WASHINGTON - Early last year, as Edward Snowden was secretly purloining classified documents from National Security Agency computers in Hawaii, the agency’s director, Gen. Keith Alexander, was gearing up to sell Congress and the public on a proposal for the National Security Agency to defend private U.S. computer networks against cyberattacks.
Alexander wanted to use the agency’s powerful tools to scan Internet traffic for malicious software code. He insisted the agency could kill the viruses and other digital threats without reading consumers’ private emails, texts and Web searches.
The National Security Agency normally protects military and other national security computer networks. Alexander also wanted authority to prevent hackers from penetrating U.S. banks, defense industries, telecommunications systems and other institutions to crash their networks or to steal intellectual property worth billions of dollars.
But after Snowden began leaking National Security Agency systems for spying in cyberspace last June, Alexander’s proposal was seen as a political nonstarter.
It was one of several initiatives by President Barack Obama’s administration, in Congress and in diplomacy, that experts say have been stopped cold or set back by the Snowden affair. As a result, U.S. officials have struggled to respond to the daily onslaught of attacks from Russia, China and elsewhere, a vulnerability that U.S. intelligence agencies now rank as a greater threat to national security than terrorism.
“All the things [the NSA] wanted to do are now radioactive, even though they were good ideas,” said James Lewis, a cybersecurity expert at the Center for Strategic and International Studies, a nonpartisan think tank in Washington.
Snowden “has slowed everything down,” said U.S. Rep. Mike Pompeo, R-Kan., who serves on the House Intelligence Committee.
At town-hall meetings in Wichita, Kan., Pompeo said, voters stated that the National Security Agency already is reading their emails - which it staunchly denies - and they aren’t sympathetic to giving the agency more authority.
The Obama administration has said it plans to release this year a list of voluntary best practices in cybersecurity for critical infrastructure, including electric utilities and chemical plants. And the State Department’s cybercoordinator, Christopher Painter, has achieved some little-noticed successes, including agreements with Russia designed to smooth communications about cyberissues.
But Obama’s warnings last summer to Chinese President Xi Jinping to halt what U.S. officials describe as state-sponsored hacking of U.S. corporations mostly have gone unheeded. The official U.S. position - that governments hacking governments for military and other official secrets is permissible, but governments hacking businesses for trade secrets is not - is a tougher sell these days.
Leaked documents showing that the National Security Agency spied on Brazil’s largest energy corporation, Petrobras, among other targets, have convinced many overseas that the U.S. government “engages in significant espionage related to economic affairs,” Harvard law professor Jack Goldsmith, a former legal adviser to President George W. Bush, wrote in an email.
Although Washington insists governments shouldn’t spy on businesses, “the rest of the world ignores us because the U.S. position has no basis in international law, it is obviously self-serving, and it seems trite in the context of its massive surveillance in other contexts,” he added.
U.S. Attorney General Eric Holder told a Senate hearing Wednesday that the Justice Department is investigating the cybertheft of 110 million Target customers’ data during a two-week breach in December, including debit and credit card numbers of 40 million customers along with names, addresses, email addresses and phone numbers of 70 million others.
Similarly, CrowdStrike, a security technology and services company based in Irvine, Calif., said it recently identified a successful Russian campaign to steal data from hundreds of American, European and Asian companies, including energy and technology companies. CrowdStrike did not name the purported victims, citing confidentiality agreements.
Many companies and institutions, which rely on a free flow of information, do too little to protect their networks. They also often are constrained from tipping off the government or other companies about computer attacks, or malicious software, because of potential shareholder suits or other legal liability.
The FBI, National Security Agency and Homeland Security Department, in turn, are barred by law from sharing malware signatures obtained from classified systems with the public. The problem, experts say, is akin to disease specialists not being allowed to share information about bacterial strains.
White House-backed legislation to legalize such sharing - the Cyber Intelligence Sharing and Protection Act - always faced an uphill fight in Congress because of concern that companies would give too much customer information to the government. But after Snowden revealed that major telecommunications and technology companies were transferring vast amounts of Americans’ data to the National Security Agency, the bill was shelved.
A Homeland Security Department operation called Einstein monitors Internet traffic to search for attacks and intrusions on networks used by federal agencies. It uses deep-packet inspection technology to scan for malicious code headed the government’s way.
Alexander, who is retiring as National Security Agency chief in March, had hoped last year to adopt a similar model for the entire Web, not just the government portion. Instead, he has spent the past seven months defending the National Security Agency against criticism of the programs Snowden exposed, and seeking to repair the damage.
Front Section, Pages 1 on 02/03/2014