The New York Times

August 12, 2013

N.S.A. Leaks Make Plan for Cyberdefense Unlikely


WASHINGTON — Even while rapidly expanding its electronic surveillance around the world, the National Security Agency has lobbied inside the government to deploy the equivalent of a “Star Wars” defense for America’s computer networks, designed to intercept cyberattacks before they could cripple power plants, banks or financial markets.

But administration officials say the plan, championed by Gen. Keith B. Alexander, the director of the National Security Agency and head of the Pentagon’s Cyber Command, has virtually no chance of moving forward given the backlash against the N.S.A. over the recent disclosures about its surveillance programs.

Senior agency officials concede that much of the technology needed to filter malicious software, known as malware, by searching incoming messages for signs of programs designed to steal data, or attack banks or energy firms, is strikingly similar to the technology the N.S.A. already uses for surveillance.

“The plan was always a little vague, at least as Keith described it, but today it may be Snowden’s biggest single victim,” one senior intelligence official said recently, referring to Edward J. Snowden, the former N.S.A. contractor who released documents revealing details of many of the agency’s surveillance programs.

“Whatever trust was there is now gone,” the official added. “I mean, who would believe the N.S.A. when it insists it is blocking Chinese attacks but not using the same technology to read your e-mail?”

On Friday, the N.S.A. reported for the first time that it “touches about 1.6 percent” of all the traffic carried on the Internet each day. In a statement, it said it closely examines only a tiny fraction of that information. But General Alexander’s plan would put the agency, or Internet-service providers acting on its behalf, in the position of examining a far larger percentage of the world’s information flows.

Under this proposal, the government would latch into the giant “data pipes” that feed the largest Internet service providers in the United States, companies like A.T.&T. and Verizon. The huge volume of traffic that runs through those pipes, particularly e-mails, would be scanned for signs of anything from computer servers known for attacks on the United States or for stealing information from American companies. Other “metadata” would be inspected for evidence of malicious software.

“It’s defense at network speed,” General Alexander told a Washington security-research group recently, according to participants. “Because you have only milliseconds.”

This summer, the N.S.A. has begun assembling scores of new cyber “offense” and “defense” teams, the agency’s most concrete step toward preparing the Pentagon and intelligence agencies for a new era of computer conflict. Erecting a national cyberdefense is a key element of that plan. At an interagency meeting that discussed the flood of cyberattacks directed daily at American networks, from Chinese efforts to steal corporate secrets to Iranian efforts to cripple financial institutions, General Alexander said, “I can’t defend the country until I’m into all the networks,” according to other officials who were present.

The appeal of such a program is its seeming simplicity: The worst malware could be blocked before it reaches companies, universities or individual users, many of whom may be using outdated virus protections, or none at all. Normal commercial virus programs are always running days, or weeks, behind the latest attacks — and the protection depends on users’ loading the latest versions on their computers.

The government has been testing a model for a national defense against cyberattack with major defense contractors including Lockheed Martin, Boeing and Raytheon. Early results were disappointing, but participants in the program — the specific details of which are heavily classified — say they are getting significantly improved results. Each company in the defense industrial base program now shares data on the kinds of attacks it is seeing, anonymously, with other participating companies.

But for the N.S.A., which is building a target list of servers used by the most aggressive cyberattackers, monitoring all Internet traffic would also be an intelligence bonanza. It would give it a real-time way to watch computer servers around the world, and focus more quickly on those it suspects are the breeding ground for governments or private hackers preparing attacks.

Even before the Snowden revelations, General Alexander had encountered opposition. Top officials of the Department of Homeland Security, which is responsible for domestic defense of the Internet, complained that N.S.A. monitoring would overly militarize America’s approach to defending the Internet, rather than making sure users took the primary responsibility for protecting their systems.

The deputy secretary of defense, Ashton B. Carter, described in speeches over the past year an alternative vision in which the government would step in to defend America’s networks only as a last line of defense. He compares the Pentagon’s proper role in defending cyberattacks to its “Noble Eagle” operation, in which it intercepts aircraft that appear threatening only after efforts by the airlines to identify the passengers and by the Transportation Safety Administration to search passengers and luggage have failed.

It appears unlikely that, with the administration divided, and faced with a backlash against the N.S.A. in Congress, any proposal for a formal plan for national cyberdefense will be submitted soon. Members of the Intelligence Committees in the House and Senate said that they were only vaguely aware of General Alexander’s plan, but that it would almost certainly require Congressional approval.

That is a fight the White House is not interested in having while it struggles to get a much more modest cybersecurity bill through Congress after years of arguments over privacy concerns and corporate America’s fears that Washington will dictate how companies protect data and how much they must spend on new defenses. The bill failed last year, and passage this year appears in doubt.

Before the Snowden revelations, General Alexander’s idea appeared to be gaining some ground because of concerns over the cyber-enabled Chinese theft of critical corporate secrets, including some designs for the F-35 Joint Strike Fighter. Internal intelligence reports, based on N.S.A. analysis, attributed an attack on American banks to Iran’s cybercorps, a unit of the Revolutionary Guards.

“After the Iranian attacks, we were looking at these ideas pretty hard,” said a recently departed senior official in the Obama national security team, who like other officials declined to be identified because of the sensitivities of the government’s discussions about building Internet defenses.

But this summer, the mood in Congress has changed. The White House only narrowly avoided a House vote to cut off the collection of metadata about telephone calls in the country. Suddenly a national debate emerged; along the way the N.S.A. admitted that until 2011 it had collected about 1 percent of all e-mails in the United States, until the program was canceled after being judged ineffective.

“Cyberissues usually change so rapidly because of the advance of technology,” said Peter D. Feaver, a Duke University professor who worked in the National Security Council in the George W. Bush administration.

“But the biggest change in the last year has been political: Public skepticism about U.S. cyberoperations is dramatically higher today, and it could result in political constraints that were off the table even a year ago.”

Charlie Savage contributed reporting.