Can NSA be trusted to oversee public networks?

One of the debates in cybersecurity right now — one of many — is who should be in charge of overseeing the security of privately owned critical infrastructure. That role now nominally belongs to the Homeland Security Department by virtue of a patchwork of executive order and policy, but with little legislative authority.

Some argue that the job should go to the National Security Agency, which has been in charge of securing government communications and snooping on foreign communications since before there was an Internet. They have the expertise, the argument goes.

Others are wary of inviting a military agency charged with foreign spying into our domestic networks. Without public oversight of NSA operations, that is a valid fear.

It is a difficult issue because of the blurred lines between national security on one hand and privacy and civil liberties on the other. The Defense Department relies heavily on the privately owned infrastructure that makes up the bulk of global communications networks. Deputy Defense Secretary Ashton Carter, speaking Feb. 28 at the RSA Conference in San Francisco, said threats to civilian critical infrastructure are seen as a threat to the DOD. “We want to have a role in defending that as well,” he said.

And the NSA already is playing a cooperative role in domestic security. “DHS and NSA are already working together,” Jenny Menna of the DHS National Protection and Programs Directorate said at the conference. “There is a strong working relationship.”

But the thought of allowing the NSA unfettered access to domestic networks and systems is scary. And because of the secrecy in which the NSA operates, “unfettered” is unfortunately the only way access could be allowed.

Meaningful oversight is public oversight — the people themselves have a say, either directly or indirectly, in what an agency does and how it is done. In our political system, the hands-on work is done by Congress, representing the people. But this only is meaningful if the public is informed of what is happening and has an opportunity to respond, both by feedback to representatives and at the ballot box. It is often a messy and inefficient process, but it’s the one we have.

This crucial link is missing in NSA oversight. A handful of chosen senators and representatives are briefed in secret and the information stops there. The public does not know what the NSA is doing or what their representatives are doing about it. Without transparency the oversight has little meaning. Without this oversight, we have no way of knowing what information is being gathered by whom, who has access to it or what it is being used for.

We could just trust the government. But if blind trust were an adequate protection, the Founding Fathers would not have built a system of checks and balances into our government. Trust is more meaningful when it is not blind.

Of course, in a real sense this argument is moot. Since we don’t have any assurance what the NSA does, it might already be monitoring domestic networks in the name of national security. But if it is not given this authority in a law, we at least have the assurance that such domestic snooping is illegal.

Recent history has shown that this assurance is not really worth much, but right now it is all we have.


Reader Comments

Tue, Mar 6, 2012

Gov, Mil, and critical safety systems in public sector, should have been cleaved from public internet when ARPANET became the Internet. Hard to attack through an air gap. If they can't see it, they can't attack it. Sure, it would cost more. But how much are we spending on these endless competing security agencies and response centers?

Tue, Mar 6, 2012 PerfectIP

We live in a country that assures that people have the freedom to express their opinions - that is the true value of both the article and the reactions to the article.

Mon, Mar 5, 2012

I would assume that the various agencies who are collectively charged with surveillance already have all the information. I would assume that Google and Yahoo do not operate in a vacuum. What I find troubling is not that they have it since information collection isn't anything new. What I find troubling is what they do with it. For example, DoJ looking for programs to "connect the dots" and DHS maintaining various watchlists which they use to prevent travel. Or the latest excursion of DHS into social media surveillance. What originally seemed like a good idea -- prevent threats from materializing into something harmful -- is now becoming investigation and evidence itself. In the law enforcement world, you don't investigate until you have cause. In this world, it is all investigation to find cause. And in the digital world, you can pretty much take anything and make it into what you want. I don't know that innocence is any longer prevention or defense.

Mon, Mar 5, 2012 Richard

I think the other reason that NSA is unsuitable as the Command overseeing networks is basic competency. The WWW is not, first and foremost, a collection platform which is how NSA fundamentally views it. Networks are a means to an end and not an end to themselves. There is a way of thinking that is endemic to SigInt folks that sees collection as the telos of a network. In fact, Federal and Civilian networks exist to facilitate business and command and control. Without the larger *purpose* of a network, the network would not be there. CIOs and IT professionals have long understood that they are a *supporting* arm to larger business processes. Processes, procedures, and tools to securely and efficiently operate, maintain and defend a network are the *first* thing that IT professionals are concerned about. When you have good control of your network you are in a good position to defend it. NSA has not lived in this environment and the attitude of Gen Alexander is telling where he assumes away 99.9% of the effort in Network Operations and focuses on the kind of things that SigInt folks know. What they know is SigInt and not networks and, until that changes, they will utterly fail at their mission of being a functional command in *support* of combatant commanders while simultaneously being unsuitable to understand the business needs that networks facilitate.

Mon, Mar 5, 2012

The previous comment is silly. Oversight by the Department of Injustice? Eric Holder's 3 ring circus can't even get a gun sting right (Fast & Furious)!
