[Infowarrior] - Bush Order Expands Network Monitoring

Richard Forno rforno at infowarrior.org
Sat Jan 26 14:29:56 UTC 2008


Bush Order Expands Network Monitoring
Intelligence Agencies to Track Intrusions
http://www.washingtonpost.com/wp-dyn/content/article/2008/01/25/AR2008012503261_pf.html

By Ellen Nakashima
Washington Post Staff Writer
Saturday, January 26, 2008; A03

President Bush signed a directive this month that expands the intelligence
community's role in monitoring Internet traffic to protect against a rising
number of attacks on federal agencies' computer systems.

The directive, whose content is classified, authorizes the intelligence
agencies, in particular the National Security Agency, to monitor the
computer networks of all federal agencies -- including ones they have not
previously monitored.

Until now, the government's efforts to protect itself from cyber-attacks --
which run the gamut from hackers to organized crime to foreign governments
trying to steal sensitive data -- have been piecemeal. Under the new
initiative, a task force headed by the Office of the Director of National
Intelligence (ODNI) will coordinate efforts to identify the source of
cyber-attacks against government computer systems. As part of that effort,
the Department of Homeland Security will work to protect the systems and the
Pentagon will devise strategies for counterattacks against the intruders.

There has been a string of attacks on networks at the State, Commerce,
Defense and Homeland Security departments in the past year and a half. U.S.
officials and cyber-security experts have said Chinese Web sites were
involved in several of the biggest attacks back to 2005, including some at
the country's nuclear-energy labs and large defense contractors.

The NSA has particular expertise in monitoring a vast, complex array of
communications systems -- traditionally overseas. The prospect of aiming
that power at domestic networks is raising concerns, just as the NSA's role
in the government's warrantless domestic-surveillance program has been
controversial.

"Agencies designed to gather intelligence on foreign entities should not be
in charge of monitoring our computer systems here at home," said Rep. Bennie
Thompson (D-Miss.), chairman of the House Homeland Security Committee.
Lawmakers with oversight of homeland security and intelligence matters say
they have pressed the administration for months for details.

The classified joint directive, signed Jan. 8 and called the National
Security Presidential Directive 54/Homeland Security Presidential Directive
23, has not been previously disclosed. Plans to expand the NSA's role in
cyber-security were reported in the Baltimore Sun in September.

According to congressional aides and former White House officials with
knowledge of the program, the directive outlines measures collectively
referred to as the "cyber initiative," aimed at securing the government's
computer systems against attacks by foreign adversaries and other intruders.
It will cost billions of dollars, which the White House is expected to
request in its fiscal 2009 budget.

"The president's directive represents a continuation of our efforts to
secure government networks, protect against constant intrusion attempts,
address vulnerabilities and anticipate future threats," said White House
spokesman Scott Stanzel. He would not discuss the initiative's details.

The initiative foreshadows a policy debate over the proper role for
government as the Internet becomes more dangerous.

Supporters of cyber-security measures say the initiative falls short because
it doesn't include the private sector -- power plants, refineries, banks --
where analysts say 90 percent of the threat exists.

"If you don't include industry in the mix, you're keeping one of your eyes
closed because the hacking techniques are likely the same across government
and commercial organizations," said Alan Paller, research director at the
SANS Institute, a Bethesda-based cyber-security group that assists companies
that face attacks. "If you're looking for needles in the haystack, you need
as much data as you can get because these are really tiny needles, and bad
guys are trying to hide the needles."

Under the initiative, the NSA, CIA and the FBI's Cyber Division will
investigate intrusions by monitoring Internet activity and, in some cases,
capturing data for analysis, sources said.

The Pentagon can plan attacks on adversaries' networks if, for example, the
NSA determines that a particular server in a foreign country needs to be
taken down to disrupt an attack on an information system critical to the
U.S. government. That could include responding to an attack against a
private-sector network, such as the telecom industry's, sources said.

Also, as part of its attempt to defend government computer systems, the
Department of Homeland Security will collect and monitor data on intrusions,
deploy technologies for preventing attacks and encrypt data. It will also
oversee the effort to reduce Internet portals across government to 50 from
2,000, to make it easier to detect attacks.

"The government has taken a solid step forward in trying to develop
cyber-defenses," said Paul B. Kurtz, a security consultant and former
special adviser to the president on critical infrastructure protection.
Kurtz said the initiative's purpose is not to spy on Americans. "The thrust
here is to protect networks."

One of the key questions is whether it is necessary to read communications
to investigate an intrusion.

Ed Giorgio, a former NSA analyst who is now a security consultant for ODNI,
said, "If you're looking inside a DoD system and you see data flows going to
China, that ought to set off a red flag. You don't need to scan the content
to determine that."

But often, traffic analysis is not enough, some experts said. "Knowing the
content -- that a communication is sensitive -- allows proof positive that
something bad is going out of that computer," said one cyber-security expert
who spoke on the condition of anonymity because of the initiative's
sensitivity.

Allowing a spy agency to monitor domestic networks is worrisome, said James
X. Dempsey, policy director of the Center for Democracy and Technology.
"We're concerned that the NSA is claiming such a large role over the
security of unclassified systems," he said. "They are a spy agency as well
as a communications security agency. They operate in total secrecy. That's
not necessary and not the most effective way to protect unclassified
systems."

A proposal last year by the White House Homeland Security Council to put the
Department of Homeland Security in charge of the initiative was resisted by
national security agencies on the grounds that the department, established
in 2003, lacked the necessary expertise and authority. The tug-of-war lasted
weeks and was resolved only recently, several sources said.

Staff researcher Richard Drezen contributed to this report.



