It wasn’t exactly surprising to read in the Wall Street Journal Wednesday in an article by Siobhan Gorman that the National Security Agency is standing electronic watch over the country’s critical infrastructure, but the news is unsettling. This evolution in our national-security policy was only a matter of time. NSA has been itching for this job, and now, it has it. But there has been almost no debate or public discussion about letting the government into a huge swath of computer networks, much less whether it’s wise or legal.
In May 2007, former intelligence director Mike McConnell—a well-known cyber warrior and a former chief of NSA—struck terror in the heart of George W. Bush when he told the President that the computer systems that run banks in this country were vulnerable to cyber attack. The President had never understood the kind of damage a determined hacker, terrorist group, or nation state could cause with a sophisticated attack on US data. Bush’s response to that new knowledge was to give McConnell what he wanted: authority to use the NSA as a front-line defender of US infrastructure.
The Department of Defense had managed to protect its internal networks by limiting the number of points where it connected to the public Internet to just 18. These off-ramps connecting the Information Superhighway to DOD’s equivalent of access roads were well guarded by NSA’s electronic sentinels. NSA had developed the capability to detect the malicious signals emitted by viruses and worms that hackers launched against computers in the US. So the agency began looking for those so-called “threat signatures” as they passed through those heavily guarded 18 points. But NSA started looking for signatures directed both at the DOD’s networks and at other systems in private hands, including electrical stations and financial organizations.
In the past, NSA was content to act like a sheriff standing guard against bandits on the edge of town. Now, under Perfect Citizen, NSA is expanding to post deputies both at the border, and at the bank, saloon and brothel as well.
When I interviewed McConnell for my book, he told me that he and other officials found a way for NSA to protect private assets without breaking laws limiting the agency’s operations. The NSA could cooperate with another DOD agency with statutory authority to protect military networks, as well as with the Homeland Security Department, the only department legally allowed to work with US utilities to set up cyber defenses. Technically speaking, NSA wasn’t protecting utilities on its own, just coordinating with other organizations. But make no mistake. NSA supplied the expertise, the technology, and the personnel to do the job—all it lacked was formal control of the operations.
It’s not clear from reading Gorman’s article on Perfect Citizen whether NSA is once again only monitoring threats from abroad. We don’t know that, in large part, because there has been almost no public debate about what NSA’s role should be in cyber defense. McConnell made it clear to me that he knew the political dangers of his plan and how the headline news of a bold, new cyberinitiative would play: “NSA spies monitoring US computers for hackers.” And here we are, three years later. Will there be outrage or acquiescence?