The Complex

What type of cybersecurity information does the government want?

U.S. government officials this week laid out exactly what type of information they want to be able to collect in order to defend banks, utilities, transportation companies and other "critical infrastructure" providers against cyber attacks.

Given the heated opposition to several proposed cybersecurity laws over concerns that the government would access private data online, Killer Apps thought it would be useful to have the people involved at the highest levels of crafting, and potentially implementing, cybersecurity laws or regulations on the record as to precisely what type of information the government wants.

Both lawmakers and Defense Department officials insist that the government is only interested in looking at digital signatures that indicate the presence of malicious code, not information about people's identities or private lives.

"The so-called digital signatures that we're talking about here are ones and zeros in various patterns, they aren't the contents of emails, they are being used to identify dangerous malware or attacks that are coming into the system," said Sen. Susan Collins (R-Maine) yesterday during a panel discussion on cybersecurity at the Wilson Center in Washington. Collins, along with Sen. Joe Lieberman (I-Ct), co-sponsored last summer's failed Cybersecurity Act of 2012. "Our bill specifically makes sure that any information the private sector gives to the government related to cybersecurity is, and this is a horrible word for it, but it's something like anonymized."

This means that any information that "would help you identify the individual would not be transmitted" to the government, added Collins.

Gen. Keith Alexander, commander of both the National Security Agency and U.S. Cyber Command, elaborated on this, saying that even in cases when a private citizen's email has been hijacked for malicious purposes, the government will not be looking at the content of their emails (as long as these messages are being sent by an American citizen within the United States, anyway).

"We're arguing over a bad guy putting something in your email, sending it to somebody else to do something to him that you didn't know was going on, so ironically, both of you want to know that that's occurring," said Alexander during the same panel. "What happens is, the machines can [automatically] see signatures, they can see those go by and" send out an alert that a bad signature has been spotted.

"There is nothing about the traffic or the communications that the government will get," said Alexander. And by nothing, the general meant "no content."

"If signature A goes by, all the government needs to know -- DHS, FBI, NSA and Cyber Command -- is that an event occurred, we don't need to know anything more about the communications than A occurred" and that the signature went "from one point to another."

Alexander went on to reiterate his endorsement of a civilian agency such as the Department of Homeland Security taking the lead on protecting critical infrastructure from an attack, because civilian agencies are easier to keep an eye on than the military, with its culture of intense secrecy.

"The reason I really believe that DHS is in there is so that you all know that we're [the government] doing this right, it's transparent," said Alexander. "You want us [the military] to defend the country against an attack, you don't want us to be in the middle over here, operating in the country, trying to stop this thing or trying to set something up with industry when we should be defending the nation [from external attack], I would rather be defending the nation."

DoD, Glenn Fawcett

National Security

Sen. Collins is no fan of the White House's cyber security executive order

Sen. Susan Collins (R-Maine), co-author of last summer's failed Cyber Security Act of 2012, reiterated her stance that the White House should hold off on a planned executive order that many analysts expect will authorize near-real-time information sharing between private businesses and the government on cyber security threats.

"The executive order is a big mistake," said Collins in response to Killer Apps' questions during a panel discussion on cyber security at the Wilson Center in Washington today. "First of all, the executive order cannot grant the liability protections that are needed in order to encourage more participation by the private sector, so the executive order simply cannot accomplish what legislation can. In addition, an executive order is not lasting and it doesn't reflect a consensus by Congress on what should be done."

Collins went on to say that she worries that the order will "lull people into a false sense of security that we've taken care of cyber security; and the executive order cannot do that."

American Civil Liberties Union Executive Director Anthony Romero chimed in, saying that the ACLU is against the order since it could be used by future administrations to abuse civil liberties. The ACLU supported the Cyber Security Act of 2012 because it limited the government's ability to collect data about cyber security threats from private companies. The organization had strongly opposed previous cybersecurity bills.

As for the executive order, "Any action by any occupant of the White House on an executive order that mandates the collection of data across federal agencies worries me," said Romero. "It's not going to be President Obama forever, and we've had President Bush, and when you use executive order powers for good reasons, you'll find them used and turned right on us for bad reasons."

Romero went on to say that the order is a "misguided" short-term solution to a long-term problem.

The White House's order is being drafted after Republican senators sank Collins' White House-backed bill -- co-authored with Joe Lieberman (I-Ct) -- over their concerns that even the minimal cybersecurity standards that it required of privately owned banks, utilities, and other so-called critical infrastructure providers would be stifling to business. The White House will not discuss the order or say when it will be released.

This comes as the Defense Department is working to expand existing programs whereby defense contractors and Internet service providers share and receive information on cyber attacks and threats with DoD and intelligence agencies. Pentagon officials are now working with the Department of Homeland Security to implement similar practices between DHS and critical-infrastructure providers.

When asked why legislation was still needed despite these programs and the executive order, U.S. Cyber Command chief Gen. Keith Alexander said that these programs represent "a great step forward" that offer a glimpse of what could be achieved via legislation.

However, he added, "I believe there still is a need [for legislation]. The Defense Industrial Base Pilot [the name of one of the programs aimed at sharing information between DoD and defense contractors] is a way of exchanging information but not in real time and without liability protection and it's between the defense" companies and the government at a low classification level. He said, "It doesn't give us the ability to work with the Internet service providers and allow that to benefit the rest of the critical-infrastructure providers and the rest of government."

One of the key provisions in Collins' legislation gave private companies protection against being sued for wrongly sharing private citizens' information with the government in the name of security. Cyber security advocates see this type of liability protection as key to getting private companies to share information on cyber threats.

Collins added that, although she is also in favor of expanding the Pentagon's current information sharing programs, "there's no way that it will have the breadth that will be brought about by our legislation."

White House, Pete Souza