Cybersecurity Legislation Should Force US Government to Listen Less and Speak More

To defend itself from the onslaughts of online crime and espionage backed by China and other nations, America’s private sector needs the capabilities of the US government. These tax-paying companies are on the new front lines of the cyber conflict, in which private enterprise is facing nation-state funded threats. Given their role in maintaining America’s critical infrastructure, these companies are not getting what they need. Now, new legislation puts too much stress on their responsibilities to talk to government. There is even talk of forcing cyber monitoring by the National Security Agency upon them. Rather than crowd out the security industry’s own monitoring efforts with a constitutionally troubling and expensive program, the government should bolster that market by simply declassifying the needed information.

 

Two recent articles by Ellen Nakashima revealed how NSA pushed the White House for over a year to force critical infrastructure companies to accept government monitoring of their networks. According to these reports, the White House “blocked draft legislation that would have enabled the National Security Agency or any government entity to monitor private sector networks for computer viruses and to operate ‘active defenses’ to block them.” 

The NSA may be the most capable cyber organization on the planet. Far larger than the CIA, the NSA’s capability is rooted in the agency’s decades-long responsibility to make America’s codes and ciphers unbreakable, while simultaneously breaking those of our potential adversaries.

While government monitoring would leverage this expertise, the real benefit would be to tap the NSA’s classified database of “signatures” of malicious software. These signatures — similar to but more comprehensive than those at private security companies like McAfee — have been vacuumed up by the agency’s worldwide network of sensitive collection sources and are considered among the crown jewels of the US government’s defense capabilities. With them, defenses can detect and prevent any attacks that match those signatures.

Despite these strengths, there are significant problems with forcing companies to accept monitoring. First, these capabilities may not be as awe-inspiring as advertised. A recent, highly touted Department of Defense program used a subset of these classified signatures to protect companies like Northrop Grumman or Lockheed Martin in DoD’s industrial base. Apparently, an independent review found only marginal benefit. Only one percent of the attacks were detected using “NSA threat data that the companies did not already have themselves.” It concluded that the value of the declassified signatures “was not conclusively demonstrated.” 

The second problem with mandatory government monitoring is the most obvious and severe. Especially after scandals over warrantless intercepts, NSA has lost a great deal of the public’s trust. Companies, even those that may otherwise hold the agency in high regard, may have little confidence that government agencies will not dip into the content of their monitored communications to collect intelligence, not just block attacks.

But there is a solution to, at least, the second problem. The administration already has a better option than mandating government monitoring: declassification. When American soldiers are in harm’s way, intelligence agencies will take significant risks to declassify the right information to keep them safe. Though it is a different kind of fight, the US government should be willing to take bold risks to support our embattled companies on the front lines of the network.

The critics are already sharpening their knives: if we declassify these signatures, won’t we compromise our sensitive collection sources and methods? In truth, the extreme classification surrounding most of these signatures protects little but bureaucratic inertia. General Michael Hayden, a past NSA director, made this case best, saying, “Let me be clear: This stuff is overprotected.”

More importantly, the Internet is an open network and any adversary that uses novel malicious software knows it will eventually be discovered.  So by releasing their attacks “in the wild” over the Internet, the bad guys have themselves already made their malicious software public. Accordingly, NSA has plausible cover for declassification even if they relied on a sensitive collection source. Even better, most adversaries are non-state actors likely to suspect a careless colleague or a rat informing law enforcement.  

These signatures will still need some protection: though the malicious software is public, our adversaries may not know which particular aspects of it are detected by signatures, but this is a reason to be careful, not to classify. If some signatures are even more sensitive, then let’s reserve special protection for those few, rather than protect all at the highest levels. The Director of NSA could have a special non-delegable authority to delay passing certain signatures for thirty days, or sixty, or however long is needed. 

How might NSA passing their declassified signatures to companies work? Depending on the administration’s priorities and appetite for risk, there are several options.

For example, if the program truly must be mandatory, the administration could design a program requiring monitoring using NSA information but not necessarily conducted by the agency. Companies that trusted the agency could opt for direct NSA monitoring using every signature, even those the Director chose not to declassify yet. Companies not willing to take that leap could use an alternate provider (such as McAfee, IBM, or Symantec) which would have added the declassified NSA signatures to its own.

Another option could leverage the idea in recent legislative proposals calling for an independent clearing house for signatures. NSA might anonymously add their signatures to the clearing house and further wash their source by mixing them with signatures from security companies and even with other nations’ intelligence agencies, like the UK’s GCHQ or Canada’s CSE. 

This option would create the world’s best-ever signature database, better than just the NSA’s on its own, and any organization that contributes its signature collection would then be able to use the full database. Not only would critical infrastructure companies get an increased level of protection but so would the rest of America’s internet users. The government would use its taxpayer-funded information to bolster the security companies, rather than crowd them out.

As a last option, the government could simply release all declassified signatures, possibly after a suitable waiting period. However, this option — the cheapest and easiest — will almost certainly be seen as too risky.

Some critics may still balk: If defenders act on these declassified signatures, then we have tipped our hand and bad guys will switch to new malicious software which we cannot track. On the face of it, this criticism is an unreasonable position: If government wants to monitor private sector companies, the only acceptable goal should be to prevent attacks on the private sector, not improve its own intelligence take.   

To win a battle, at some point you have to take the initiative, put your enemies on the defensive and force them to react: we are now at that culmination point. Adversaries will of course switch to new malicious software; that is the nature of conflict, but at least the conflict will be less one-sided.

The cyber crisis is dire and the administration should take bold steps to defend America.  Forcing companies to accept government monitoring is the wrong kind of step. The right kind starts with NSA sharing its overclassified signatures in a way that boosts the private market, not supplants it. The right legislation will ensure the government declassifies signatures to give taxpaying companies the information they need to continue the fight at the front lines of today’s cyber conflict.   

Some of the same US government officials who warn us about how vulnerable the United States is to cyber attack have called their own cyber collection part of the “golden age of espionage.” The government should give up a little of that gold to protect the nation. This is the bold step we need and the one that is long overdue. 

Jason Healey is the director of the Cyber Statecraft Initiative at the Atlantic Council. You can follow his comments on cyber cooperation, conflict and competition on Twitter, @Jason_Healey. The original version of this blog appeared at the online site of The Atlantic.
