NSA allies with Internet carriers to thwart cyber attacks against defense firms

Eugen Leitl eugen at leitl.org
Tue Jun 21 08:56:24 PDT 2011


(what a great excuse to put up even more network probes -- oh, and 'cyber')

http://www.washingtonpost.com/national/major-internet-service-providers-cooperating-with-nsa-on-monitoring-traffic/2011/06/07/AG2dukXH_print.html

NSA allies with Internet carriers to thwart cyber attacks against defense
firms

By Ellen Nakashima, Published: June 16

The National Security Agency is working with Internet service providers to
deploy a new generation of tools to scan e-mail and other digital traffic
with the goal of thwarting cyberattacks against defense firms by foreign
adversaries, senior defense and industry officials say.

The novel program, which began last month on a voluntary, trial basis, relies
on sophisticated NSA data sets to identify malicious programs slipped into
the vast stream of Internet data flowing to the nation's largest defense
firms. Such attacks, including one last month against Bethesda-based Lockheed
Martin, are nearly constant as rival nations and terrorist groups seek access
to U.S. military secrets.

"We hope the . . . cyber pilot can be the beginning of something bigger,"
Deputy Defense Secretary William J. Lynn III said at a global security
conference in Paris on Thursday. "It could serve as a model that can be
transported to other critical infrastructure sectors, under the leadership of
the Department of Homeland Security."

The prospect of a role for the NSA, the nation's largest spy agency and a
part of the Defense Department, in helping Internet service providers filter
domestic Web traffic already had sparked concerns among privacy activists.
Lynn's suggestion that the program might be extended beyond the work of
defense contractors threatened to raise the stakes.

James X. Dempsey, vice president for public policy at the Center for
Democracy & Technology, a civil liberties group, said that limiting the NSA's
role to sharing data is "an elegant solution" to the long-standing problem of
how to use the agency's expertise while avoiding domestic surveillance by the
government. But, he said, any extension of the program must guarantee
protections against government access to private Internet traffic.

"We wouldn't want this to become a backdoor form of surveillance," Dempsey
said.

Officials say the pilot program does not involve direct monitoring of the
contractors' networks by the government. The program uses NSA-developed
"signatures," or fingerprints of malicious code, and sequences of suspicious
network behavior to filter the Internet traffic flowing to major defense
contractors. That allows the Internet providers to disable the threats before
an attack can penetrate a contractor's servers. The trial is testing two
particular sets of signatures and behavior patterns that the NSA has detected
as threats.

The Internet carriers are AT&T, Verizon and CenturyLink. Together they are
seeking to filter the traffic of 15 defense contractors, including Lockheed,
Falls Church-based CSC, McLean-based SAIC and Northrop Grumman, which is
moving its headquarters to Falls Church. The contractors have the option, but
not the obligation, to report the success rate to the NSA's Threat Operations
Center.

All three of the Internet carriers declined to comment on the pilot program.
Several of the defense contractors declined to comment as well.

Partnering with the major Internet providers "is probably the technically
quickest way to go and the best way to go" to defend dot-com networks, said
Gen. Keith B. Alexander, who heads the NSA and the affiliated U.S. Cyber
Command at Fort Meade, testifying before Congress in March.

The premise of this strategy is that combining the providers' ability to
filter massive volumes of traffic -- a large Internet carrier can monitor up
to 100 gigabits per second -- with the NSA's expertise will provide a greater
level of protection without violating privacy laws.

But the initiative stalled for months because of numerous concerns, including
Justice Department worries that the program would run afoul of privacy laws
forbidding government surveillance of private Internet traffic. Officials
have, at least for now, allayed that concern by saying that the government
will not directly filter the traffic or receive the malicious code captured
by the Internet providers. The Department of Homeland Security is a partner
in the pilot program.

"The U.S. government will not be monitoring, intercepting or storing any
private-sector communications," Lynn said. "Rather, threat intelligence
provided by the government is helping the companies themselves, or the
Internet service providers working on their behalf, to identify and stop
malicious activity within their networks."

But civil liberties advocates are worried that a provision in the White
House's recent legislative proposal on cybersecurity could open the way to
government surveillance through public-private partnerships such as this one.
They are concerned that the proposal would authorize companies to share vast
amounts of communications data with the federal government.

"The government needs to make up its mind about whether it wants to protect
networks or collect intelligence," Dempsey said.

Although this NSA technology is more sophisticated than traditional
anti-virus programs, it still can screen only for known threats. Developing
detection and mitigation strategies for emerging new threats is more
difficult.

The program also does not protect against insider threats or employees who
deliberately leak material. Nor will it protect a network from penetration by
hackers who have compromised security software, enabling them to log in as if
they were legitimate users. That is what happened recently when security firm
RSA's SecurID tokens were compromised, enabling hackers to penetrate Lockheed
Martin's computers. Lockheed said no customer, program or employee personal
data were compromised.

The pilot program has been at least a year in the making. Providers and
companies were concerned that they would be vulnerable to lawsuits or other
sanctions if they allowed the government to filter the traffic or shared
network data with the government. The NSA, meanwhile, was concerned about the
classified data getting into the hands of adversaries.

The Internet carriers that are part of the pilot are not being paid to
prepare their systems for it, an effort that industry officials said costs
millions of dollars. The providers will work with the companies they
currently serve. In some cases, they already provide a similar service of
filtering for malicious traffic using their own threat data.

Lynn's speech also appeared to outline key elements of the Pentagon's
cybersecurity strategy, an unclassified version of which is due out soon. The
strategy, said experts and analysts who have been briefed on it, focuses on
building defenses and a framework for deterrence. It also makes clear the
military's prerogative to use cyberwarfare and other traditional military
means if the United States is attacked or becomes engaged in hostilities with
an adversary.

"First we must raise the level of protection in government and military
networks," Lynn said Thursday. "We must ready our defense institution to
confront cyberthreats, because it is clear any future conflict will have a
cyber dimension."




