Now that large institutions like NATO and the United Nations have recognized cyberspace as the fifth domain for warfare (“after land, sea, air, and outer space”), and the Pentagon has brought its Cyber Command up to speed, the Obama administration has drawn up rules of engagement for America’s laptop legionnaires. In case of a major assault on the country’s computer networks, it seems, the Pentagon can operate on American soil.
This is a big deal. As a rule, the military deploys on enemy soil. The president can make exceptions for natural disasters, and now the White House has set up guidelines for exceptions in the case of computer warfare.
“The rules were deemed essential,” writes The New York Times, “because most of the government’s computer-network capabilities reside within the Pentagon — while most of the important targets are on domestic soil, whether within the government or in critical private operations like financial networks or a regional power grid.”
The trouble with this arrangement is that some ex-military types — like former Vice Adm. Michael McConnell, who served as director of national intelligence under President George W. Bush — have pushed for years for more military meddling in the civilian Internet.
McConnell now works for a consultancy, Booz Allen Hamilton, but before he left office he warned President Bush that the threat of cyberwarfare was dire enough that “the U.S. government should have unfettered and warrantless access to U.S. citizens’ Google search histories, private e-mails and file transfers,” according to Wired.com. Last spring, in The Washington Post, he warned that “we need to reengineer the Internet to make attribution, geolocation, intelligence analysis and impact assessment — who did it, from where, why and what was the result — more manageable.”
McConnell wants the National Security Agency, in particular, to lead the way. He used to run the NSA, which is an arm of the Pentagon. As such, it has no business eavesdropping on Americans or operating within U.S. borders, but it has a history of doing so anyway. The warrantless wiretapping [http://www.eff.org/issues/nsa-spying] scandal under President Bush saw the NSA creating “secret rooms” where AT&T routed domestic e-mail and telephone traffic through illegal government filters.
The NSA already has a filtering system for e-mail and Internet traffic flowing into government networks to “anticipate intrusions,” as Deputy Secretary of Defense William Lynn told Wired’s Danger Room last spring. Einstein 2 and Einstein 3 are systems meant to read “threat signatures” on e-mail messages — not the e-mail content, in theory — looking for superficial hints that the messages might be part of an attack. The Wall Street Journal reported in July that the NSA would run similar filtering projects on private networks that belong to the nation’s “critical infrastructure.”
“The NSA,” McConnell wrote in The Washington Post in the spring, “is the only agency in the United States with the legal authority, oversight and budget dedicated to breaking the codes and understanding the capabilities and intentions of potential enemies.”
One obvious question is: Why? Why should the NSA be the only U.S. outfit with so much talent and authority? The new Cyber Command unit takes orders from the NSA; it’s housed in the same building in Fort Meade, Md. If L.A.’s Department of Water and Power came down with a Stuxnet-style infection and requested help from experts at the NSA and Cyber Command, then by all means there should be a legal path for the president to provide the help. But why should he have no other choice? That’s like saying we need the CIA to spy on Americans because we forgot to establish the FBI.
The solution in other nations with new military cybercommand centers is — naturally enough — to keep separate agencies responsible for domestic and foreign trouble. Last year in Germany, a controversy flared up over the so-called “BSI law,” which would let an agency skim domestic e-mail the way Einstein 2 and 3 do in America. Smart Germans complained the skimming would elevate the BSI, or “Federal Agency for IT Security,” to an intelligence-gathering bureau.
“What is this about?” one remarked trenchantly on an IT news site in January 2009. “The BSI as intelligence agency? I thought they were responsible for data protection. I don’t understand.”
He was lucky enough to be complaining about a domestic agency — separate in geography as well as law from the bunker full of military hackers outside Bonn. The offices are kept separate in Germany because of a keen cultural memory of military-state surveillance. In America, for now, they’re the same thing.