody thinks it’s realistic to put the NSA in the middle of domestic cybersecurity at this point,” said Michelle Richardson, legislative counsel at the American Civil Liberties Union.
One of the most consequential Snowden leaks was a classified court order whose publication forced the government to acknowledge that the NSA had obtained secret court permission in 2006 to gather the phone records of virtually all Americans — billions of calls — to search for clues to terrorist plots. Another leak detailed how nine Internet companies — including Yahoo, Google and Microsoft — cooperated, under court order, with the NSA to collect e-mails and other digital data from lawful foreign targets.
The scale of the data collection stunned Americans, said Paul Tiao, former senior counselor to the FBI director who is a partner at Hunton & Williams. “I don’t think a lot of people thought they had all that information. The NSA has been trying to overcome that ever since.”
Companies have long been sensitive to the implications of sharing data with the government, fearing harm to their reputations and potential lawsuits for privacy and other violations, Tiao said. “The Snowden disclosures have made companies more careful about what they might share with the government because they know that the public is that much more concerned about it.” And restoring confidence, experts say, depends on how meaningful the government’s surveillance reforms are.
Here’s the reality: The bits and bytes that zip through computer networks each day serve many purposes. Some are innocent messages and images sent by friends, co-workers or marketers. But others contain foreign intelligence useful to the government, such as indications of terrorist activity. And some may contain malicious software or signals from foreign hackers designed to disrupt U.S. industrial networks or steal secrets from companies.
The NSA is supposed to ignore the first category of messages as it intercepts the second. But Snowden’s leaks have cast doubt on how well the agency protects the privacy of Americans’ communications it “inadvertently” collects while eavesdropping on foreign targets.
And that is impeding its efforts to be more successful at seeing the third category: the data that indicate a cyberattack is brewing. Whether the agency should have that capability at all is the crux of the debate.
Administration officials are optimistic about another initiative: a voluntary framework — which President Obama ordered — to help companies improve their network security. The National Institute of Standards and Technology is on track to issue a preliminary framework this week that includes controls such as a company identifying its computer systems so it knows what it has. It’s a far cry from the administration’s initial goal of mandatory industry standards. But, White House cybersecurity coordinator Michael Daniel said, “it will provide companies a good way of thinking about their cyber-risk and give them a very structured way to mitigate that risk.”
The outline should make it easier to elevate the cyber-risk discussion to the boardroom, on a par with financial risk issues, Daniel said. “This structured process will really make it much easier for companies that haven’t tackled this problem as fully as they would like to.”
Rick Dakin, chief executive of Coalfire Systems in Louisville, Colo., predicted that industry would get “tremendous mileage” out of the framework. “If you’re an exec today and you know there’s a downside if you’re not complying with that industry standard, wouldn’t you want that standard defined?” he said. “It’s really to industry’s benefit to know.”
But Paul Rosenzweig, a former Department of Homeland Security deputy assistant secretary for policy who consults on cybersecurity, called the framework a “modestly useful compilation of existing standards” that “breaks no new ground.” Anybody who operates high-risk systems, he said, already knows most of what is in it. And some industry officials say the framework is a step toward regulation that will stifle innovation.
Mark Weatherford, former deputy undersecretary for cybersecurity at the Department of Homeland Security, said it’s up to industry to raise its game — because the government’s role is limited by restrictions on the sharing of classified information and other policy constraints. “The government is not going to come riding in on a white horse to rescue you when you have a security incident,” he said at a speech in August. “The government is simply unable, at least today, to provide timely and actionable information when you really need it.”
Daniel said the next step is to create incentives for industry to adopt the best practices suggested in the framework — immunity from lawsuits, for example, or contracting advantages.
The bottom line, experts say, is that cyber-legislation looks unlikely without trust in government — unless there’s a major cyberattack on the United States.
“That,” Tiao said, “could change things.”