Wednesday, July 8, 2009

Privacy Concerns And the Cybersecurity Act

We all know that cyber attacks are a real threat in today's information age. We also know that if nothing else, the Obama Administration seems to be extremely technically literate. Those two facts are now coming together in the form of an official Cybersecurity strategy. Little yet is known about the details of the Administration's plan, but some initial signs point to a variety of possible concerns for privacy advocates.

The first hint came a week or so back when it was revealed that the Obama administration would proceed with a Bush-era plan to use National Security Agency assistance in screening government computer traffic on private-sector networks, with AT&T as the likely test site.

It should be noted that President Obama said in May that government efforts to protect computer systems from attack would not involve "monitoring private-sector networks or Internet traffic," and Department of Homeland Security officials say the new program will scrutinize only data going to or from government systems. Each time a private citizen visited a "dot-gov" Web site or sent an e-mail to a civilian government employee, that action would be screened for potential harm to the network.

This intrusion detection system is known as Einstein, a software program that monitors all government networks. That new system would be designed to not only detect intrusions, but also preemptively block them, preventing the sorts of cyberspying incidents that have plagued the government and military for more than a decade.

Of course this leads to some important questions: Can private data be shielded from unauthorized scrutiny? How much of a role should the NSA play in light of its involvement in warrantless wiretapping during Bush's presidency?

The Washington Post detailed some of the internal debates within the Obama Administration about these very questions:

Under a classified pilot program approved during the Bush administration, NSA data and hardware would be used to protect the networks of some civilian government agencies. Part of an initiative known as Einstein 3, the plan called for telecommunications companies to route the Internet traffic of civilian agencies through a monitoring box that would search for and block computer codes designed to penetrate or otherwise compromise networks.

AT&T, the world's largest telecommunications firm, was the Bush administration's choice to participate in the test, which has been delayed for months as the Obama administration determines what elements to preserve, former government officials said. The pilot program was to have begun in February.


The internal controversy reflects the central tension in the debate over how best to defend the nation's mostly private system of computer networks. The techniques that work best, experts say, require the automated scrutiny of e-mail and other electronic communications content -- something that commercial providers already do.

Proponents of involving the government said such efforts should harness the NSA's resources, especially its database of computer codes, or signatures, that have been linked to cyberattacks or known adversaries. The NSA has compiled the cache by, for example, electronically observing hackers trying to gain access to U.S. military systems, the officials said.


Ari Schwartz, a vice president of the Center for Democracy and Technology, was among a group of privacy advocates given a classified briefing in March on the Einstein program. The advocates wanted to ensure that officials had a plan to protect privacy and civil liberties, including shielding such personally identifying data as Internet protocol addresses. "We came away saying they have a lot of work in front of them to get this done right," Schwartz said. "We're looking forward to their next steps."


Bush administration lawyers determined last year that DHS had the legal authority to conduct the Einstein program, and could do so in compliance with existing wiretap and privacy laws, as long as appropriate policies were in place. Last fall, plans for the pilot were proceeding, former officials said. But in the Bush administration's final weeks, AT&T lawyers raised concerns about legal liability, they said. Then-Attorney General Michael B. Mukasey was willing to give AT&T written assurance that it would bear no liability for participating in the program, but both AT&T and the Justice Department agreed that the new administration should issue the certification, they said.

So, that was last week. Today I found another article on this critically important debate in Forbes magazine. Unfortunately, it appears that the more we learn about the direction of the Administration's Cybersecurity plan, the more it feels like the good ol' Bush years (and by that I mean privacy-invasive and civil-liberties-intrusive).

Andy Greenberg of Forbes reports:

Since Obama's landmark speech on cybersecurity in May, his administration hasn't revealed much about its long-percolating plans to shore up the government's defenses against hackers and cyberspies. But privacy advocates monitoring the initiative are already raising concerns about what they know and what they don't: the details that have trickled out--including the involvement of the National Security Agency--and the veil of classified information that still covers much of the multibillion-dollar project.

"It feels like the Bush administration all over again," says Pam Dixon, executive director of the World Privacy Forum. "Not enough people know the details about these programs to have a good public discussion. We all want good security of government systems, but you have to balance the cloak and dagger elements with civil liberties."


"The same folks are being potentially entrusted with cybersecurity who have already shown that they have no regard for the law," says Lee Tien, an attorney with the Electronic Frontier Foundation, a nonprofit group that sued AT&T for its involvement in those wiretapping programs. "It's troubling that the Obama administration would consider this sort of thing."

At issue is whether government monitoring of networks could lead to intrusion in the digital lives of private citizens, whether through monitoring their visits to government Web sites or by blurring the line between government and private networks, privacy advocates argue. Much of the critical infrastructure that President Obama has spoken of protecting, including the power grid and telecommunications, is owned by the private sector.


But the NSA has rankled others with its growing influence over government cybersecurity. In March, the DHS' top cybersecurity official Rod Beckstrom stepped down in frustration, noting in his resignation letter that the "NSA currently dominates most national cybersecurity efforts" and that "the threats to our democratic processes are significant if all top level network security and monitoring is handled by any one organization."

While the concerns over privacy and the NSA are valid, they could hamper the progress of the Obama administration's cyber plan, says James Lewis, director of the Center for Strategic and International Studies, which authored an influential paper aimed at shaping the president's thinking on cyber issues. "We have technologies that would greatly improve cybersecurity, but their use wouldn't be consistent with our laws on surveillance and privacy," Lewis says, pointing to statutes such as the Electronic Communications Privacy Act of 1986, which disallows wiretaps without a warrant.

Perhaps Obama's privacy promises can be taken at face value, but the trouble remains the lack of transparency around the initiative. This of course is a recurring clash, privacy versus national security, that isn't going away anytime soon. I will withhold judgement until more is known, but it goes without saying I'm not a big fan of the NSA or AT&T, and right now, these are the two pillars of this new monitoring program.
