DHS, Not NSA, Should Lead Cybersecurity, Pentagon Official Says

NSA headquarters in Fort Meade, Maryland. Photo: Courtesy NSA

In the midst of an ongoing turf battle over how big a role the National Security Agency should play in securing the nation’s critical infrastructure, a Defense Department official asserted on Wednesday that the military’s controversial intelligence agency should take a backseat to the Department of Homeland Security in this regard.

“Obviously, there are amazing resources at NSA, a lot of magic that goes on there,” said Eric Rosenbach, deputy assistant secretary of Defense for Cyber Policy in the Department of Defense. “But it’s almost certainly not the right approach for the United States of America to have a foreign intelligence focus on domestic networks, doing something that throughout history has been a domestic function.”

Rosenbach, who was speaking at the RSA Security conference in San Francisco, was adamant that the DHS, a civilian agency, should take the lead for domestic cybersecurity, with the FBI taking a strong role as the country’s domestic law enforcement agency.

“But that doesn’t mean that DoD and NSA don’t play in the game,” he said. “We’re more the supporting effort.”

Current and former Defense Department officials have been asserting in the last several years that the NSA should have a more leading role, and specifically should be allowed to monitor network traffic to detect and thwart malicious attacks before they occur. In addition to its role in spying on other governments and threats to the U.S., the NSA has responsibility for securing the government’s classified networks, and its defensive skills are highly regarded in the security community.

But the agency’s involvement in the government’s warrantless wiretapping program following the Sept. 11 terrorist attacks has caused critics to question whether the agency could be trusted to monitor traffic for computer security reasons without at the same time recording and data-mining the contents of communications for intelligence purposes. Recent reports note that the White House has pushed back against the NSA’s efforts to gain a more leading role in securing the civilian internet.

The issue is expected to be at the forefront of congressional battles around cybersecurity legislation introduced in the House and Senate, which some Republicans have asserted don’t give the NSA a strong enough role in the nation’s cybersecurity defense.

Two Senate bills have proposed different approaches to the problem. Two weeks ago Sen. Joe Lieberman (I-Conn.), along with Sen. Susan Collins (R-Maine) and Sen. Jay Rockefeller (D-W.Va.), introduced the Cybersecurity Act of 2012 (.pdf).

The bill gives the Department of Homeland Security regulatory authority over the private companies that control designated critical infrastructure systems — such as telecommunications networks and electric grids — and would require owners and operators of critical infrastructure to meet security standards established by the National Institute of Standards and Technology, the National Security Agency and other designated entities, or face unspecified civil penalties. A second bill introduced on Thursday by Sen. John McCain (R-Arizona) focuses on information sharing to secure systems, rather than regulation.

The government’s increasing focus on cybersecurity can be seen in DHS’s 2013 budget request, which asks for $769 million for cybersecurity efforts – 74 percent higher than 2012′s budget request. The Defense Department’s budget for security is counted in billions, though the precise amount is classified.

Rosenbach was speaking on a panel at the conference, moderated by Dmitri Alperovitch, co-founder of a newly-launched cybersecurity firm called CrowdStrike. The panel included Adam Segal, senior fellow for counterterrorism and national security studies at the Council on Foreign Relations; Jim Lewis, senior fellow and program director with the Center for Strategic and International Studies, and Martin Libicki, a senior scientist with the RAND Corporation think tank.

The panelists also discussed whether U.S. adversaries actually had the ability to conduct a destructive attack against the nation’s critical infrastructure. Despite recent rhetoric from government officials and intelligence agencies that Anonymous, Iran, Al Qaeda and others are bent on destroying U.S. critical infrastructure in a cyberattack, they lack the capability to do so, the panelists said.

“There are not that many good hackers out there among the jihadists,” Libicki said. He noted that “It’s one thing to hack into a system and do damage to it, it’s another to hack into a system and get everything to go off at exactly the right time [to cause real destruction]. That requires a degree of command and control . . . a degree of being able to hide a lot of things for a certain length of time that is really very difficult.”

And others who do have the capability to successfully attack critical infrastructure, such as China and other nation states, lack the intent to do so, since they recognize that they are equally susceptible to such attacks.

Lewis said a Chinese military officer, in speaking about cybersecurity, once told him, “Look, America has big stones in its hand… but it also has plate glass windows. China has stones in its hand, but we also have plate glass windows. … They have an understanding there are shared vulnerabilities,” he said.

He added, however, that this doesn’t mean China and other countries that are capable of such attacks aren’t already routinely doing the necessary reconnaissance to be ready to conduct such attacks.

“Everybody is ready to do what they need to do,” he said. “We don’t want to make the mistake of underestimating our opponents, in particular the high-end opponents. . . . They’re doing the reconnaissance and they have capabilities.”

The panelists also addressed the issue of economic espionage and the leading role that China appears to be playing in hacking U.S. company systems to steal trade secrets.

“The Chinese are inside virtually every major company here in the U.S. and in other western countries,” Alperovitch said. “They’re stealing everything we’ve got, and literally vacuuming it off.”

Segal saw three reasons the Chinese might eventually taper off this activity, though he wasn’t convinced they would actually do so.

As the Chinese economy modernized and became more dependent on IT, and the People’s Liberation Army becomes more net-centric like the U.S. military, he said the Chinese would become more vulnerable to the same types of attack and would therefore re-calculate the usefulness of conducting such attacks against others.

He also thought espionage might decrease because of its threat to important bilateral relations with the United States and the European Union, who are becoming more vocal in their condemnation of China over the attacks.

And finally, he pointed out, the Chinese don’t like being positioned as pariahs, outside the globally accepted norms. He noted that China’s stance on nuclear proliferation has improved since the 1980s, due in part to outside pressure to conform with the positions of other nations.

Rosenbach noted that the U.S. had taken unprecedented steps in recent months by publicly condemning China for espionage, referring to an unclassified report released several months ago that explicitly named China among nation states that were perpetrating economic espionage against the United States. “As funny as it sounds, that’s a big step forward for the United States government,” he said.

But he noted that there are major constraints when dealing with the espionage threat from China. “They have a lot of economic leverage against the United States, and that’s something we have to think very seriously about, weighing all of our national interests.”

Alperovitch said that while the U.S. has an explicit policy against economic espionage, many of our allies are doing the same thing China is doing. He wondered if it wasn’t hypocritical to complain about China when our allies were also committing economic espionage.

Rosenbach insisted it wasn’t hypocritical of the U.S., but didn’t elaborate other than to say that he didn’t know how economic espionage would work in the U.S. should the U.S. decide to engage in it.

“Can you imagine the horde of lawyers that would descend on D.C. to try to pick which companies were going to get the R&D we had stolen from the Chinese?”