Obama Administration to Involve NSA in Defending Civilian Agency Networks
Ellen Nakashima - Washington Post Staff Writer
The Obama administration will proceed with a Bush-era plan to use National Security Agency assistance in screening government computer traffic on private-sector networks, with AT&T as the likely test site, according to three current and former government officials.
President Obama said in May that government efforts to protect computer systems from attack would not involve "monitoring private sector networks or Internet traffic" and Department of Homeland Security officials say that the new program will only scrutinize data going to or from government systems.
But the program has provoked debate within DHS, the current and former officials said, because of uncertainty over whether private data can be shielded from unauthorized scrutiny, how much of a role NSA should play and whether the agency's involvement in warrantless wiretapping under the Bush administration would draw controversy.
"We absolutely intend to use the technical resources, the substantial ones, that NSA has. But . . . they will be guided, led, and in a sense directed by the people we have at the Department of Homeland Security," the department's secretary, Janet Napolitano, told reporters in a discussion of cybersecurity efforts.
Under a classified pilot program approved during the Bush administration, NSA data and hardware would be used to protect the networks of some civilian government agencies. Part of an initiative known as Einstein 3, the pilot called for telecommunications companies to route the Internet traffic of civilian government agencies through a monitoring box that would search for and block malicious computer codes.
AT&T, the world's largest telecommunications firm, was the Bush administration's choice to participate in the test, which has been delayed for months as the Obama administration determines what elements of the Bush plan to preserve, former government officials said. The pilot was to have been launched in February.
"To be clear, Einstein 3 development is proceeding," DHS spokeswoman Amy Kudwa said. "We are moving forward in a way that protects privacy and civil liberties."
AT&T officials declined to comment.
A DHS official said the delay occurred because the original timeline "did not take into account all that was required to ensure the exercise would provide the data needed."
The program is the most controversial element of the $17 billion cybersecurity initiative that the Bush administration launched in January 2008. Einstein 3 is crucial, advocates say, in an era in which hackers have compromised computer systems at the Commerce and State departments, and have siphoned off sensitive military jet data from a defense contractor.
The NSA declined to comment on Einstein 3, but a spokeswoman said the agency would help DHS in "any way possible, including technical support" as it seeks to protect government networks.
The internal controversy reflects the central tension in the debate over how best to defend the nation's mostly private system of computer networks. The most effective techniques, experts say, require the automated scrutiny of e-mail and other electronic communications content -- something that commercial providers already do.
Proponents of involving the government said such efforts should harness the NSA's resources, especially its database of computer codes, or signatures, that have been linked to cyberattacks or known adversaries. The NSA has compiled the cache by, for example, electronically observing hackers trying to gain access to U.S. military systems, the officials said.
"That's the secret sauce," one official said. "It's the stuff they have that the private sector doesn't."
But it is also the prospect of NSA involvement in cybersecurity that fuels concerns of unwarranted government snooping into private communications.
"The bitter battles over privacy and NSA's role in domestic wiretapping hang over cybersecurity like a toxic cloud," said Stewart A. Baker, assistant secretary of homeland security during under the Bush administration.
AT&T, which was sued over its role in the NSA wiretapping program, is seeking legal assurance that it will not be sued for participation in the pilot. That legal certification has been held up for several months as DHS prepares a contract, said several current and former officials.
Einstein's promise, current and former officials said, is that it can more effectively detect malicious activity and disable intrusions before harm is done to civilian government networks.
"Intrusion detection is like a cop with a radar gun on a highway who catches you speeding or drunk and phones ahead to somebody at the other end," Michael Chertoff, former homeland security secretary, said in a recent interview. "Einstein 3 is a cop who actually arrests you and pulls you off the road when he sees you driving drunk."
The classified NSA system, known as Tutelage, has the ability to decide how to handle malicious intrusions -- to block them or watch them closely to better assess the threat, sources said. It is currently used to defend military networks.
The database for the pilot program would also contain feeds from commercial firms and the DHS's U.S. Computer Emergency Readiness Team, administration officials said.
The pilot has two goals. The first is to prove that the telecommunications firm can route only traffic destined only for federal civilian agencies through the monitoring system. The second is to test whether the technology can work effectively on civilian government networks. The sensor box would scan e-mail messages and other content just before they enter the civilian agency networks.
"We're looking for malicious content, not a love note to someone with a dotgov e-mail address," a former senior administration official said. "What we're interested in is finding the code, the thing that will do the network harm, not reading the e-mail itself."
Ari Schwartz, a vice president of the Center for Democracy and Technology, was among a group of privacy advocates given a classified briefing in March on the Einstein program. The advocates wanted to ensure that officials had a plan to protect privacy and civil liberties.
"We came away saying they have a lot of work in front of them to get this done right," Schwartz recalled. "We're looking forward to their next steps."
Bush administration lawyers last year determined that the DHS had the legal authority to conduct the Einstein program, and could do so in compliance with existing wiretap and privacy laws, as long as appropriate policies were in place.
Last fall, plans for the pilot were proceeding, former officials said. But in the Bush administration's final weeks, AT&T lawyers raised concerns about legal liability, they said. Then-Attorney General Michael Mukasey was willing to give AT&T written assurance that it would bear no liability for participation in the program, but both AT&T and the Justice Department agreed that the new administration should issue the certification, they said.
"They just wanted to make sure the certification would not be reversed by the next administration," said a former Bush administration official said.
In hindsight, Baker said, the Bush White House's decision to classify so much of its initiative was a mistake.
"It meant that the problem was not well understood," said Baker, former NSA general counsel in the Clinton administration. "The solution was veiled in secrecy in a way that allowed people outside to be suspicious, so anybody who mistrusted the intelligence community could just assume that it was because they were doing something that they shouldn't be doing."
Staff writers Spencer H. Hsu and Carrie Johnson contributed to this report.
www.washingtonpost.com/wp-dyn/content/article/2009/07/02/AR2009070202771.html