PRIVACY OCTOBER 10, 2013
Ever since stories about the National Security Agency’s (NSA) electronic intelligence-gathering capabilities began tumbling out last June, The New York Times has published more than a dozen editorials excoriating the “national surveillance state.” It wants the NSA to end the “mass warehousing of everyone’s data” and the use of “back doors” to break encrypted communications. A major element of the Times’ critique is that the NSA’s domestic sweeps are not justified by the terrorist threat they aim to prevent.
At the end of August, in the midst of the Times’ assault on the NSA, the newspaper suffered what it described as a “malicious external attack” on its domain name registrar at the hands of the Syrian Electronic Army, a group of hackers who support Syrian President Bashar Al Assad. The paper’s website was down for several hours and, for some people, much longer. “In terms of the sophistication of the attack, this is a big deal,” said Marc Frons, the Times’ chief information officer. Ten months earlier, hackers stole the corporate passwords for every employee at the Times, accessed the computers of 53 employees, and breached the e-mail accounts of two reporters who cover China. “We brought in the FBI, and the FBI said this had all the hallmarks of hacking by the Chinese military,” Frons said at the time. He also acknowledged that the hackers were in the Times system on election night in 2012 and could have “wreaked havoc” on its coverage if they wanted.
Such cyber-intrusions threaten corporate America and the U.S. government every day. “Relentless assaults on America’s computer networks by China and other foreign governments, hackers and criminals have created an urgent need for safeguards to protect these vital systems,” the Times editorial page noted last year while supporting legislation encouraging the private sector to share cybersecurity information with the government. It cited General Keith Alexander, the director of the NSA, who had noted a 17-fold increase in cyber-intrusions on critical infrastructure from 2009 to 2011 and who described the losses in the United States from cyber-theft as “the greatest transfer of wealth in history.” If a “catastrophic cyber-attack occurs,” the Timesconcluded, “Americans will be justified in asking why their lawmakers ... failed to protect them.”
When catastrophe strikes, the public will adjust its tolerance for intrusive government measures.
The Times editorial board is quite right about the seriousness of the cyber- threat and the federal government’s responsibility to redress it. What it does not appear to realize is the connection between the domestic NSA surveillance it detests and the governmental assistance with cybersecurity it cherishes. To keep our computer and telecommunication networks secure, the government will eventually need to monitor and collect intelligence on those networks using techniques similar to ones the Timesand many others find reprehensible when done for counterterrorism ends.
The fate of domestic surveillance is today being fought around the topic of whether it is needed to stop Al Qaeda from blowing things up. But the fight tomorrow, and the more important fight, will be about whether it is necessary to protect our ways of life embedded in computer networks.
Anyone anywhere with a connection to the Internet can engage in cyber-operations within the United States. Most truly harmful cyber-operations, however, require group effort and significant skill. The attacking group or nation must have clever hackers, significant computing power, and the sophisticated software—known as “malware”—that enables the monitoring, exfiltration, or destruction of information inside a computer. The supply of all of these resources has been growing fast for many years—in governmental labs devoted to developing these tools and on sprawling black markets on the Internet.
Telecommunication networks are the channels through which malware typically travels, often anonymized or encrypted, and buried in the billions of communications that traverse the globe each day. The targets are the communications networks themselves as well as the computers they connect—things like the Times’ servers, the computer systems that monitor nuclear plants, classified documents on computers in the Pentagon, the nasdaq exchange, your local bank, and your social-network providers.
To keep these computers and networks secure, the government needs powerful intelligence capabilities abroad so that it can learn about planned cyber-intrusions. It also needs to raise defenses at home. An important first step is to correct the market failures that plague cybersecurity. Through law or regulation, the government must improve incentives for individuals to use security software, for private firms to harden their defenses and share information with one another, and for Internet service providers to crack down on the botnets—networks of compromised zombie computers—that underlie many cyber-attacks. More, too, must be done to prevent insider threats like Edward Snowden’s, and to control the stealth introduction of vulnerabilities during the manufacture of computer components—vulnerabilities that can later be used as windows for cyber-attacks.
And yet that’s still not enough. The U.S. government can fully monitor air, space, and sea for potential attacks from abroad. But it has limited access to the channels of cyber-attack and cyber-theft, because they are owned by private telecommunication firms, and because Congress strictly limits government access to private communications. “I can’t defend the country until I’m into all the networks,” General Alexander reportedly told senior government officials a few months ago.
For Alexander, being in the network means having government computers scan the content and metadata of Internet communications in the United States and store some of these communications for extended periods. Such access, he thinks, will give the government a fighting chance to find the needle of known malware in the haystack of communications so that it can block or degrade the attack or exploitation. It will also allow it to discern patterns of malicious activity in the swarm of communications, even when it doesn’t possess the malware’s signature. And it will better enable the government to trace back an attack’s trajectory so that it can discover the identity and geographical origin of the threat.
Alexander’s domestic cybersecurity plans look like pumped-up versions of the NSA’s counterterrorism-related homeland surveillance that has sparked so much controversy in recent months. That is why so many people in Washington think that Alexander’s vision has “virtually no chance of moving forward,” as the Times recently reported. “Whatever trust was there is now gone,” a senior intelligence official told Times.
There are two reasons to think that these predictions are wrong and that the government, with extensive assistance from the NSA, will one day intimately monitor private networks.
The first is that the cybersecurity threat is more pervasive and severe than the terrorism threat and is somewhat easier to see. If the Times’ website goes down a few more times and for longer periods, and if the next penetration of its computer systems causes large intellectual property losses or a compromise in its reporting, even the editorial page would rethink the proper balance of privacy and security. The point generalizes: As cyber-theft and cyber-attacks continue to spread (and they will), and especially when they result in a catastrophic disaster (like a banking compromise that destroys market confidence, or a successful attack on an electrical grid), the public will demand government action to remedy the problem and will adjust its tolerance for intrusive government measures.
At that point, the nation’s willingness to adopt some version of Alexander’s vision will depend on the possibility of credible restraints on the NSA’s activities and credible ways for the public to monitor, debate, and approve what the NSA is doing over time.
Which leads to the second reason why skeptics about enhanced government involvement in the network might be wrong. The public mistrusts the NSA not just because of what it does, but also because of its extraordinary secrecy. To obtain the credibility it needs to secure permission from the American people to protect our networks, the NSA and the intelligence community must fundamentally recalibrate their attitude toward disclosure and scrutiny. There are signs that this is happening—and that, despite the undoubted damage he inflicted on our national security in other respects, we have Edward Snowden to thank.
“Before the unauthorized disclosures, we were always conservative about discussing specifics of our collection programs, based on the truism that the more adversaries know about what we’re doing, the more they can avoid our surveillance,” testified Director of National Intelligence James Clapper last month. “But the disclosures, for better or worse, have lowered the threshold for discussing these matters in public.”
In the last few weeks, the NSA has done the unthinkable in releasing dozens of documents that implicitly confirm general elements of its collection capabilities. These revelations are bewildering to most people in the intelligence community and no doubt hurt some elements of collection. But they are justified by the countervailing need for public debate about, and public confidence in, NSA activities that had run ahead of what the public expected. And they suggest that secrecy about collection capacities is one value, but not the only or even the most important one. They also show that not all revelations of NSA capabilities are equally harmful. Disclosure that it sweeps up metadata is less damaging to its mission than disclosure of the fine-grained details about how it collects and analyzes that metadata.
It is unclear whether the government’s new attitude toward secrecy is merely a somewhat panicked reaction to Snowden, or if it’s also part of a larger rethinking about the need for greater tactical openness to secure strategic political legitimacy. Let us hope, for the sake of our cybersecurity, that it is the latter.
Jack Goldsmith, a contributing editor, teaches at Harvard Law School and is a member of the Hoover Institution Task Force on National Security and Law.