Last summer at an AEI-sponsored event on cybersecurity, NSA head General Keith Alexander made the case for information sharing legislation aimed at improving cybersecurity. His response to a question from Ellen Nakashima of the Washington Post (starting at 54:25 in the video at the link) was a pretty good articulation of how malware is identified and blocked using algorithmic signatures. In his longish answer, he made the pitch for access to key malware information for the purpose of producing real-time defenses.

What the antivirus world does is it maps that out and creates what’s called a signature. So let’s call that signature A. …. If signature A were to hit or try to get into the power grid, we need to know that signature A was trying to get into the power grid and came from IP address x, going to IP address y.

We don’t need to know what was in that email. We just need to know that it contained signature A, came from there, went to there, at this time.

…

[I]f we know it at network speed we can respond to it. And those are the authorities and rules and stuff that we’re working our way through.

…

[T]hat information sharing portion of the legislation is what the Internet service providers and those companies would be authorized to share back and forth with us at network speed. And it only says: signature A, IP address, IP address. So, that is far different than that email that was on it coming.

Now it’s intersting to note, I think—you know, I’m not a lawyer but you could see this—it’s interesting to note that a bad guy sent that attack in there. Now the issue is what about all the good people that are sending their information in there, are you reading all those. And the answer is we don’t need to see any of those. Only the ones that had the malware on it. Everything else — and only the fact that that malware was there — so you didn’t have to see any of the original emails. And only the ones that had the malware on it did you need to know that something was going on.

It might be interesting to get information about who sent malware, but General Alexander said he wanted to know attack signatures, originating IP address, and destination. That’s it.

Now take a look at what CISPA, the Cybersecurity Information Sharing and Protection Act (H.R. 624), allows companies to share with the government provided they can’t be proven to have acted in bad faith:

information directly pertaining to—

(i) a vulnerability of a system or network of a government or private entity or utility;

(ii) a threat to the integrity, confidentiality, or availability of a system or network of a government or private entity or utility or any information stored on, processed on, or transiting such a system or network;

(iii) efforts to deny access to or degrade, disrupt, or destroy a system or network of a government or private entity or utility; or

(iv) efforts to gain unauthorized access to a system or network of a government or private entity or utility, including to gain such unauthorized access for the purpose of exfiltrating information stored on, processed on, or transiting a system or network of a government or private entity or utility.

That’s an incredible variety of subjects. It can include vast swaths of data about Internet users, their communications, and the files they upload. In no sense is it limited to attack signatures and relevant IP addresses.

What is going on here? Why has General Alexander’s claim to need attack signatures and IP addresses resulted in legislation that authorizes wholesale information sharing and that immunizes companies who violate privacy in the process? One could only speculate. What we know is that CISPA is a vast overreach relative to the problem General Alexander articulated. The House is debating CISPA Wednesday and Thursday this week.

Daily news service TechLawJournal (subscription) reports that the U.S. District Court (DC) has granted summary judgment to the National Security Agency in EPIC v. NSA, a federal Freedom of Information Act (FOIA) case regarding the Electronic Privacy Information Center’s request for records regarding Google’s relationship with the NSA.

EPIC requested a wide array of records regarding interactions between Google and the NSA dealing with information security. Reports TLJ:

The NSA responded that it refused to confirm or deny whether it had a relationship with Google, citing Exemption 3 of FOIA (regarding records “specifically exempted from disclosure by statute”) and Section 6 of the National Security Agency Act of 1959 (which prohibits disclose of information about the NSA).

The FOIA merits of EPIC’s suit are one thing. It’s another for Google to have an intimate relationship with a government agency this secretive.

This would be a good time to not be evil. Google should either sever ties with the NSA or be as transparent (or more) than federal law would require the NSA to be in the absence of any special protection against disclosure.

Reliable national security reporter Siobhan Gorman at the Wall Street Journal has broken a story about an Internet surveillance program called “Perfect Citizen” to be managed by the National Security Agency.

Reading about it is frustrating, and for me blame quickly settles on Congress. Our legislature is utterly supine before the national security bureaucracy, which exaggerates cybersecurity threats and consistently uses the secrecy trump card to defy oversight.

If there is to be a federal government role in securing the Internet from cyberattacks, there is no good reason why its main components should not be publicly known and openly debated. Small parts, like threat signatures and such—the unique characteristics of new attacks—might be appropriately kept secret, but no favor is done to any potential attackers by revealing that there is a system for detecting their activities.

A cybersecurity effort that is not tested by public oversight will be weaker than ones that are scrutinzed by private-sector experts, academics, security vendors, and watchdog groups.

Benign intentions do not control future results, and governmental surveillance of the Internet for “cybersecurity” purposes may warp over time to surveillance for ideological and political purposes.

These abstract criticisms of “Project Citizen” are all that publicly available information allows. Far better would come from me and others more qualified if Congress were to do its job.

Congress owes it to us, the United States’ true citizens, to have public hearings on “Perfect Citizen.” Congress should reject broad assertions of secrecy so that the whole body politic can participate in securing our country from all threats.

Congressional and public oversight—searching oversight that tests assumptions and asks hard questions—would strenghten any government cybersecurity effort we find warranted. It would also ameliorate the threat of such programs to our civil liberties, democratic processes, and privacy.

San Antonio too.

Declan McCullagh has done some great reporting this morning on an ITU plan to trace the source of all Internet communications. Meaning: no more anonymous speech online.

The U.S. National Security Agency is also participating in the “IP Traceback” drafting group, named Q6/17, which is meeting next week in Geneva to work on the traceback proposal. Members of Q6/17 have declined to release key documents, and meetings are closed to the public.

Read the whole thing.

It’s particularly interesting to note the role of VeriSign in developing this surveillance capability for the ‘net. McCullagh quotes Tony Rutkowski of VeriSign stepping up to defend the plan. Rutkowski published a summary of the plan in May.

Great reporting by McCullagh. Not a great thing for VeriSign to be doing.