CYBEREYE

Does NSA's cybersecurity mission extend to the dot-com domain?

Interrelated nature of Internet leads DOD security arm outside of military networks

The National Security Agency appears to be suffering a case of mission creep.

For years, NSA, the Defense Department’s lead agency for information gathering and protection, has said that it has its hands full with protecting military networks and has no interest in networks outside the .mil domain. The .gov domain is the responsibility of Homeland Security, NSA said, and the .com and other private-sector domains are the responsibility of the private sector, with DHS help.

Of course, NSA would also be willing to lend a hand if needed, but it has no direct responsibility for non-military networks.

These statements have been taken with a grain of salt by many in the security world, especially with the revelation of wholesale illegal wiretaps that were discovered sweeping up traffic from commercial networks during the Bush administration. Now, DOD is admitting the obvious by saying that its interests extend beyond .mil.

“The military networks do not exist in a vacuum,” Deputy Defense Secretary William Lynn said last week in outlining DOD’s strategy for defending against and responding to cyberattacks. The third pillar of that strategy is to extend DOD protection to critical infrastructure in the civilian government and private sectors. “We cannot just protect only the .mil world.”

DHS is the lead agency in this civilian mission, Lynn said. Asked how far NSA is prepared to go in defending civilian critical infrastructure, he reiterated that DHS would call the shots. “We would follow the Homeland Security [Department's] lead,” he said.

It is hard to imagine NSA sitting back during a crisis and waiting for orders from the same department that was responsible for the government’s response to Hurricane Katrina. DHS simply does not have the expertise or the authority to effectively defend critical infrastructure within the .gov domain, let alone in the much larger .com and other private-sector domains.

This is not necessarily DHS' fault. The nation does not have an overarching policy or strategy for defending an unregulated, decentralized but interconnected critical infrastructure. Each entity is expected to be responsible for protecting those segments of the infrastructure it controls, but outside of government there are few standards that must be met or best practices to be implemented. Even within government, DHS is not equipped to audit and monitor agency compliance, enforce regulations or respond to incidents.

NSA and DOD’s new U.S. Cyber Command are the government’s most effective and powerful federal cybersecurity actors, said Paul Rosenzweig, former deputy assistant secretary for policy at DHS and now a visiting fellow at the Heritage Foundation’s Center for Legal and Judicial Studies. If other provisions are not made to establish a framework of authority and responsibility for protecting critical infrastructure, they will fill the power vacuum with military or pseudo-military control, Rosenzweig warned during a recent discussion on cybersecurity.

Proposals already have surfaced calling for NSA to establish monitoring capabilities within Internet service providers in order to extend its protection to defense contractors in the dot-com domain.

Arguments can be made about whether NSA should have the job of protecting our civilian critical infrastructure. Many security experts and civil libertarians would argue that this job should not be given to an agency cloaked in secrecy and with a record of surveillance abuses. But absent another agency with the authority and responsibility to do the job, we can expect DOD and NSA to become the de facto defenders of our networks.

About the Author

William Jackson is a freelance writer and the author of the CyberEye blog.

Reader Comments

Tue, Aug 31, 2010

Inasmuch as anti-trust law is designed to prevent monopolization of American industries, regulating the dot.com network by a capable organization like the NSA makes sense to prevent cannibalization.

Tue, Aug 31, 2010 Przemek Klosowski

I understand the sentiment to avoid regulation in the name of a 'free market' but lack of regulation cannot mean lack of responsibility and accountability. It is one thing to be against direct government participation, but it's irresponsible to also reject broad-based requirements and regulations that apply equally to all market participants, preserving a level playing field.

As the recent history of financial turmoil and other industry disasters such as the oil spill and the food contamination show, lack of any accountability is not good for the public and in the end hurts the businesses themselves (ask BP how they like their stock price now). Lack of accountability is a myopic strategy, whose only beneficiaries are short-term investors who hope to flip the stock before the inevitable controversy happens.

Tue, Aug 31, 2010 Former DHS Washington, DC

There is no doubt that a cyber attack on US critical infrastructure would have to be countered by DOD. In the previous administration, protection of critical infrastructure was in the hands of an organization (Office of Infrastructure Protection) with zero technical competence at the senior leadership level. Consequently, the organization was forced to focus almost entirely on physical protection (guards and barriers) and to ignore what should have been a critical and vibrant role in cyber protection. The legacy of that leadership failure lives on today in the form of an ineffective and musclebound bureaucratic entanglement with the private sector.

Tue, Aug 31, 2010 Bill the Pill Beltway

The DoD has ALWAYS had an interest in protecting the Defense Industrial Base, including its networks (which are .com) because of the military IP within them. Many programs have been tasked with providing network and now cyber security for contractors. Just look at http://www.bis.doc.gov/defenseindustrialbaseprograms/index.htm and http://www.acq.osd.mil/ip/ among many others.

Tue, Aug 31, 2010 Michael D. Long Knoxville, TN

The argument over which agency should "have the job of protecting" private commercial assets is simple - NONE OF THEM. Any regulations imposed would have the effect of creating yet another hidden tax on industry, which stifles innovation, efficiency, competitiveness, and ultimately leads to loss of American jobs to foreign competitors. In a "free market" system it is imperative that each business be able to implement practices which make it as efficient as possible in order to maximize its competitive position. The natural order is for the efficient to thrive and the inefficient to fail. We've burdened all businesses with excessive regulations, thus favoring the larger and longer established organizations who can spread the cost of compliance across a larger allocation base resulting in a lower percentage cost of operations. These excessive regulations yield the result that most small businesses are not in compliance with the various federal, state and local implementing guidance, and as businesses increase their levels of compliance (whether as a result of due diligence or having been caught and forced to comply) the costs increase. If the market will bear this burden, then the cost of goods and services is passed on to the consumer, driving inflation; if not, then the company must absorb the costs out of anticipated profits. As is all too often the case, the market will not bear the cost and the profits are insufficient to cover them, leading businesses to cease operations. The primary "winners" out of all this (at least in the short term) are the government bureaucrats who are well compensated for their "service" to America. Tearing down the American economy is a service we can all live without.
