June 13, 2009
Privacy May Be a Victim in Cyberdefense Plan
By THOM SHANKER and DAVID E. SANGER
WASHINGTON – A plan to create a new Pentagon cybercommand is raising significant privacy and diplomatic concerns, as the Obama administration moves ahead on efforts to protect the nation from cyberattack and to prepare for possible offensive operations against adversaries’ computer networks.
President Obama has said that the new cyberdefense strategy he unveiled last month will provide protections for personal privacy and civil liberties. But senior Pentagon and military officials say that Mr. Obama’s assurances may be challenging to guarantee in practice, particularly in trying to monitor the thousands of daily attacks on security systems in the United States that have set off a race to develop better cyberweapons.
Much of the new military command’s work is expected to be carried out by the National Security Agency, whose role in intercepting the domestic end of international calls and e-mail messages after the Sept. 11, 2001, attacks, under secret orders issued by the Bush administration, has already generated intense controversy.
There is simply no way, the officials say, to effectively conduct computer operations without entering networks inside the United States, where the military is prohibited from operating, or traveling electronic paths through countries that are not themselves American targets.
The cybersecurity effort, Mr. Obama said at the White House last month, “will not – I repeat, will not – include monitoring private sector networks or Internet traffic.”
But foreign adversaries often mount their attacks through computer network hubs inside the United States, and military officials and outside experts say that threat confronts the Pentagon and the administration with difficult questions.
Military officials say there may be a need to intercept and examine some e-mail messages sent from other countries to guard against computer viruses or potential terrorist action. Advocates say the process could ultimately be accepted as the digital equivalent of customs inspections, in which passengers arriving from overseas consent to have their luggage opened for security, tax and health reasons.
“The government is in a quandary,” said Maren Leed, a defense expert at the bipartisan Center for Strategic and International Studies who was a Pentagon special assistant on cyberoperations from 2005 to 2008.
Ms. Leed said a broad debate was needed “about what constitutes an intrusion that violates privacy and, at the other extreme, what is an intrusion that may be acceptable in the face of an act of war.”
In a recent speech, Gen. James E. Cartwright, vice chairman of the Joint Chiefs of Staff and a chief architect of the new cyberstrategy, acknowledged that a major unresolved issue was how the military – which would include the National Security Agency, where much of the cyberwar expertise resides – could legally set up an early warning system.
Unlike a missile attack, which would show up on the Pentagon’s screens long before reaching American territory, a cyberattack may be visible only after it has been launched in the United States.
“How do you understand sovereignty in the cyberdomain?” General Cartwright asked. “It doesn’t tend to pay a lot of attention to geographic boundaries.”
For example, the daily attacks on the Pentagon’s own computer systems, or probes sent from Russia, China and Eastern Europe seeking chinks in the computer systems of corporations and financial institutions, are rarely seen before their effect is felt inside the United States.
Some administration officials have begun to discuss whether laws or regulations must be changed to allow law enforcement, the military or intelligence agencies greater access to networks or Internet providers when significant evidence of a national security threat was found.
Ms. Leed said that while the Defense Department and related intelligence agencies were the only organizations that had the ability to protect against such cyberattacks, “they are not the best suited, from a civil liberties perspective, to take on that responsibility.”
Under plans being completed at the Pentagon, the new cybercommand will be run by a four-star general, much the way Gen. David H. Petraeus runs the wars in Afghanistan and Iraq from Central Command in Tampa, Fla. But the expectation is that whoever is in charge of the new command will also direct the National Security Agency, an effort to solve the turf war between the spy agency and the military over who is in charge of conducting offensive operations.
While the N.S.A.’s job is chiefly one of detection and monitoring, the agency also possesses what Michael D. McConnell, the former director of national intelligence, called “the critical skill set” to respond quickly to cyberattacks. Yet the Defense Department views cyberspace as its domain as well, a new battleground after land, sea, air and space.
The complications are not limited to privacy concerns. The Pentagon is increasingly worried about the diplomatic ramifications of being forced to use the computer networks of many other nations while carrying out digital missions – the computer equivalent of the Vietnam War’s spilling over the Cambodian border in the 1960s. To battle Russian hackers, for example, it might be necessary to act through the virtual cyberterritory of Britain or Germany or any country where the attack was routed.
General Cartwright said military planners were trying to write rules of engagement for scenarios in which a cyberattack was launched from a neutral country that might have no idea what was going on. But, with time of the essence, it may not be possible, the scenarios show, to ask other nations to act against an attack that is flowing through their computers in milliseconds.
“If I pass through your country, do I have to talk to the ambassador?” General Cartwright said. “It is very difficult. Those are the questions that are now really starting to emerge vis-à-vis cyber.”
Frida Berrigan, a longtime peace activist who is a senior program associate at the New America Foundation’s arms and security initiative, expressed concerns about whether the Obama administration would be able to balance its promise to respect privacy in cyberspace even as it appeared to be militarizing cybersecurity.
“Obama was very deliberate in saying that the U.S. military and the U.S. government would not be looking at our e-mail and not tracking what we do online,” Ms. Berrigan said. “This is not to say there is not a cyberthreat out there or that cyberterrorism is not a significant concern. We should be vigilant and creative. But once again we see the Pentagon being put at the heart of it and at front lines of offering a solution.”
Ms. Berrigan said that just as the counterinsurgency wars in Iraq and Afghanistan had proved that “there is no front line anymore, and no demilitarized zone anymore, then if the Pentagon and the military services see cyberspace as a battlefield domain, then the lines protecting privacy and our civil liberties get blurred very, very quickly.”