The Complex

What type of cybersecurity information does the government want?

U.S. government officials this week laid out exactly what type of information they want to be able to collect in order to defend banks, utilities, transportation companies and other "critical infrastructure" providers against cyber attacks.

Given the heated opposition to several proposed cybersecurity laws over concerns that the government would access private data online, Killer Apps thought it would be useful to have the people involved at the highest levels of crafting, and potentially implementing, cybersecurity laws or regulations on the record as to precisely what type of information the government wants.

Both lawmakers and Defense Department officials insist that the government is only interested in looking at digital signatures that indicate the presence of malicious code, not information about people's identities or private lives.

"The so-called digital signatures that we're talking about here are ones and zeros in various patterns, they aren't the contents of emails, they are being used to identify dangerous malware or attacks that are coming into the system," said Sen. Susan Collins (R-Maine) yesterday during a panel discussion on cybersecurity at the Wilson Center in Washington. Collins, along with Sen. Joe Lieberman (I-Ct), co-sponsored last summer's failed Cybersecurity Act of 2012. "Our bill specifically makes sure that any information the private sector gives to the government related to cybersecurity is, and this is a horrible word for it, but it's something like anonymized."

This means that any information that "would help you identify the individual would not be transmitted" to the government, added Collins.

Gen. Keith Alexander (shown above), commander of both the National Security Agency and U.S. Cyber Command, elaborated on this, saying that even in cases when a private citizen's email has been hijacked for malicious purposes, the government will not be looking at the content of their emails (as long as these messages are being sent by an American citizen within the United States, anyway).

"We're arguing over a bad guy putting something in your email, sending it to somebody else to do something to him that you didn't know was going on, so ironically, both of you want to know that that's occurring," said Alexander during the same panel. "What happens is, the machines can [automatically] see signatures, they can see those go by and" send out an alert that a bad signature has been spotted.

"There is nothing about the traffic or the communications that the government will get," said Alexander. And by nothing, the general meant "no content."

"If signature A goes by, all the government needs to know -- DHS, FBI, NSA and Cyber Command -- is that an event occurred, we don't need to know anything more about the communications than A occurred" and that the signature went "from one point to another."

Alexander went on to reiterate his endorsement of a civilian agency such as the Department of Homeland Security having the lead on protecting critical infrastructure from an attack, because civilian agencies are easier to keep an eye on than the military is, with its culture of intense secrecy.

"The reason I really believe that DHS is in there is so that you all know that we're [the government] doing this right, it's transparent," said Alexander. "You want us [the military] to defend the country against an attack, you don't want us to be in the middle over here, operating in the country, trying to stop this thing or trying to set something up with industry when we should be defending the nation [from external attack], I would rather be defending the nation."

DoD, Glenn Fawcett

