Balancing Cybersecurity And Citizen Freedom

There is a very interesting discussion of the protection of Federal Networks and the Fourth Amendment in “Cybersecurity, Selected Legal Issues,” Congressional Research Service (CRS) Report for Congress (3 May 2012).

The Department of Homeland Security (DHS) in conjunction with the National Security Agency (NSA) rolled out EINSTEIN, an intrusion detection system (IDS) in early iterations, and later an intrusion prevention system (IPS) at all Internet points of presence (POPs) for the government.

The system works through copying, storage, and deep packet inspection of not only the metadata for addressing information, but also the actual contents of the flow. This handling is necessary in order to identify suspicious malware signatures and behavior and alert the United States Computer Emergency Response Team (US-CERT) in order to block, quarantine, clean, and respond to the attacks and share information about these.

However, the civil liberties and privacy issue with EINSTEIN is that according to the Fourth Amendment, we are protected from unreasonable search and seizures. Thus, there are concerns about the violation of the Fourth Amendment, when DHS monitors and inspects addressing and content of all email and Internet communications to and from federal agency employees and the public–including not only from government email accounts and systems, but also from private email accounts such as Yahoo and Gmail and social media sites like Facebook and Twitter.

The justification for the use of EINSTEIN includes:

1. The government cannot reasonably get warrants in real time in order to safeguard the federal network and systems at the speed that the attacks are occurring.

2. The government places banners and user agreements on all Federal networks notifying users of monitoring, so there is no expectation of privacy in the communications.

3. The monitoring is conducted only for malicious computer activity and not for other unlawful activities—so “clean” traffic is promptly removed from the system.

4. Privacy protections are ensured through review mechanisms, including Attorney General and Director of National Intelligence (DNI) reporting to Congress every six months and a sunset provision requiring monitoring reauthorization every four years.

This tension between monitoring of Federal networks and traffic and civil liberties and privacy is a recurring issue when it comes to cybersecurity. On one hand, we want cybersecurity, but on the other hand, we are anxious about this security infringing on our freedoms—whether freedom of expression, from search and seizure, from surveillance, or from potentially costly regulation, stifling innovation, and so forth. It is this tension that has stalled many cybersecurity bills such as the Stop Online Privacy Act (SOPA), Cyber Intelligence Sharing and Protection Act (CISPA), The Computer Security Act of 2012 and more.

In the absence of a clear way forward with legislation to regulate and enforce, or incentivize, standards and best practices for cybersecurity, particularly for critical infrastructure protection, as well as information sharing, the White House released Presidential Policy Directive/PDD-21 on Critical Infrastructure Security and Resilience to establish DHS and other federal agency roles in cybersecurity and to manage these on a risk-based model, so that critical infrastructure is identified, prioritized, assessed, and secured accordingly.

While PDD-21 is a step in the right direction, it is an ongoing challenge to mediate a balance between maintaining our values and constitutional freedoms, while at the same time securing cyberspace.

One thought is that perhaps we can model cybersecurity after the Posse Comitatus Act of 1878 that separated federal military from domestic national guard and law enforcement powers. Using this model, we can create in cyberspace a separation of cybersecurity from our borders outward by the federal government, and within the domestic private networks by our national guard and law enforcement.

Thus, we can create stronger security radiating out at the national periphery, while maintaining our important freedoms within, but always working together to identify and neutralize any and all threats to cyberspace. 😉

(Source Photo: Andy Blumenthal)

Which Big Brother

About a decade ago, after the events of 9/11, there was a program called Total Information Awareness (TIA) run out of the Defense Advanced Research Projects Agency (DARPA).

The intent was to develop and use technology to capture data (lots of it), decipher it, link it, mine it, and present and use it effectively to protect us from terrorists and other national security threats.

Due to concerns about privacy–i.e. people’s fear of “Big Brother”–the program was officially mothballed, but the projects went forward under other names.

This month Wired (April 2012) reports that the National Security Agency (NSA) has almost achieved the TIA dream–“a massive surveillance center” capable of analyzing yottabytes (10 to the 24th bytes) of data that is being completed in the Utah desert.

According to the article, the new $2 billion Utah Data (Spy) Center is being built by 10,000 construction workers and is expected to be operational in a little over a year (September 2013), and will capture phone calls, emails, and web posts and process them by a “supercomputer of almost unimaginable speed to look for patterns and unscramble codes.”

While DOD is most interested in “deepnet”–“data beyond the reach of the public” such as password protected data, governmental communications, and other “high value” information, the article goes on to describe “electronic monitoring rooms in major US telecom facilities” to collect information at the switch level, monitor phone calls, and conduct deep packet inspection of Internet traffic using systems (like Narus).

Despite accusations of massive domestic surveillance at this center, Fox News (28 March 2012) this week reported that those allegations have been dismissed by NSA. The NSA Director himself, General Keith Alexander, provided assurances at congressional hearings the prior week that the center was not for domestic surveillance purposes, but rather “to protect the nation’s cyber security,” a topic that he is deeply passionate about.

Certainly new technologies (especially potentially invasive ones) can be scary from the perspective of civil liberties and privacy concerns.

However, with the terrorists’ agenda very clear, there is no alternative but to use all legitimate innovation and technology to our advantage when it comes to national security–to understand our enemies, their networks, their methods, their plans, to stop them, and take them down before they do us harm.

While it is true that the same technologies that can be used against our enemies can also be turned against us, we must through protective laws and ample layers of oversight ensure that this doesn’t happen.

Adequate checks and balances in government are essential to ensure that “bad apples” don’t take root and potentially abuse the system, even if that is the exception and not the rule.

There is a difference between the big brother who is there to defend his siblings from the schoolyard bully or pulls his wounded brother in arms off the battlefield, and the one who takes advantage of them.

Not every big brother is the Big Brother from George Orwell’s “1984” totalitarian state, but if someone is abusing the system, we need to hold them accountable.

Protecting national security and civil liberties is a dual responsibility that we cannot wish away, but which we must deal with using common sense and vigilance.