[Infowarrior] - Privacy May Be a Victim in Cyberdefense Plan

Richard Forno rforno at infowarrior.org
Sat Jun 13 03:07:38 UTC 2009 

June 13, 2009
Cyberwar
Privacy May Be a Victim in Cyberdefense Plan
By THOM SHANKER And DAVID E. SANGER

http://www.nytimes.com/2009/06/13/us/politics/13cyber.html?_r=2&hp=&pagewanted=print

WASHINGTON — A plan to create a new Pentagon cybercommand is raising  
significant privacy and diplomatic concerns, as the Obama  
administration moves ahead on efforts to protect the nation from  
cyberattack and to prepare for possible offensive operations against  
adversaries’ computer networks.

President Obama has said that the new cyberdefense strategy he  
unveiled last month will provide protections for personal privacy and  
civil liberties. But senior Pentagon and military officials say that  
Mr. Obama’s assurances may be challenging to guarantee in practice,  
particularly in trying to monitor the thousands of daily attacks on  
security systems in the United States that have set off a race to  
develop better cyberweapons.

Much of the new military command’s work is expected to be carried out  
by the National Security Agency, whose role in intercepting the  
domestic end of international calls and e-mail messages after the  
Sept. 11, 2001, attacks, under secret orders issued by the Bush  
administration, has already generated intense controversy.

There is simply no way, the officials say, to effectively conduct  
computer operations without entering networks inside the United  
States, where the military is prohibited from operating, or traveling  
electronic paths through countries that are not themselves American  
targets.

The cybersecurity effort, Mr. Obama said at the White House last  
month, “will not — I repeat, will not — include monitoring private  
sector networks or Internet traffic.”

But foreign adversaries often mount their attacks through computer  
network hubs inside the United States, and military officials and  
outside experts say that threat confronts the Pentagon and the  
administration with difficult questions.

Military officials say there may be a need to intercept and examine  
some e-mail messages sent from other countries to guard against  
computer viruses or potential terrorist action. Advocates say the  
process could ultimately be accepted as the digital equivalent of  
customs inspections, in which passengers arriving from overseas  
consent to have their luggage opened for security, tax and health  
reasons.

“The government is in a quandary,” said Maren Leed, a defense expert  
at the bipartisan Center for Strategic and International Studies who  
was a Pentagon special assistant on cyberoperations from 2005 to 2008.

Ms. Leed said a broad debate was needed “about what constitutes an  
intrusion that violates privacy and, at the other extreme, what is an  
intrusion that may be acceptable in the face of an act of war.”

In a recent speech, Gen. James E. Cartwright, vice chairman of the  
Joint Chiefs of Staff and a chief architect of the new cyberstrategy,  
acknowledged that a major unresolved issue was how the military —  
which would include the National Security Agency, where much of the  
cyberwar expertise resides — could legally set up an early warning  
system.

Unlike a missile attack, which would show up on the Pentagon’s screens  
long before reaching American territory, a cyberattack may be visible  
only after it has been launched in the United States.

“How do you understand sovereignty in the cyberdomain?” General  
Cartwright asked. “It doesn’t tend to pay a lot of attention to  
geographic boundaries.”

For example, the daily attacks on the Pentagon’s own computer systems,  
or probes sent from Russia, China and Eastern Europe seeking chinks in  
the computer systems of corporations and financial institutions, are  
rarely seen before their effect is felt inside the United States.

Some administration officials have begun to discuss whether laws or  
regulations must be changed to allow law enforcement, the military or  
intelligence agencies greater access to networks or Internet providers  
when significant evidence of a national security threat was found.

Ms. Leed said that while the Defense Department and related  
intelligence agencies were the only organizations that had the ability  
to protect against such cyberattacks, “they are not the best suited,  
from a civil liberties perspective, to take on that responsibility.”

Under plans being completed at the Pentagon, the new cybercommand will  
be run by a four-star general, much the way Gen. David H. Petraeus  
runs the wars in Afghanistan and Iraq from Central Command in Tampa,  
Fla. But the expectation is that whoever is in charge of the new  
command will also direct the National Security Agency, an effort to  
solve the turf war between the spy agency and the military over who is  
in charge of conducting offensive operations.

While the N.S.A.’s job is chiefly one of detection and monitoring, the  
agency also possesses what Michael D. McConnell, the former director  
of national intelligence, called “the critical skill set” to respond  
quickly to cyberattacks. Yet the Defense Department views cyberspace  
as its domain as well, a new battleground after land, sea, air and  
space.

The complications are not limited to privacy concerns. The Pentagon is  
increasingly worried about the diplomatic ramifications of being  
forced to use the computer networks of many other nations while  
carrying out digital missions — the computer equivalent of the Vietnam  
War’s spilling over the Cambodian border in the 1960s. To battle  
Russian hackers, for example, it might be necessary to act through the  
virtual cyberterritory of Britain or Germany or any country where the  
attack was routed.

General Cartwright said military planners were trying to write rules  
of engagement for scenarios in which a cyberattack was launched from a  
neutral country that might have no idea what was going on. But, with  
time of the essence, it may not be possible, the scenarios show, to  
ask other nations to act against an attack that is flowing through  
their computers in milliseconds.

“If I pass through your country, do I have to talk to the ambassador?”  
General Cartwright said. “It is very difficult. Those are the  
questions that are now really starting to emerge vis-à-vis cyber.”

Frida Berrigan, a longtime peace activist who is a senior program  
associate at the New America Foundation’s arms and security  
initiative, expressed concerns about whether the Obama administration  
would be able to balance its promise to respect privacy in cyberspace  
even as it appeared to be militarizing cybersecurity.

“Obama was very deliberate in saying that the U.S. military and the  
U.S. government would not be looking at our e-mail and not tracking  
what we do online,” Ms. Berrigan said. “This is not to say there is  
not a cyberthreat out there or that cyberterrorism is not a  
significant concern. We should be vigilant and creative. But once  
again we see the Pentagon being put at the heart of it and at front  
lines of offering a solution.”

Ms. Berrigan said that just as the counterinsurgency wars in Iraq and  
Afghanistan had proved that “there is no front line anymore, and no  
demilitarized zone anymore, then if the Pentagon and the military  
services see cyberspace as a battlefield domain, then the lines  
protecting privacy and our civil liberties get blurred very, very  
quickly.”

More information about the Infowarrior mailing list