New government entity to take control over military and civilian networks

With little fanfare, the U.S. Cyber Command (CYBERCOM) has officially begun operation this week. The entity is a collection of personnel from the National Security Agency (NSA), Army, Navy, Marines, Air Force and policy makers (read: politicians). The stated purpose is to protect the vital interests of the United States in relation to the Internet. The entity is not just defensive in nature but can also engage in preemptive “strikes” intended to disrupt threats. Because this was an internal reorganization within the Department of Defense, the creation of CYBERCOM did not require congressional approval.

Even though the primary purpose of CYBERCOM is to protect government and military networks, there is incredible pressure to extend that “protection” to civilian and business networks as well. In fact, the second highest official at the Pentagon, William Lynn III – Deputy Secretary of Defense, recently announced that the Department of Defense might start a protective program for civilian networks. Defense Secretary Robert Gates stated the same thing in June 2009.

Policies are being finalized that will allow the Department of Homeland Security (DHS) to request help from CYBERCOM to protect government and civilian networks. Unfortunately, there isn’t any clarity on what the criteria would be to initiate a request for help. An official at CYBERCOM stated: “From our perspective the threshold is really easy: it’s when we get a request from DHS,” the official noted. “What’s their threshold? I couldn’t tell you what their threshold is.”

On the surface this may sound benign, but it is actually quite insidious. The NSA is completing work on threat monitoring systems called EINSTEIN 2 and EINSTEIN 3. According to declassified documents, the stated purposes of these two systems are as follows:

DHS (Department of Homeland Security) is deploying, as part of its EINSTEIN 2 activities, signature-based sensors capable of inspecting Internet traffic entering Federal systems for unauthorized accesses and malicious content. The EINSTEIN 2 capability enables analysis of network flow information to identify potential malicious activity while conducting automatic full packet inspection of traffic entering or exiting U.S. Government networks for malicious activity using signature-based intrusion detection technology…. EINSTEIN 2 is capable of alerting US-CERT in real time to the presence of malicious or potentially harmful activity in federal network traffic and provides correlation and visualization of the derived data….

The EINSTEIN 3 system will also support enhanced information sharing by US-CERT with Federal Departments and Agencies by giving DHS the ability to automate alerting of detected network intrusion attempts and, when deemed necessary by DHS, to send alerts that do not contain the content of communications to the National Security Agency (NSA) so that DHS efforts may be supported by NSA exercising its lawfully authorized missions.

Deputy Secretary of Defense William Lynn stated that private companies that operate critical infrastructure (electrical grid, telecommunication networks, Internet service providers, the banking and financial industry, etc.) should install EINSTEIN monitoring agents or else they will face the “wild, wild west of the Internet”. He went on to state that failing to protect these critical infrastructures “could lead to physical damage and economic disruption on a massive scale.”

In other words:

Private companies are not capable of protecting their own networks
The government is the only one who is capable of protecting the infrastructure
Disaster will strike unless government intercedes to protect us

Words matter, and their usage needs to be analyzed in order to determine what someone is saying (or not saying) and to fully assess a situation:

Lynn stated: “I think it’s gonna have to be voluntary,” he added. “People could opt into protection – or choose to stay out. Individual users may well choose to stay out. But in terms of protecting the nation’s security, it’s not the individual users [that matter most]. I mean, they have to worry about their individual [data], their credit rating, and all that. But it’s the vulnerability of certain critical infrastructure – power, transportation, finance. This starts to give you an angle at doing that.”

Essentially, Lynn is stating that individual citizens can opt out of EINSTEIN but critical entities will not have a choice.

In summary, we have a new government entity created without congressional approval whose purpose is to monitor (read: spy on) all Internet traffic in the United States, and to take unspecified preemptive strikes when something happens that the agency deems unacceptable…

Obviously, privacy organizations are deeply troubled by CYBERCOM’s ability to monitor the content of all Internet communication. No information has been presented to date on the privacy implications of EINSTEIN 3, and limited information has been provided on an early 2008 version of EINSTEIN 2.

Fortunately, we have many recent examples worldwide that we can examine to see how governments use these protective powers to defend their citizens in cyberspace:

China does an amazing job of shutting down sites (or blocking access to them altogether) that are critical of its communist government
Pakistan recently blocked access to YouTube because of content deemed “offensive” to Islam
Bangladesh also blocked access to YouTube because of images of the country’s leaders deemed “obnoxious”
Thailand blocked sites back in 2008 when protesters were demonstrating against the government

“Those who would give up essential liberty to purchase a little temporary safety deserve neither liberty nor safety” – Benjamin Franklin
