Hayden Urges Congress to Let NSA Monitor Public Networks for Threats

Former NSA and CIA Director Michael Hayden at CIA headquarters in Langley, Va., in 2009. (AP Photo/Luis M. Alvarez)

Former NSA and CIA director Michael Hayden revived a controversial meme on Tuesday when he urged Congress to allow his former agency to monitor public networks in order to defend against malicious activity coming from nation states and others.

“We’ve got capability on the sidelines wanting policy guidance,” he told the House Intelligence Committee, referring to the NSA. “And when we can enrich that guidance and get them in the field, the better — the safer — we are.”

Hayden’s remarks echoed what Director of National Intelligence Admiral Dennis Blair told the same committee in 2009 when he said that the NSA, rather than the Department of Homeland Security, which currently oversees cybersecurity issues on government networks and liaises with the public sector about securing critical infrastructure networks, was the only agency with the skills needed to secure cyberspace.

“The National Security Agency has the greatest repository of cyber talent,” Blair said. “[T]here are some wizards out there at Fort Meade who can do stuff.”

The NSA’s role in the Bush Administration’s secret and warrantless domestic spying program, however, has raised concerns among civil libertarians that the agency couldn’t be trusted to monitor networks without violating the privacy of citizens.

Hayden acknowledged to lawmakers that there was “a natural political cultural allergy to letting NSA” monitor private networks, but he said there were ways the spy agency could do so without reading the content of communications or otherwise intruding on the civil liberties of private citizens.

“We want NSA to protect us, but we don’t want NSA out there being present where our own communications are flowing,” he said. “And we’re just going to have to have a serious chat [about that]. I think we can do that — both the technology and the ethic at NSA would allow us to do that. But it will require some convincing before the agency is given that authority.”

Hayden also said there were still some people who didn’t have a proper appreciation of the threat the U.S. was facing from foreign attackers. Speaking about recent spates of attacks on U.S. companies and government agencies that appeared to come from China, Hayden said that “as a professional intelligence officer, I step back in awe at the breadth, depth, sophistication and persistence of the Chinese espionage effort against the United States of America.”

Also appearing before the committee on Tuesday was Art Coviello, executive chairman of RSA Security, which was targeted in a serious attack earlier this year that forced the company to re-issue security tokens to customers after intruders compromised a system used to generate secret codes for RSA SecurID tokens.

Coviello told lawmakers the attack on RSA’s network “could not have been perpetrated by anyone other than a nation state.” He also supported Hayden’s assertion that the NSA should be more involved in protecting U.S. systems.

“We ought to be able to figure out a way for the NSA, which has so much expertise, to work their way in an ethical way to protect us,” he said. “To me it’s a tragedy that we can’t get them more heavily involved working with Homeland Security to a point where they can be more effective protecting American organizations.”

Kevin Mandia, CEO of Mandiant, also spoke at the hearing. Mandia, whose company has investigated numerous headline-making breaches since its founding in 2004, said that in more than 90 percent of the intrusion cases his company has investigated, the victims didn’t know they had been breached until a government agency told them so.

“In our last 50 incidents, 48 of the victim companies learned they were breached from the Federal Bureau of Investigation, the Department of Defense or some other third party,” Mandia said.

“With virtually every other crime, the victim is the first to know that they have been violated,” Mandia said in a prepared statement. “Here, however, we have the government in the unique position of informing victims that they are, in fact, victims.”

He told Threat Level that as the FBI and law-enforcement divisions of the DoD are called in by victims to investigate known breaches, they often uncover additional victims in the course of gathering forensic evidence and are the first to then notify those entities that they’ve been breached.

Mandia and the other witnesses testified that to better protect networks, there needs to be better sharing of information between the government and private companies to help everyone understand the current threats they’re facing and how to protect against them. To encourage companies to share information about breaches they’ve experienced, the witnesses urged the government to look at providing limited immunity from liability so that companies don’t have to be afraid that customers and others will use the shared information to punish them.

Mandia was also in favor of a safe-harbor program that would separate information-sharing about breaches from the kind of information disclosure that is required under the data breach disclosure laws that exist in most states. Companies would still be required to disclose a breach if it involved personally identifiable information — as the breach laws require — but they would also be able to disclose additional details about the breach to the government in a way that wouldn’t expose their identity.

Currently companies provide only limited details about breaches, because they don’t want to face ridicule or additional liability if the details disclose a failure on the company’s part to adequately secure its network. Mandia says this works against the greater good by holding back information that could help other companies learn from mistakes and protect their own networks.

“The public shaming and the stigma that goes along with it isn’t helping,” he told Threat Level. “No one’s getting smarter from [information disclosed from] the Sony breach.”

Supreme Court Declines Music Download Case

The Supreme Court is declining to decide whether downloading a song is a public performance requiring artists to get paid additional royalties.

The American Society of Composers, Authors and Publishers, known as ASCAP, asked the justices to review a lower court decision that said downloading songs from iTunes, Amazon, eMusic or even music-sharing services does not count as a public performance, and hence additional royalties are unwarranted. On Monday, the court let stand that decision without comment.

The group, with 400,000 members, maintained in its petition to the justices that the Copyright Act demanded the extra royalties, which could amount to tens of millions of dollars in extra revenue annually. The appeals court said that downloading a music file is more aptly characterized as “reproducing” that file, and not subject to performance rights.

The 2nd U.S. Circuit Court of Appeals, ruling against ASCAP, said “perform,” as outlined in Section 101 of the Copyright Act, means to “recite, render, play, dance or act it either directly or by means of any device or process.”

ASCAP licenses the right to perform publicly the musical works of its members to a diverse array of music users, including internet and network-based sites and services, television and radio stations, restaurants, hotels and sports arenas.

The artists, represented by Theodore Olson, a former U.S. solicitor general, told the justices in their petition that the case was of “vital importance.”

“If the Second Circuit’s decision stands, songwriters and music publishers across the nation will be denied their statutory right to receive royalties for public performances when their works are downloaded over the internet — which is already one of the most prevalent means for the dissemination of copyrighted musical works,” Olson wrote.

The government, backed by Solicitor General Donald Verrilli Jr., a former Recording Industry Association of America attorney, urged the justices to reject ASCAP’s petition.

“Because the download itself involves no dancing, acting, reciting, rendering, or playing of the musical work encoded in the digital transmission, it is not a performance of that work,” the government wrote the justices.

See SCOTUSblog for documents in the case.

Photo: Phil Dokas/Flickr

GPS Inventor Urges Supreme Court to Reject Warrantless Tracking

President George W. Bush presents the National Medal of Technology to GPS inventor Roger L. Easton in 2006. The award is the nation's highest honor for technology achievements. (AP Photo/Pablo Martinez Monsivais)

The principal inventor of the Global Positioning System is asking the U.S. Supreme Court to renounce the Obama administration’s position that it may affix GPS devices to vehicles and track their every move without a court warrant.

Roger L. Easton, awarded the National Medal of Technology in 2006, joined the Center for Democracy & Technology, the Electronic Frontier Foundation and other academics in a friend-of-the-court brief lodged Monday in one of the biggest Fourth Amendment cases in a decade — one weighing the collision of privacy, technology and the Constitution. The justices are scheduled to hear arguments in the case Nov. 8.

Easton, now 90 and the principal inventor and developer of the Timation Satellite Navigation System at the Naval Research Laboratory more than five decades ago, and the others are telling the high court that its precedent on the topic is outdated, and the government’s reliance on it should be rejected.

One of the Obama administration’s main arguments in support of warrantless GPS tracking is the high court’s 1983 decision in United States v. Knotts, in which the justices said it was OK for the government to use beepers known as “bird dogs” to track a suspect’s vehicle without a warrant. Unlike beeper-assisted surveillance, which requires human “visual” surveillance, “GPS tracking is an automated process wholly divorced from human observation,” the amicus brief said.

A beeper enhances the effectiveness of real-time visual surveillance by enabling police officers to confirm that the vehicle that they see is the vehicle being tracked and providing a means of re-establishing visual surveillance. If officers become separated from the vehicle by more than a few miles, however, they must criss-cross the area until they pick up the beeper signal again. GPS tracking, by contrast, does not require any visual surveillance by police officers after the receiver has been installed. Instead, the receiver automatically calculates its location once every ten seconds. A police computer receiving that information through a cell phone connection then uses a mapping program to plot the receiver’s — and therefore the vehicle’s — location. The technology enables the police to monitor and record the vehicle’s location without ever observing or following the car themselves.

Beeper-assisted surveillance, the brief continues, “requires a police officer to follow the targeted vehicle, for the duration of the surveillance, in order to ascertain the vehicle’s location. That is because the beeper and receiver function only as directional finders, indicating the vehicle’s direction relative to the receiver, and thereby aiding in visual surveillance by pointing the police in the direction of the vehicle. The vehicle’s actual location can be determined only through the police officer’s observations.”

What’s more, “a beeper’s signal could be monitored from a distance of two to four miles on an open road and up to twenty miles in the air. In congested urban areas, the range could drop to about two blocks.” However, GPS pinpoints targets within “centimeters,” the brief said.

Among other arguments, the government told the justices that “Knotts, like this case, involved the use of a tracking device to monitor the movements of a vehicle on public roads. The tracking device in that case — a beeper — enabled officers to maintain surveillance of the vehicle’s movements when visual observations failed.”

The friend-of-the-court brief, written by Jeffrey Meyer of the Yale Law School Supreme Court Clinic and Andrew Pincus and Charles Rothfeld of the law firm Mayer Brown in Washington, D.C., goes into great detail about how beepers and GPS devices work.

The (GPS) receiver calculates its latitude, longitude, and altitude based on transmissions from the four nearest satellites using a process called trilateration. This process is best illustrated by imagining a GPS receiver located on the ground and four satellites (Satellites A, B, C, and D) located in the sky. The GPS receiver calculates that it is 10 miles away from Satellite A. Therefore, the receiver knows it is located somewhere on the surface of a sphere with a 10-mile radius, with the center of the sphere being Satellite A. Next, the receiver calculates it is located 15 miles away from Satellite B, which again means that it is located somewhere on the surface of a sphere with a 15-mile radius, centered on Satellite B. By repeating these calculations with Satellites C and D, the receiver can calculate where all four spheres intersect with each other, which will be one discrete point on the Earth’s surface. A GPS receiver also can compute its speed and the direction it is traveling with the data it receives from the satellites.

Ten years ago, the justices ruled that the authorities must obtain search warrants to employ thermal-imaging devices to detect indoor marijuana-growing operations, saying the imaging devices carry the potential to “shrink the realm of guaranteed privacy.”

In the case now before the justices, the Obama administration is demanding the high court reinstate the conviction and life sentence of a cocaine dealer whose vehicle was tracked via GPS for a month without a court warrant. A federal appeals court had reversed the conviction, saying such monitoring amounted to an illegal search of defendant Antoine Jones in violation of the Fourth Amendment. The conviction was based on court warrants to search and find drugs in the locations where Jones had traveled.

The justices accepted the government’s petition to hear the case to clear conflicting lower-court rulings on when warrants are required for GPS tracking. The government told the justices that GPS devices have become a common tool in crime fighting.

Easton declined comment.