More Surveillance Isn’t the Answer to the SolarWinds Hack
An extensive hacking campaign, purportedly conducted by Russian hackers, has infected the computer systems of numerous U.S. government agencies, critical infrastructure companies, and other businesses that were running an insecure version of network management software distributed by the SolarWinds company. The widespread hack went undetected for months. Predictably, in response to the hack, current and former government officials are putting out feelers to gauge public receptivity to a favorite, all-purpose, government go-to proposal: more surveillance.
The head of the National Security Agency and Cyber Command, General Paul Nakasone, has asserted that the U.S. was handicapped in finding malicious traffic on government systems because intelligence agencies cannot liberally conduct warrantless surveillance on domestic networks. Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger has claimed that respecting privacy rights enables hackers who launch attacks from inside the United States. And Glenn Gerstell, former general counsel for the NSA, has suggested that Congress should give the agency new authority to comb through domestic networks when there’s suspected foreign activity.
We don’t need even more surveillance. The existing surveillance apparatus is already expansive and especially dangerous to communities of color, Muslims, and immigrants. What we do need is for government agencies to stop making excuses and get their own security practices in order. Why should we believe that even more spying on the public internet will help uncover attacks when the government failed to find and catch the hackers on its own sensitive networks? Experts say more spying isn’t the answer. As Katie Moussouris, founder and CEO of Luta Security, points out, “The NSA capabilities failed to detect [the attack] in government systems where they’re supposed to be looking.” She’s right. The problem isn’t that the government needs the power to roam through private networks, but that it needs to look more closely at its own systems. The call is coming from inside the house.
The overarching problem is weaknesses in the government’s own cybersecurity practices. For example, its multi-billion-dollar Einstein system scans network traffic for known malicious activity, but isn’t designed to detect previously unknown malware, such as the trusted-but-backdoored SolarWinds code. The Government Accountability Office pointed this out along with other problems with Einstein as far back as 2016, but the problems haven’t been fixed. Federal agencies aren’t taking basic security precautions or managing security risks posed by compromises of the companies they do business with. This and other weaknesses in the government’s network defenses have been identified for years.
The problem isn’t that NSA’s network defense activities stop once an attacker moves the operation entirely inside the United States. There is already substantial collaboration between federal agencies on domestic cybersecurity. The Department of Homeland Security already has authority to combat cybersecurity attacks on domestic networks in coordination and collaboration with the private companies that operate those networks, using information provided by the NSA under its existing surveillance programs.
Nor is the problem inadequate surveillance, considering how much surveillance the government already does. According to news reports, the NSA has attempted to intercept Microsoft’s data center traffic. The agency also secretly broke into the main communications links that connect Yahoo and Google data centers around the world. These are just two examples, hardly the entire output of the NSA’s network attack team, called the Tailored Access Operations unit.
Nor have surveillance proponents convincingly made the case that the government should be entrusted with even more spying powers. History shows that laws meant to regulate foreign intelligence collection are typically broad and vague — and therefore prone to abuse. The government’s interpretations of its power are rarely reviewed by a judge, never mind by Congress or the public. The U.S. government has repeatedly exploited legal ambiguities like these. Rather than go to courts or Congress to ask permission for novel surveillance techniques or programs, intelligence agencies have usually assumed that anything not expressly prohibited is allowed. They have concocted justifications in secret for programs they wanted to pursue — such as the now-defunct Section 215 phone record dragnet and bulk collection of Americans’ internet traffic — and then pursued those policies, preferring to ask for forgiveness rather than permission. That is assuming they are ever caught.
Against the fledgling cries for increased surveillance, the Biden administration reportedly does not currently plan to ask Congress for new cybersecurity authorities. Hopefully that is because the administration realizes that it needs to dramatically improve the country’s network defenses using all the powerful tools already at its disposal. Our response to the “more surveillance” trial balloons should be “no.” The American public should not be seduced by this false, dangerous promise.