Marc Ambinder has some phenomenal reporting in Foreign Policy today about how the NSA assists companies that are the victims of (usually Chinese) cyberespionage. It is a must read.
One thing we learn: “Cyber-warfare directed against American companies is reducing the gross domestic product by as much as $100 billion per year, according to a recent National Intelligence Estimate.” That is just slightly more than half a percent of GDP, which puts the scope of the threat in perspective.
The most interesting thing, though, is this:
In the coming weeks, the NSA, working with a Department of Homeland Security joint task force and the FBI, will release to select American telecommunication companies a wealth of information about China’s cyber-espionage program, according to a U.S. intelligence official and two government consultants who work on cyber projects. Included: sophisticated tools that China uses, countermeasures developed by the NSA, and unique signature-detection software that previously had been used only to protect government networks.
Press reports have indicated that the Obama administration plans to give certain companies a list of domain names China is known to use for network exploitation. But the coming effort is of an entirely different scope. These are American state secrets.
Very little that China does escapes the notice of the NSA, and virtually every technique it uses has been tracked and reverse-engineered. For years, and in secret, the NSA has also used the cover of some American companies – with their permission – to poke and prod at the hackers, leading them to respond in ways that reveal patterns and allow the United States to figure out, or “attribute,” the precise origin of attacks. The NSA has even designed creative ways to allow subsequent attacks but prevent them from doing any damage. Watching these provoked exploits in real time lets the agency learn how China works.
Will you look at that? Information sharing between the government and the private sector without liability protection. Even more than information sharing, it seems some businesses are allowing the NSA to monitor their systems.
As I’ve said before, there is nothing preventing the government from sharing information about cyberattacks with the private sector. Legislation isn’t required to allow that. As for businesses sharing information with government, they too are free to do so. The only question is whether they should get a free pass for violating contracts or breaking the law when they share in the name of security. I think that would be a mistake.
As Ambiner points out, “the NSA’s reputation has been tarnished by its participation in warrantless surveillance[.]” People don’t trust the NSA with good reason. Security is important, but so are civil liberties. Removing the possibility of liability would also remove any incentive companies might have to be a check on what information the NSA collects. Ambinder writes that given their experience with the warrantless wiretapping program, today “telecoms are wary of cooperating with the NSA beyond the scope of the law.” That’s as it should be. Do we really want to give companies cover to cooperate with the NSA beyond the scope of the law?
According to Ambinder, the NIE suggests “that the NSA will have to perform deep packet inspection on private networks at some point.” (This is the so-called EINSTEIN 3 system This doesn’t sound like a good idea, but if it is to happen, it should be debated in public. Liability protection might allow businesses to allow the NSA to employ the system in secret.