NSA Power Grab: New Legislation Would Give It Broad Powers To Spy On 'Critical' Private Networks

by Mike Masnick
Techdirt
Mar. 01, 2012

Well, we saw this one coming a mile away. Last week, in talking about the current fight in the Senate over the new cybersecurity legislation that's making the rounds, we noted that the behind-the-scenes story appeared to be that the NSA was going to make a power play to try to get responsibility for cybersecurity handed to it, rather than Homeland Security. Over the last few days, it's become clear that's exactly what's going on. While neither the NSA nor DHS inspire much confidence when it comes to heading up cybersecurity, the NSA plan is really crazy. It's expected that Senator McCain will be introducing legislation shortly that would give cybersecurity responsibility to the NSA.

McCain is positioning his version of the bill as one that focuses on "a cooperative relationship with the entire private sector through information sharing, rather than an adversarial one with prescriptive regulations." However, reports are that McCain's version involves a plan that the NSA has been aggressively lobbying for to give it access to networks deemed "critical." The NSA says that it wants to monitor these networks in case of attack so it can spring into action.

However, given the NSA's other mandates (spying!) this certainly has raised some fairly significant concerns. Should every private company running a network deemed critical automatically be required to install a special NSA spying box? Even the White House and the Justice Department (no strangers to over aggressive monitoring) have pushed back that this would be "unprecedented government" intrusion into the civilian internet. It's apparently gotten so bad, that the Obama administration has privately slapped down NSA boss General Keith Alexander (last heard talking about how Anonymous was going to shut down powerlines) for "advocating for something beyond that, that is undermining the commander in chief."

Of course, the administration can't stop former NSA boss Mike McConnell from running around spreading fear mongering stories about how the entire internet is at risk if we don't give the NSA unprecedented spying powers. Left out of his talks on this matter is that, not only has he been making these claims about how the internet is on the verge of collapse if the NSA doesn't get these powers for many, many years (without any evidence to show that it's true), but he's also now employed by Booz, Allen as a VP -- which is relevant, because Booz is already profiting massively from all this fear mongering, by getting hundreds of millions of dollars in federal contracts to "help" the government deal with the scary threats of the internet.

Jim Dempsey, over at CDT has a discussion of just how ridiculous this NSA powergrab is, in that it makes some key assumptions that just don't seem supported by reality:

The NSA’s claims are premised on the dual assumptions that the private sector is not actively defending its systems and that only the NSA has the skills and the technology to do effective cybersecurity. The first is demonstrably wrong. The Internet and telecommunications companies are already doing active defense (not to be confused with offensive measures). The Tier 1 providers have been doing active defense for years – stopping the threats before they do damage – and the companies have been steadily increasing the scope and intensity of their efforts.

The second assumption (that only the NSA has the necessary skills and insight) is very hard for an outsider to assess. But given the centrality of the Internet to commerce, democratic participation, health care, education and multiple other activities, it does not seem that we should continue to invest a disproportionate percentage of our cybersecurity resources in a military agency. Instead, we should be seeking to improve the civilian government and private sector capabilities.

Dempsey goes on to say that the NSA has already been helping Tier 1 providers by sharing its "secret sauce" to protect them against attack without having to have full access to the networks, and it seems silly that a process like that can't continue and be quite effective without giving up all privacy. Similarly, Jerry Brito, who has been following all of this very closely, notes that it's somewhat crazy to think that we can't just continue with the NSA assisting at arms-length without giving them full access to private networks.

Brito further highlights that there's a reason why we have civilian law enforcement for domestic issues, not military officials -- noting that (while they don't always succeed), civilian law enforcement is used to working within "an environment where constitutional rights apply and to use force only as a last resort." That is simply not true of the military or the NSA, whose operations usually involve issues outside the US, where the Constitution does not apply. And yes, they've certainly blurred that domestic/foreign line over the years, but that's no reason to go even further and give the military more power of the private domestic internet.