White House Picks DHS Over NSA to Help Private Sector Cybersecurity
Will Homeland Security really be any better at protecting privacy?
By Constantine von Hoffman, CIO
It looks like the White House thinks DHS bureaucracy can help private-sector cybersecurity more than the NSA’s technology.
For the past year, the National Security Agency has been pushing for a big role in protecting private-sector computer networks from cyber attacks, according to published reports. The Obama Administration said it blocked these efforts out of privacy concerns.
The most contentious issue was a legislative proposal last year that would have required hundreds of companies that provide critical services such as electricity generation to allow their Internet traffic be continuously scanned using computer threat data provided by the spy agency. The companies would have been expected to turn over evidence of potential cyberattacks to the government.
Although the NSA argued these were unobtrusive measures, the Justice Department and the White House said it would permit unprecedented government monitoring of routine civilian Internet activity. The plan was based on a pilot program run by the NSA under which Internet service providers used the NSA’s library of threat data to scan computer traffic to and from top defense contractors.
The proposal “would have required an estimated 300 to 500 companies with a role in critical infrastructure systems to allow their Internet carrier or some other company to scan their computer networks for malicious software using government threat data.”
NSA officials said this would have been an automated procedure and that its personnel would have only become involved when a scan identified a potential threat. They also said identifying information on specific internet users would have been blocked.
The administration is clearly nervous about anything resembling government monitoring of the internet. The White House blocked draft legislation that would have let any government agency monitor private computer networks for cyber threats and to take measures to counter those threats. Under the legislation now being considered by Congress only private-sector entities will be able to monitor networks and operate the countermeasures.
While I’m all in favor of protecting privacy I have to wonder how independent these “private sector entities” will be from the government. There have been far too many cases where this separation was nothing more than a fig leaf giving the government a certain level of plausible deniability.
Also, we’re still stuck with legislation giving the Department of Homeland Security “oversight” over network security for industries deemed to be critical to the nation’s infrastructure. Has DHS worked out the problems with the “Do Not Fly” list yet?