CYBEREYE

Does NSA's cybersecurity mission extend to the dot-com domain?

Interrelated nature of Internet leads DOD security arm outside of military networks

The National Security Agency appears to be suffering a case of mission creep.

For years, NSA, the Defense Department’s lead agency for information gathering and protection, has said that it has its hands full with protecting military networks and has no interest in networks outside the .mil domain. The .gov domain is the responsibility of Homeland Security, NSA said, and the .com and other private-sector domains are the responsibility of the private sector, with DHS help.

Of course, NSA would also be willing to lend a hand if needed, but it has no direct responsibility for non-military networks.

These statements have been taken with a grain of salt by many in the security world, especially with the revelation of wholesale illegal wiretaps that were discovered sweeping up traffic from commercial networks during the Bush administration. Now, DOD is admitting the obvious by saying that its interests extend beyond .mil.

“The military networks do not exist in a vacuum,” Deputy Defense Secretary William Lynn said last week in outlining DOD’s strategy for defending against and responding to cyberattacks. The third pillar of that strategy is to extend DOD protection to critical infrastructure in the civilian government and private sectors. “We cannot just protect only the .mil world.”


Related stories:

The cyberattacks that awakened the Pentagon

NSA Perfect Citizen program sparks Big Brother fears


DHS is the lead agency in this civilian mission, Lynn said. Asked how far NSA is prepared to go in defending civilian critical infrastructure, he reiterated that DHS would call the shots. “We would follow the Homeland Security [Department's] lead,” he said.

It is hard to imagine NSA sitting back during a crisis and waiting for orders from the same department that was responsible for the government’s response to Hurricane Katrina. DHS simply does not have the expertise or the authority to effectively defend critical infrastructure within the .gov domain, let alone in the much larger .com and other private-sector domains.

This is not necessarily DHS' fault. The nation does not have an overarching policy or strategy for defending an unregulated, decentralized but interconnected critical infrastructure. Each entity is expected to be responsible for protecting those segments of the infrastructure it controls, but outside of government there are few standards that must be met or best practices to be implemented. Even within government, DHS is not equipped to audit and monitor agency compliance, enforce regulations or respond to incidents.

NSA and DOD’s new U.S. Cyber Command are the government’s most effective and powerful federal cybersecurity actors, said Paul Rosenzweig, former deputy assistant secretary for policy at DHS and now a visiting fellow at the Heritage Foundation’s Center for Legal and Judicial Studies. If other provisions are not made to establish a framework of authority and responsibility for protecting critical infrastructure, they will fill the power vacuum with military or pseudo-military control, Rosenzweig warned during a recent discussion on cybersecurity.

Proposals already have surfaced calling for NSA to establish monitoring capabilities within Internet service providers in order to extend its protection to defense contractors in the dot-com domain.

Arguments can be made whether or not NSA should have the job of protecting our civilian critical infrastructure. Many security experts and civil libertarians would argue that this job should not be given to an agency cloaked in secrecy and with a record of surveillance abuses. But absent another agency with the authority and responsibility to do the job, we can expect DOD and NSA to become the de facto defenders of our networks.

About the Author

William Jackson is a Maryland-based freelance writer.

Featured

  • Congress
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    Jim Langevin's view from the Hill

    As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

  • Comment
    Pilot Class. The author and Barbie Flowers are first row third and second from right, respectively.

    How VA is disrupting tech delivery

    A former Digital Service specialist at the Department of Veterans Affairs explains efforts to transition government from a legacy "project" approach to a more user-centered "product" method.

  • Cloud
    cloud migration

    DHS cloud push comes with complications

    A pressing data center closure schedule and an ensuing scramble to move applications means that some Homeland Security components might need more than one hop to get to the cloud.

Stay Connected

FCW INSIDER

Sign up for our newsletter.

I agree to this site's Privacy Policy.