[Infowarrior] - OpEd: NSA's cyber overkill
Richard Forno
rforno at infowarrior.org
Tue Jul 14 11:54:50 UTC 2009
NSA's cyber overkill
A project to safeguard governmental computers, run by the NSA, is too
big a threat to Americans' privacy.
By Jesselyn Radack
July 14, 2009
http://www.latimes.com/news/printedition/opinion/la-oe-radack14-2009jul14,0,6845797.story
Cyber security is a real issue, as evidenced by the virus behind July
4 cyber attacks that hobbled government and business websites in the
United States and South Korea. It originated from Internet provider
addresses in 16 countries and targeted, among others, the White House
and the New York Stock Exchange.
Unfortunately, the Obama administration has chosen to combat it in a
move that runs counter to its pledge to be transparent. The
administration reportedly is proceeding with a Bush-era plan to use
the National Security Agency to screen government computer traffic on
private-sector networks. AT&T is slated to be the likely test site.
This classified pilot program, dubbed "Einstein 3," is developed but
not yet rolled out. It takes two offenders from President Bush's
contentious secret surveillance program and puts them in charge of
scrutinizing all Internet traffic going to or from federal government
agencies.
Despite its name, the Einstein 3 program is more genie than genius --
an omnipotent force (run by the NSA via AT&T's "secret rooms") that
does the government's bidding -- spying. The last time around, this
sort of scheme was known as the "special access" program -- "special"
being code for "unconstitutional."
Einstein 3 purportedly is meant to protect government networks from
hackers. But cyber-security experts -- such as Babak Pasdar, who blew
the whistle on a mysterious "Quantico Circuit" while working for a
major service provider -- agree that Einstein 3 offers no intrinsic
security value. The program is implemented where servers exchange
traffic between one another -- in the heart of a network system rather
than at the perimeter, which interfaces with the outside world. This
is similar to a home security system that only monitors the central
interior of a house, rather than keeping an eye on the actual doors
(and the purpose of hackers may simply be to enter).
Furthermore, Einstein 3 focuses on collecting, processing and
analyzing all person-to-person communications content rather than
looking for hacker and malicious software attack patterns directed at
government sites and installations -- which should raise eyebrows.
The prospect of NSA involvement in secret surveillance should set off
alarm bells. The intelligence community lost any benefit of the doubt
the last time it collected and read Americans' domestic e-mail
messages without court warrants. Einstein 3 is based primarily on
covert technologies developed by the NSA for the purposes of
wiretapping.
The telecom companies also have lost their privacy cred. In a tacit
admission that the proposed new program is problematic and possibly
illegal, AT&T has sought written assurances from the administration
that it will not be legally liable for participating in the program.
The company was sued over its role in aiding Bush's electronic
eavesdropping on Americans and, along with other telecoms, received
retroactive immunity from Congress.
Earlier incarnations of the Einstein program observe predetermined
signatures (specific patterns of network traffic), but Einstein 3
would look at the content of e-mails and other messages sent over
government systems.
Moreover, while Einstein 1 and Einstein 2 passively observe
information, Einstein 3 technology plans to use "active sensors." This
is a tactic used by malware developers and is a popular feature of
spyware that clogs up the Internet, slows down PCs and tips off
hackers by emitting signals.
And most disturbingly, according to the Department of Homeland
Security's 2008 "Privacy Impact Assessment," while earlier iterations
of Einstein implemented signatures based on malicious computer codes,
Einstein 3 could include signatures based on personally identifiable
information. The privacy implications are great. Any citizen logging
on to a ".gov" website would trigger this.
The IRS and other governmental agencies collect sensitive personal
information for legitimate and limited purposes. However, strict
confidentiality rules apply to that information. Although the
Department of Homeland Security, which is managing the program,
insists that the "main focus is to identify malicious code," we've
heard such empty reassurances before.
Media reports indicate that government officials recently acknowledged
during closed meetings of the House and Senate Intelligence and
Judiciary committees that Americans' e-mails that were improperly
gathered or read during Bush's warrantless wiretapping program -- even
under the relaxed 2008 intelligence surveillance law -- were not just
an "incidental byproduct." According to a former NSA analyst and two
intelligence analysts interviewed by the New York Times, the e-mails
could number in the millions.
Further, a government review of the Bush wiretapping program, released
Friday, questioned the effectiveness of the surveillance efforts.
President Obama's federalization of many private systems and his
adoption of the Bush administration's spying tactics are on a
collision course that would expose many Americans' private data and
communications to government scrutiny. I suspect that the public would
be appalled that a taxpayer's financial information or a patient's
medical records would be available to, much less perused by, the NSA.
There are far less invasive network defenses that can secure
government computing environments, such as upgrading good
old-fashioned firewalls and filtering routers.
Obama came into office vested with vast new surveillance powers, which
he voted for as a senator. Atty. Gen. Eric H. Holder Jr., while
strenuously avoiding the word "illegal," called the original Bush
snooping "unwise." But instead of trying to put the genie back in the
bottle, Obama is considering expanding its power.
This is antithetical to basic civil liberties and privacy protections
that are the core of a democratic society. Perhaps we can draw a
lesson from the real Einstein, who ultimately regretted his role in
urging the development of dangerous technology -- the atomic bomb --
and spent the rest of his life advocating against it.
Jesselyn Radack is the homeland security director of the Government
Accountability Project in Washington.