NSA leaks halt defense plans
Experts say the U.S. is more vulnerable after the disclosure of spy tactics stalled cyber security initiatives.
WASHINGTON — Early last year, as Edward Snowden was preparing to disclose classified documents he had purloined from National Security Agency computers in Hawaii, the NSA director, Gen. Keith Alexander, was gearing up to sell Congress and the public on a proposal for the NSA to defend private U.S. computer networks against cyber attacks.
Alexander wanted to use the NSA’s powerful tools to scan Internet traffic for malicious software code. He said the NSA could kill the viruses and other digital threats without reading consumers’ private emails, texts and Web searches.
The NSA normally protects military and other national security computer networks. Alexander also wanted authority to prevent hackers from penetrating U.S. banks, defense industries, telecommunications systems and other institutions to crash their networks or to steal intellectual property worth billions of dollars.
But after Snowden, a contractor, began leaking NSA systems for spying in cyberspace that went public in June, Alexander’s proposal was a political nonstarter, felled by distrust of his agency’s fearsome surveillance powers in the seesawing national debate over privacy and national security.
It was one of several Obama administration initiatives, in Congress and in diplomacy, that experts say have been stopped cold or set back by the Snowden affair. As a result, U.S. officials have struggled to respond to the daily onslaught of attacks from Russia, China and elsewhere, a vulnerability that U.S. intelligence agencies now rank as a greater threat to national se- curity than terrorism.
“All the things [the NSA] wanted to do are now radioactive, even though they were good ideas,” said James Lewis, a cyber securi- ty expert at the Center for Strategic and International Studies, a nonpartisan think tank in Washington.
Snowden “has slowed everything down,” said Rep. Mike Pompeo (R-Kan.), who serves on the House Intelligence Committee.
The Obama administration has said it plans this year to release a list of voluntary best practices in cyber security for critical infrastructure, including electric utilities and chemical plants. And the State Department’s cyber coordinator, Christopher Painter, has achieved some little-noticed success, including agreements with Russia designed to smooth communications about cyber issues.
But President Obama’s warnings last summer to Chinese President Xi Jinping to halt what U.S. officials describe as state-sponsored hacking of U.S. corporations mostly have gone unheeded. The official U.S. position — that governments hacking governments for military and other official secrets is permissible, but governments hacking businesses for trade secrets is not — is a tougher sell these days.
Leaked documents showing that the NSA spied on Brazil’s energy corporation Petrobras, among other targets, have convinced many overseas that the U.S. government “engages in significant espionage related to economic affairs,” Harvard law professor Jack Goldsmith, a former legal advisor to President George W. Bush, wrote in an email.
Although Washington insists that governments shouldn’t spy on businesses, “the rest of the world ignores us because the U.S. position has no basis in international law, it is obviously self-serving, and it seems trite in the context of its massive surveillance in other contexts,” he said.
No one denies that cyber intrusions are a growing danger. U.S. Atty. Gen. Eric H. Holder Jr. said at a Senate hearing Wednesday that the Justice Department is investigating the cyber theft of 110 million Target customers’ data during a breach in December, including payment card numbers of 40 million customers and personal data of 70 million others.
Similarly, CrowdStrike, a security technology and services company based in Irvine, said it recently had identified a successful Russian campaign to steal data from hundreds of American, European and Asian companies, including energy and technology firms. CrowdStrike did not name the alleged victims, citing confidentiality agreements.
Many companies and institutions, which rely on a free f low of information, do too little to protect their networks. They also are often constrained from tipping off the government or other companies about computer attacks, or malicious software, because of potential shareholder suits or other legal liability.
The FBI, NSA and Department of Homeland Security Department, in turn, are barred by law from sharing malware signatures obtained from classified systems with the public. The problem, experts say, is akin to disease specialists not being allowed to share data about bacterial strains.
White House-backed legislation to legalize such sharing — the Cyber Intelligence Sharing and Protection Act — always faced an uphill fight in Congress because of concern that companies would give too much customer information to the government. But after Snowden revealed that major telecommunications and technology companies were transferring vast amounts of Americans’ data to the NSA, the bill was shelved.
A Homeland Security operation called Einstein monitors Internet traffic to search for attacks and intrusions on networks used by federal agencies. It uses deep packet inspection technology to scan for malicious code headed the government’s way.
Alexander, who is retiring as NSA chief in March, had hoped last year to adopt a similar model for the entire World Wide Web, not just the government portion. Instead, he has spent the last seven months defending the NSA against criticism of the programs Snowden exposed, and seeking to repair the damage.