Posted by: David Schneier
Information Security Threats, Laws, Investigations and Ethics
The United States’ public and private networks are under constant attack by both foreign governments and other groups, and that trend is likely to continue. That’s the net takeaway of the cybersecurity section of the Annual Threat Assessment of the Director of National Intelligence for the Senate Select Committee on Intelligence, a report issued this week by DNI Michael McConnell. If you’re looking for the cogent analysis in that section, keep looking. McConnell spends less than a page assessing the current threats to the country’s computer networks, and essentially all of the information contained in that assessment is common knowledge anyone who has been paying even a little bit of attention to the security landscape since, say, 1999. To wit:
We assess that nations, including Russia and China, have the technical capabilities to target and disrupt elements of the US information infrastructure and for intelligence collection. Nation states and criminals target our government and private sector information networks to gain competitive advantage in the commercial sector. Terrorist groups—including al-Qa’ida, HAMAS, and Hizballah—have expressed the desire to use cyber means to target the United States. Criminal elements continue to show growing sophistication in technical capability and targeting, and today operate a pervasive, mature on-line service economy in illicit cyber capabilities and services available to anyone willing to pay.
The assessment goes on to say that the government can’t afford to sit back and worry about attacks only after they occur; it needs to stop them from happening in the first place. Not to put too fine a point on it, but isn’t that precisely the job of the national intelligence community, not just with regard to cybersecurity, but in the physical world as well?
Perhaps just as worrisome as this outdated view of information security is the opening section of the report, in which McConnell implores the committee to extend the provisions of the infamous Protect America Act. He uses the classic fear, uncertainty and doubt argument, saying that without an extension of the act’s far-reaching warrantless wiretapping provisions–and the retroactive protections for ISPs that participate in these operations–the intelligence community will be severely hampered.
Expiration of the Act would lead to the loss of important tools the Intelligence Community relies on to discover the plans of our enemies. As reflected in your Committee report, merely extending the PAA without addressing retroactive liability protection for the private sector will likely have far reaching consequences for the Intelligence Community…Over the past several weeks, proposals to modify the Senate Intelligence committee bill have been discussed and I would ask Members to consider the impacts of such proposals on our Nation’s Intelligence Community and its ability to warn leaders of threats to our Homeland and our interests. As my testimony will describe, the threats we face are global, complex, and dangerous; we must have the tools to enable the detection and disruption of terrorist plots and other threats.
In other words, if you mess with our ability to tap communications on domestic networks, very bad things will happen. The problem here is that proponents of this line of thinking have a powerful trump card that they love to play whenever this argument arises. It goes something like this: Since 2001, Congress and the courts have granted the government sweeping new surveillance and wiretapping powers and there haven’t been any more terrorist attacks, so therefore those powers are preventing terrorist attacks. This is as flawed as logic gets, but it’s worked like the Jedi mind trick for several years now, and there’s little chance the government will be abandoning it anytime soon.