The Snowden Revelations and Cybersecurity

By Jack Goldsmith
Wednesday, August 14, 2013, 7:03 AM

One immediate consequence of Snowden’s various revelations about massive USG surveillance – at home and especially abroad – was to put a chill on the loud U.S. campaign against Chinese cyber-snooping.  (The hypocrisy in the U.S. position, and the fecklessness of mere complaints about the Chinese practice, was something that I and others have been pointing out for a while.)  Yesterday David Sanger reported on another cybersecurity-related casualty: The NSA’s ambitious plans to screen all Internet traffic in the United States for malicious cyber agents.  As Sanger describes it:

Under this proposal, the government would latch into the giant “data pipes” that feed the largest Internet service providers in the United States, companies like A.T.&T. and Verizon. The huge volume of traffic that runs through those pipes, particularly e-mails, would be scanned for signs of anything from computer servers known for attacks on the United States or for stealing information from American companies. Other “metadata” would be inspected for evidence of malicious software.

“It’s defense at network speed,” General Alexander told a Washington security-research group recently, according to participants. “Because you have only milliseconds.”

This sounds like some version of EINSTEIN 3 extended to the private network.  (I wrote about the legality of this possible extension here; several prominent experts questioned the efficaciousness of such a system here.)

The thrust of Sanger’s story is that such a cybersecurity system is now much less likely in light of Snowden’s revelations.  This is no doubt true in the short term, but I think it is not true in the medium term – i.e. over the next few years.  Network exploitations and attacks are a very serious and still-growing threat to our national and economic security.  Over the medium (and long) term, NSA involvement in the domestic network to check this threat will be driven by the seriousness of the threat itself, the extent to which the threat is seen by the public (via some catastrophic cyber attack on critical infrastructure; endless newspaper stories about cyber-theft won’t much change public opinion), and trust in the NSA.  As I wrote years ago:

A major challenge for the government, and one it has not yet figured out how to accomplish, is to give the NSA wider latitude to monitor private networks and respond to the most serious computer threats while at the same time credibly establishing that the agency is not doing awful things with its access to private communications. Such credibility is hard to establish, and so the government will likely hold back until we suffer a catastrophic cyber attack.

I still think this holds true, but would modify it a bit.  NSA won’t be able to do the things that General Alexander wants to do in the private network until the lights go out for a week, or some similar such catastrophe.  When that happens, there will be a demand for more security, and the main issues will be how much the nation trusts NSA, how credible its representations of restraint are, and how transparent the NSA is about what it is doing.  As I suggested last week, I think over the medium term the effect of Snowden’s revelations will be to transform the NSA into a more open, more publicly credible organization – to bring the restraint that everyone in NSA feels everyday into the public realm, and to add new and more open forms of scrutiny. In this way, Snowden will, I predict, facilitate NSA’s deeper involvement in homeland cybersecurity when the true nature of the threat becomes apparent.