NSA Chief: Agency Wants to Provide Malware Signatures, Not Enter Private Networks

Col. Todd Wood, commander of 1st Stryker Brigade Combat Team, 25th Infantry Division, gives Gen. Keith Alexander, director of the NSA, an operational update at Forward Operating Base Masum Ghar in southern Kandahar Province, Afghanistan. Photo: U.S. Army/Sgt. Michael Blalack, 1/25 SBCT Public Affairs.

The NSA continued to downplay its role in the cyberdefense of private networks when Gen. Keith Alexander told a Senate committee Tuesday that his intelligence agency absolutely did not want to be lurking in private networks monitoring data for threats.

Instead, he said the NSA should only play a role in providing malware signatures to private industry to help them monitor their networks on their own in order to detect threats. Companies could then tell the government about those attacks in real time so that the government could analyze and help stop them.

“The information sharing … would allow industry, armed with signatures that we can provide, signatures that they have … to provide a better defense,” he said.

Alexander, head of the National Security Agency and the U.S. Cyber Command, told the Senate Armed Services Committee that the NSA should also play a role in providing the president and other branches of the military with support for developing the appropriate response to cyberattacks.

Alexander was not questioned about NSA domestic wiretapping, as he was last week in regard to a Wired cover story about the NSA’s growing infrastructure and power.

Alexander’s statement about monitoring civilian networks comes a month after the Washington Post reported that the NSA had pushed repeatedly over the past year to expand its role in protecting private-sector networks, but had been rebuffed by the White House because the administration felt the NSA’s proposal would “permit unprecedented government monitoring of routine civilian Internet activity.”

Alexander’s statement also comes after he told an audience at Fordham University earlier this year that in order to stop a cyberthreat “you have to see it in real time, and you have to have those authorities. Those are the conditions that we have put on the table. Now, how and what the administration and Congress choose, that will be a policy issue.”

His remarks at the university had been interpreted to mean the NSA wanted increased authority to conduct real-time monitoring to protect private networks. But Alexander disputed this interpretation in his remarks to the Senate.

“What we’re not talking about is putting NSA or the military into our networks to see the attack,” he said. “What we’re talking about … is we have to have the ability to work with industry, our partners, so that when they are attacked or see an attack they can share that with us immediately.”

He likened it to a missile attack that would go unnoticed without radar detection in place to see it.

“If we have a cyber attack coming in and no one tells us that that cyberattack is going on, we can’t stop it,” he said. “Today, we’re in the forensics mode – what that means is an attack or exploit normally occurs we’re told about it after the fact. I think we should be in the prevention mode in stopping that… I think that industry should have the ability to see these and share that with government in real time.”

But the NSA’s role in defending private networks has been harshly debated in Washington. According to the Washington Post, the proposal the NSA had unsuccessfully pushed for at the White House would have required critical infrastructure companies – such as utilities, telecoms, ISPs, transportation and financial services companies – to allow their e-mail and other internet traffic to be scanned using threat signatures provided by the NSA and to turn over any evidence of a suspected attack to the government for analysis. The NSA felt the government needed an expanded role because private firms had failed to demonstrate that they were capable of defending themselves against cyber threats.

The proposal could have required some 300 to 500 firms to let their ISP or a private company scan their computer networks for malware using the government’s threat signatures and other data. DHS would have been responsible for designating which companies had to participate in the scanning program, based on whether they had achieved certain security benchmarks.

The NSA argued that the scanning would have been automated and would have been conducted by non-government entities, to protect personal privacy, and would only have involved government analysis if a potential threat were identified.

But the White House and the Justice Department rejected the proposal, according to the Post, on grounds that large ISPs could be designated critical entities and therefore be forced to have all the internet traffic they processed scanned on behalf of the government, providing the government with an extensive window into the behavior of U.S. citizens online.

The proposal was meant to expand on a Pentagon pilot project that the government had launched last year, in which internet carriers that handled internet traffic for private defense firms were provided with malware signatures from the NSA to scan the traffic for possible cyber threats.

But a Carnegie Mellon University report on the pilot project showed that the signatures the NSA provided did not noticeably affect the carrier’s ability to defend against attacks. The report found that in many cases the signatures did not prevent intrusions that the companies could not have blocked themselves, and that most of the signatures were ones that the companies, or the security firms that worked with them, already possessed, calling into question the value that NSA signatures would have in protecting private networks.