NSA chief seeks more data from private sector in sharing offer
While some experts welcome the move, another sees it as a Trojan horse for more access to Americans' communications
September 26, 2013 — CSO — Gen. Keith Alexander, head of the embattled National Security Agency (NSA), says he is willing to share cyberattack information with the private sector -- an offer seen as a Trojan horse by at least one expert.
On Wednesday, Alexander told attendees of his keynote at the Billington Cybersecurity Summit that the NSA, the FBI, the Department of Homeland Security (DHS) and the CIA are ready to pass information back and forth with a select group of private organizations, provided they get the authorization from Congress.
"We need the authority for us to share with them and them to share with us," Alexander said, reported Kaspersky Labs' ThreatPost security website.
Alexander's comments came a day after U.S. Sen. Dianne Feinstein, chairwoman of the Senate Intelligence Committee, told The Hill newspaper that she planned to move forward with a draft of the Senate's version of the Cyber Intelligence Sharing and Protection Act (CISPA). The House version passed in April.
In general, CISPA would remove the threat of privacy lawsuits companies face in sharing cyberattack data with each other and the government. The legislation would also set the rules for the government to share sensitive information.
Most experts agree that information sharing would bolster the defenses of the nation's financial institutions and critical infrastructure providers, such as utilities, water facilities and oil and gas pipelines. The disagreement is over how the transfer of data to the government can be done without compromising privacy.
Revelations of massive NSA data gathering from telecom and Internet companies has sparked a fierce national debate on whether the spy agency's antiterrorism activities have gone too far in collecting information on innocent Americans.
In claiming the NSA has done nothing illegal, Alexander blamed calls from Capitol Hill to restrict government surveillance on "sensationalized" reporting and "media leaks," Politico reported from he said in his speech.
[Also see: CISPA enjoys wide backing from enterprises]
Instead of less information, the NSA needs more from the private sector to stop cyberattacks against key industries before they start. "Right now, what happens is the attack goes on and we're brought in after the fact," ThreatPost reports Alexander as saying. "And I can guarantee you 100 percent of the time we cannot stop and attack after the fact."
However, Jerry Brito, senior research fellow with the Mercatus Center at George Mason University, said the NSA already had the authority to share data if it really wanted to. The agency could declassify information on its own and pass it along to companies.
"There's nothing stopping them today from sharing data from the NSA to these companies," said Brito, who heads Mercatus' Technology Policy Program. "What they really want is more information about the communications of Americans under the rubric of cybersecurity information sharing."
Kevin Coleman, strategic management consultant at SilverRhino, was supportive of Alexander, saying information from the NSA and other federal agencies would help companies take the "proactive approach" needed to improve their cyberdefenses.
"This is a great step forward and if properly used by the nation's critical infrastructure providers will substantially improve their ability to defend against cyber threats that are growing in frequency and complexity," Coleman said. SilverRhino provides cybersecurity services to government agencies.
Alexander defended U.S. Internet companies including Google, Facebook and Microsoft, whose images have been tainted by media reports of them sharing user information with the NSA. While referring to the companies only as the "industry," he said they "have taken a beating on this, and it's wrong."
Read more about data privacy in CSOonline's Data Privacy section.
Other stories by Antone Gonsalves