Does NSA's cybersecurity mission extend to the dot-com domain?

The National Security Agency appears to be suffering a case of mission creep.

For years, NSA, the Defense Department’s lead agency for information gathering and protection, has said that it has its hands full with protecting military networks and has no interest in networks outside the .mil domain. The .gov domain is the responsibility of Homeland Security, NSA said, and the .com and other private-sector domains are the responsibility of the private sector, with DHS help.

Of course, NSA would also be willing to lend a hand if needed, but it has no direct responsibility for non-military networks.

These statements have been taken with a grain of salt by many in the security world, especially with the revelation of wholesale illegal wiretaps that were discovered sweeping up traffic from commercial networks during the Bush administration. Now, DOD is admitting the obvious by saying that its interests extend beyond .mil.

“The military networks do not exist in a vacuum,” Deputy Defense Secretary William Lynn said last week in outlining DOD’s strategy for defending against and responding to cyberattacks. The third pillar of that strategy is to extend DOD protection to critical infrastructure in the civilian government and private sectors. “We cannot just protect only the .mil world.”

Related stories:

The cyberattacks that awakened the Pentagon

NSA Perfect Citizen program sparks Big Brother fears

DHS is the lead agency in this civilian mission, Lynn said. Asked how far NSA is prepared to go in defending civilian critical infrastructure, he reiterated that DHS would call the shots. “We would follow the Homeland Security [Department's] lead,” he said.

It is hard to imagine NSA sitting back during a crisis and waiting for orders from the same department that was responsible for the government’s response to Hurricane Katrina. DHS simply does not have the expertise or the authority to effectively defend critical infrastructure within the .gov domain, let alone in the much larger .com and other private-sector domains.

This is not necessarily DHS' fault. The nation does not have an overarching policy or strategy for defending an unregulated, decentralized but interconnected critical infrastructure. Each entity is expected to be responsible for protecting those segments of the infrastructure it controls, but outside of government there are few standards that must be met or best practices to be implemented. Even within government, DHS is not equipped to audit and monitor agency compliance, enforce regulations or respond to incidents.

NSA and DOD’s new U.S. Cyber Command are the government’s most effective and powerful federal cybersecurity actors, said Paul Rosenzweig, former deputy assistant secretary for policy at DHS and now a visiting fellow at the Heritage Foundation’s Center for Legal and Judicial Studies. If other provisions are not made to establish a framework of authority and responsibility for protecting critical infrastructure, they will fill the power vacuum with military or pseudo-military control, Rosenzweig warned during a recent discussion on cybersecurity.

Proposals already have surfaced calling for NSA to establish monitoring capabilities within Internet service providers in order to extend its protection to defense contractors in the dot-com domain.

Arguments can be made whether or not NSA should have the job of protecting our civilian critical infrastructure. Many security experts and civil libertarians would argue that this job should not be given to an agency cloaked in secrecy and with a record of surveillance abuses. But absent another agency with the authority and responsibility to do the job, we can expect DOD and NSA to become the de facto defenders of our networks.