cftsmoke
Published in Homeland Security
Jul 26, 2014

Cyber Security. Do we really want an all-or-nothing approach?

After 9/11, when the government designated DHS to coordinate the security of the nation’s cyber-supported critical infrastructure, they forgot one important thing — it takes more than wishful thinking to transfer budget and power in DC. Although the Homeland Security Act (HSA) supposedly positioned DHS to direct the nation’s cyber security structure, the department has encountered well-documented resistance from other government agencies and the private sector that owns the critical infrastructures.

The resistant private sector has argued that, although the government has designated their facilities as national critical infrastructure, the systems are private property and not subject to government regulation or interference. Their arguments have proven to be quite the roadblock to DHS’s ideas, since Americans tend to agree with the Constitutional protection of private property. Currently, despite all of DHS’s best efforts, there appears to be no appetite within the government to utilize regulators to force private industry compliance, as has been done in other countries. As a consolation prize, DHS has focused its operations on developing defensive technology, sharing information and offering assistance or support if the private system owners make an official request.

But most surprisingly, DHS has been politically outmaneuvered and beaten up through political attacks launched by the military (DoD) and intelligence community (IC), conveniently acting as one entity. A few years back, through shrewd political maneuvering, the NSA Director’s job (IC) was “dual hatted” to concurrently serve as the Commander of USCYBERCOM (DoD). This dual job allows the 2 agencies, often acting in concert, to decide which operational guidelines they want to use on a given operation — which should cause concern for any American who is paying attention. Somehow that IC/DoD monster has managed to guide the political discourse and define any attack against the nation’s cyber-supported critical infrastructure as a “national security event”. What’s the big deal you ask?

Well, remember that most of those cyber-supported critical infrastructures are located within the US. And, considering that the 16 CIKR sectors include the nation’s financial and communication systems, this national security definition arguably allows the IC and DoD to operate within domestic systems where, conveniently, they can collect citizens’ personal information without any judicial oversight.

These days, few citizens realize that domestic operation of the IC and military violates the Posse Comitatus Act and the findings of the Church Commission, which was held following widespread civil rights abuses by the Intelligence Community. Both of these guidelines clearly prohibit the DoD and the IC from domestic operations. In fact, the Church Commission resulted in the passage of the FISA Act, which solely authorizes the FBI to conduct domestic intelligence collection operations with specific judicial oversight on their operations.

But don’t take my word for it. Perhaps we should listen to the architect of this effective re-defining of authorities, NSA Director / CYBERCOM General Keith Alexander. Unfortunately, Gen. Alexander publicly admitted that CYBERCOM lacks the authority to operate domestically except within DoD networks while defending them. However, in the same interview, he described all of the great work being done by his NSA “information assurance” directorate as it secures privately owned domestic systems. Something about that just doesn’t sound right since he runs them both. I guess we should just trust him that his two agencies, cyber attack and intelligence, don’t speak or share system access and information.

I think it’s time Americans start paying attention and take control of their privacy again. To take the first step to protect our civil rights, the government must clearly define the various types of cyber activity and the agency that will lead the security efforts. It’s really not as hard as some would have you think.

As defined by the US Federal Legal Code, Title 18 USC 1030 — any intrusion into a protected computer system is a violation of federal criminal law expressly designated to be investigated by the Federal Bureau of Investigation (FBI) or the United States Secret Service (USSS). So, in line with that law, intruders seeking financial gain through the theft of financial data or personal identity information (PII) should be responded to by US law enforcement. Alternatively, few would argue that an attack involving the intrusion into or theft of information from a US government system or a defense/industrial contractor should be considered cyber-espionage, which is solely mandated to be the operational domain of the FBI National Security/Counter Intelligence units.

Likewise, government offensive cyber attack forces and intelligence agencies (NSA and CYBERCOM) should be deployed against nation state targets to conduct foreign espionage for information collection and military uses. Most importantly, the Homeland Security Act (HSA) must be updated to provide DHS with binding legal authorities to direct the nation’s defensive efforts through budgetary oversight of the government’s cyber security mission.
