The New York Times reports today that the “Obama administration has adopted new procedures for using the Defense Department’s vast array of cyberwarfare capabilities in case of an attack on vital computer networks inside the United States, delicately navigating historic rules that restrict military action on American soil. . . . Under the new rules, the president would approve the use of the military’s expertise in computer-network warfare, and the Department of Homeland Security would direct the work.” The story makes pretty clear that the Defense Department capabilities in question lie in the National Security Agency (NSA).
This is the latest in a series of government disclosures over the last eighteen months that clarify the NSA’s growing role in domestic cybersecurity, including a growing role working with the private sector to address cybersecurity problems.
The Obama administration's “summary description” of the classified Comprehensive National Cybersecurity Initiative that began under the Bush administration explains (in Initiative # 3) NSA’s participation in the government-wide, domestic initiative to deploy the EINSTEIN 3 intrusion-prevention system. DHS has also stated that potential EINSTEIN 3 capabilities are “based on technologies developed by the NSA.” And Deputy Secretary of Defense William Lynn has argued that the NSA-supported EINSTEIN 3 should extend to some or all of the private sector. “We need to think imaginatively about how [the EINSTEIN 3] technology can also help secure a space on the Internet for critical government and commercial applications” (my emphasis), he said earlier this year.
Lynn has also been pushing more generally for a robust NSA role in private-sector cybersecurity, and has in the process described its ongoing efforts with the private sector. In a recent essay, he said:
The Department of Homeland Security has the lead in protecting the “.gov” and “.com” domains, but the Pentagon must leverage its ten years of concerted investment in cyberdefense to support broader efforts to protect critical infrastructure. The U.S. government has only just begun to broach the larger question of whether it is necessary and appropriate to use natural resources, such as the defenses that now guard military networks, to protect civilian infrastructure. Policymakes need to consider, among other things, applying the National Security Agency’s defense capabilities beyond the “.gov” domain, such as to domains that undergird the commercial defense industry. U.S. Defense Contractors have already been targeted for intrusion, and sensitive weapons systems have been compromised. The Pentagon is therefore working with the Department of Homeland Security and the private sector to look for innovative ways to use the military’s cyberdefense capabilities to protect the defense industry.
In addition, the Director of the NSA, General Keith Alexander, is in charge of Cyber Command. Cyber Command defends the ".mil" network, but according to a 2009 Memorandum from the Secretary of Defense, it must also provide “support to civil authorities” in their cybersecurity efforts. Lynn recently stated that Cyber Command “works closely with private industry to share information about threats and to address shared vulnerabilities.”
Finally, the NSA is quietly building a $1.5 billion, 1 million square foot cybersecurity data center at Camp Williams near Salt Lake City, Utah. The Camp Williams facility will reportedly “provide intelligence and warnings related to cybersecurity threats, cybersecurity support to defense and civilian agency networks, and technical assistance to the Department of Homeland Security.”
I am glad that NSA is involved in domestic cybersecurity beyond the “.mil” network, in these and doubtless other ways. Cyber threats are an enormous challenge to our economic and national security, and we should use every tool at our disposal to meet them. NSA has unparalleled technical expertise and experience in cyberdefense.
The problem, of course, is that many people fear NSA involvement in the domestic realm and especially in the private network. As I wrote elsewhere, a “major challenge for the government, and one it has not yet figured out how to accomplish, is to give the NSA wider latitude to monitor private networks and respond to the most serious computer threats while at the same time credibly establishing that the agency is not doing awful things with its access to private communications.” The government seems to be addressing this challenge, slowly and quietly, and thus far without much controversy or pushback.