8 June 2015

Experts: NSA efforts part of the battle in cyber-proxy war


Elizabeth Weise

SAN FRANCISCO — The United States is engaged in a proxy war with its enemies, a war where cyber-space is the battlefield, cyber experts say.

Because of that, the National Security Agency's expansion of warrantless surveillance of American's international Internet traffic is necessary, said Tom Kellermann, chief cybersecurity officer with Trend Micro, a Texas-based computer security company.

"Let's be fair. The National Security Agency's role is to protect national security. This is not about violating American's privacy, this is about spy hunting," Kellermann said.

The revelation Thursday of NSA's broad program to scoop up Americans' Internet activities coincided with the government's disclosure that Chinese hackers had breached the computer system of the Office of Personnel Management, potentially compromising the data of 4 million current and former federal workers.

"The cyber civilization of the United States is being undermined, not just by criminal hackers but also by nation-states that have literally burrowed into our companies, our cities and our networks," Kellerman said.

The type of proactive surveillance the NSA was conducting is crucial, according to Jasper Graham, vice president for cybertechnology and analytics with Darktrace, a Washington, D.C.-based cyber-security firm.

"Sometimes hunting is the only way you can catch people. Otherwise you're always in response mode, waiting for something to strike you," said Graham, who worked as a technical director at NSA for 15 years.

Black-and-white distinction between criminal hackers and the intelligence wings of other countries can be difficult to make. It's common in some nations for hackers to be allowed to operate with impunity as long as they don't hack anything within their own country, experts say. They're also expected to share information they come across that might be useful to their nation, and to be "patriotic" and aid the state when called upon, Kellerman said.

Intrusions often have multiple targets and happen on multiple levels. Graham offered a hypothetical example: If a government wanted information about specific types of employees at the Defense Department, it could hire or encourage a hacking group to attack a financial institution or health care system in the Washington, D. C., area. That would get them personal information about hundreds of thousands of individuals, some of whom may work at the Defense Department.

"They're hiding one attack in the noise of another, and everybody writes it off as cyber-crime," Graham said.

That's where looking at hacking activity broadly can pay off, Graham said. "You don't know until you work your way up the food chain if they're working independently or they're a small hacking group working with a government."

For Herbert Lin, a Stanford University cyber-policy expert, whether the NSA program was an effective strategy for detecting and stopping hacking by foreign governments is the wrong question.

"The question is really if the NSA program was helpful enough that it is worth the expense and the cost," Lin said. "Personally I wish we didn't have to do it, but I think it's an understandable response" given the current threat environment, he said.

Other experts have their doubts about whether the NSA program is helpful.

"One need only open up a newspaper" to see that it's not working, said Amit Yoran, CEO of the computer security company RSA.

The needs of the intelligence and law enforcement communities are often at odds with what businesses want and need, he said.

"Intelligence wants to monitor, to learn about the threat and how they work. Law enforcement wants to collect information so they can prosecute," Yoran said.

Victims of hacks want to rush in and clean up their system. "So there's a very powerful divide," he said.

In the end, he said, "if you were serious about protecting the United States from these external cyber threats, then absolutely this is the sort of thing you'd consider doing."

While Yoran doesn't think the potential ethical issues represent "a serious compromise," he knows that others might come to different conclusions if they don't trust the U.S. government to do what's right.

"If you fundamentally don't trust, you fundamentally don't trust. I can't prove a negative," he said.

For privacy advocate Marc Rotenberg, with the Electronic Privacy Information Center inWashington D.C., trust and oversight form the crux of the matter.

"The cost of government secrecy will always be the lack of public trust," he said. "In the absence of meaningful oversight, the NSA will push its surveillance authority beyond what the law allows."

No comments: