NSA’s Cyber Overkill
A project to safeguard governmental computers, run by the NSA, is too big a threat to Americans’ privacy
By Jesselyn Radack
Los Angeles Times, July 14, 2009
Cyber security is a real issue, as evidenced by the virus behind July 4 cyber attacks that hobbled government and business websites in the United States and South Korea. It originated from Internet provider addresses in 16 countries and targeted, among others, the White House and the New York Stock Exchange.
Unfortunately, the Obama administration has chosen to combat it in a move that runs counter to its pledge to be transparent. The administration reportedly is proceeding with a Bush-era plan to use the National Security Agency to screen government computer traffic on private-sector networks. AT&T is slated to be the likely test site. This classified pilot program, dubbed “Einstein 3,” is developed but not yet rolled out. It takes two offenders from President Bush’s contentious secret surveillance program and puts them in charge of scrutinizing all Internet traffic going to or from federal government agencies.
Despite its name, the Einstein 3 program is more genie than genius — an omnipotent force (run by the NSA via AT&T’s “secret rooms”) that does the government’s bidding — spying. The last time around, this sort of scheme was known as the “special access” program — “special” being code for “unconstitutional.”
Einstein 3 purportedly is meant to protect government networks from hackers. But cyber-security experts — such as Babak Pasdar, who blew the whistle on a mysterious “Quantico Circuit” while working for a major service provider — agree that Einstein 3 offers no intrinsic security value. The program is implemented where servers exchange traffic between one another — in the heart of a network system rather than at the perimeter, which interfaces with the outside world. This is similar to a home security system that only monitors the central interior of a house, rather than keeping an eye on the actual doors (and the purpose of hackers may simply be to enter).
Furthermore, Einstein 3 focuses on collecting, processing and analyzing all person-to-person communications content rather than looking for hacker and malicious software attack patterns directed at government sites and installations — which should raise eyebrows.
The prospect of NSA involvement in secret surveillance should set off alarm bells. The intelligence community lost any benefit of the doubt the last time it collected and read Americans’ domestic e-mail messages without court warrants. Einstein 3 is based primarily on covert technologies developed by the NSA for the purposes of wiretapping.
The telecom companies also have lost their privacy cred. In a tacit admission that the proposed new program is problematic and possibly illegal, AT&T has sought written assurances from the administration that it will not be legally liable for participating in the program. The company was sued over its role in aiding Bush’s electronic eavesdropping on Americans and, along with other telecoms, received retroactive immunity from Congress.
Earlier incarnations of the Einstein program observe predetermined signatures (specific patterns of network traffic), but Einstein 3 would look at the content of e-mails and other messages sent over government systems.
Moreover, while Einstein 1 and Einstein 2 passively observe information, Einstein 3 technology plans to use “active sensors.” This is a tactic used by malware developers and is a popular feature of spyware that clogs up the Internet, slows down PCs and tips off hackers by emitting signals.
And most disturbingly, according to the Department of Homeland Security’s 2008 “Privacy Impact Assessment,” while earlier iterations of Einstein implemented signatures based on malicious computer codes, Einstein 3 could include signatures based on personally identifiable information. The privacy implications are great. Any citizen logging on to a “.gov” website would trigger this.
The IRS and other governmental agencies collect sensitive personal information for legitimate and limited purposes. However, strict confidentiality rules apply to that information. Although the Department of Homeland Security, which is managing the program, insists that the “main focus is to identify malicious code,” we’ve heard such empty reassurances before.
Media reports indicate that government officials recently acknowledged during closed meetings of the House and Senate Intelligence and Judiciary committees that Americans’ e-mails that were improperly gathered or read during Bush’s warrantless wiretapping program — even under the relaxed 2008 intelligence surveillance law — were not just an “incidental byproduct.” According to a former NSA analyst and two intelligence analysts interviewed by the New York Times, the e-mails could number in the millions.
Further, a government review of the Bush wiretapping program, released Friday, questioned the effectiveness of the surveillance efforts.
President Obama’s federalization of many private systems and his adoption of the Bush administration’s spying tactics are on a collision course that would expose many Americans’ private data and communications to government scrutiny. I suspect that the public would be appalled that a taxpayer’s financial information or a patient’s medical records would be available to, much less perused by, the NSA. There are far less invasive network defenses that can secure government computing environments, such as upgrading good old-fashioned firewalls and filtering routers.
Obama came into office vested with vast new surveillance powers, which he voted for as a senator. Atty. Gen. Eric H. Holder Jr., while strenuously avoiding the word “illegal,” called the original Bush snooping “unwise.” But instead of trying to put the genie back in the bottle, Obama is considering expanding its power.
This is antithetical to basic civil liberties and privacy protections that are the core of a democratic society. Perhaps we can draw a lesson from the real Einstein, who ultimately regretted his role in urging the development of dangerous technology — the atomic bomb — and spent the rest of his life advocating against it.
Jesselyn Radack is the homeland security director of the Government Accountability Project in Washington.