White House, NSA weigh cybersecurity, personal privacy

By Ellen Nakashima, February 27, 2012

The National Security Agency has pushed repeatedly over the past year to expand its role in protecting private-sector computer networks from cyberattacks but has been rebuffed by the White House, largely because of privacy concerns, according to administration officials and internal documents.

The most contentious issue was a legislative proposal last year that would have required hundreds of companies that provide such critical services as electricity generation to allow their Internet traffic to be continuously scanned using computer threat data provided by the spy agency. The companies would have been expected to turn over evidence of potential cyberattacks to the government.

NSA officials portrayed such measures as unobtrusive ways to protect the nation’s vital infrastructure from what they said are increasingly dire threats of devastating cyberattacks.

But the White House and Justice Department argued that the proposal would permit unprecedented government monitoring of routine civilian Internet activity, according to documents and officials familiar with the debate. They spoke on the condition of anonymity to describe administration deliberations. Internal documents reviewed by The Washington Post backed these descriptions.

White House officials cautioned the NSA that President Obama has opposed cybersecurity measures that weaken personal privacy protections. They also warned the head of the spy agency, Army Gen. Keith Alexander, to restrain his public comments after speeches in which he argued that more expansive legal authority was necessary to defend the nation against cyberattacks, according to several officials.

“We have had to remind him to at least be cognizant of what the administration’s policy positions are, so if he’s openly advocating for something beyond that, that is undermining the commander in chief,” an administration official said.

The debate, which is surfacing as Congress considers landmark cyber-legislation, turns on what means are necessary and appropriate to protect vital private-sector systems from attack by China, Russia or other potential adversaries. Even some criminal gangs and hackers, such as the self-styled activist group Anonymous, increasingly may acquire the tools to mount major assaults on the nation’s computer systems, U.S. officials say.

NSA officials said that they have issued warnings about such threats but that they have not sought to establish policy.

“As a major source of the nation’s technical expertise on cyber and cybersecurity, we have a responsibility to ensure our leaders are informed and aware of what is happening in the cyber-realm,” NSA spokeswoman Judith Emmel said. “We also work diligently to team with other agencies, industry and academia to find solutions to protecting our nation’s critical infrastructure.”

Protecting key industries

The proposal was intended to supplement an administration legislative package, unveiled in May, that NSA officials thought did not go far enough in protecting critical industries such as nuclear power, according to administration officials. The proposal was put forth by the Defense Department, which includes the NSA, and the Department of Homeland Security.

The proposal drew on a Pentagon pilot program launched last year in which Internet service providers used the NSA’s library of threat data to scan e-mails and other computer traffic flowing to and from the nation’s top defense contractors. That program was a response to fears that foreign spy services were using cyber-technology to steal corporate or U.S. military secrets.

A Pentagon-commissioned report in November validated the concept but said the effectiveness of such an approach remained uncertain.

The NSA, however, saw the program as a model for expanding its role in protecting other potentially significant targets of cyberattacks. The proposed legislation would have made participation in an expanded program mandatory for designated industries that didn’t reach certain security benchmarks on their own after one year, according to a draft copy of the legislation and officials.

The reason, NSA officials said in internal administration discussions, is that the companies have not shown that they are capable of defeating the rapidly evolving universe of cyberthreats. By the time a major attack on a water system or nuclear plant is discovered, it might be too late to thwart it.

“In order to stop it, you have to see it in real time, and you have to have those authorities,” Alexander, who is also head of the U.S. military’s Cyber Command, said in remarks at Fordham University in New York last month. “Those are the conditions that we have put on the table. Now, how and what the administration and Congress choose, that will be a policy issue.”
