Opinion | There's a Big Gap in Our Cyber Defenses. Here's How to Close It. – POLITICO

Posted: April 21, 2021 at 9:42 am

The problem is well known. The difficulty lies in resolving deeply felt concerns over any increase in government surveillance authority, no matter how important the purpose. We are also paralyzed by a sense of fatalism that cyber vulnerabilities are simply the price we pay for being online, and an erroneous belief that the Constitution stands in the way of any solution.

Most cybersecurity experts agree an effective public-private cyber information-sharing system is essential in stopping foreign cyber maliciousness before it causes too much damage. But information sharing isn't enough; it would be hamstrung from the start if the government cannot seamlessly and quickly track malicious cyber activity from its foreign source to its intended domestic victims. If some government agency had that legal power, then it could, for example, quickly check out a domestic IP address after an alert from the NSA that the address was communicating with a suspicious overseas server. If that IP address showed questionable activity, the government and the private sector jointly could take steps to reconfigure firewalls or otherwise curtail the hack. Admittedly, this wouldn't prevent hacks and attacks that were based on previously unknown software bugs (so-called zero-day exploits). But the reality is that most large-scale hacks by foreign countries rely on already known software imperfections and hardware deficiencies.

The issue is that almost any kind of domestic cyber inspection, even in hot pursuit of a foreign adversary, would be considered a search within the Constitution's Fourth Amendment, which requires searches and seizures by the government to be not unreasonable and in many (but by no means all) cases to be based on a search warrant issued by a judge. The notion that searches could possibly be electronic was of course not in the framers' minds when adopting the amendment in 1792, but the reasonableness standard has allowed courts over the years to apply it to new techniques and technologies, including cyber surveillance.

To track foreign cyber malevolence in a new domestic legal framework, we would need a cyber monitoring capability that was so limited and safeguarded that it didn't trigger the Constitution's warrant requirement. The judicial cases tell us this should be possible. After all, for over half a century, courts have approved a range of not unreasonable warrantless electronic surveillance under the Fourth Amendment, taking into account various subjective factors, including the exigency of the surveillance, whether the information had already been revealed to third parties, the level of personal sensitivity of the data, whether the surveillance is broad or tailored, how likely it is that information about nontargets will be scooped up in the surveillance, and whether there are effective oversight mechanisms.

Like a property owner who has put up a fence a few feet inside his property line just to be safe, Congress has established more restrictive structures and rules in our current system than what the Constitution would require for reasonable, warrantless monitoring. The task is to see whether a legislative solution can be crafted in that intervening space. The goal is to not change the property line; there should be no weakening of the Fourth Amendment's limits.

Here's what an effective new legal authority, fully consistent with the Constitution, might look like:

Any domestic inspection or monitoring would be expressly limited by the type of both target and information collected. It would be restricted to specifically identified IP addresses or other communications equipment located in the United States that was linked (by the U.S. intelligence community or the FBI) to a foreign person or country suspected of specific cyber wrongdoing. No other targets could be examined; there would be no bulk or indiscriminate collection of data. The activity might be limited to simply a traffic analysis, seeing which U.S. or foreign IP addresses were communicating with the target, or examining its logbook to look at historic connections. The government would not be allowed to look at emails or otherwise collect the substance of communications, except in the rare case (perhaps with additional approvals) when it was actually necessary for cybersecurity purposes.

Internal governmental approvals would be needed, with a senior official certifying the underlying facts as to why the domestic inspection was required. The requirement would depend on the circumstances, but would need to be explicit. For example, there could be evidence that a server known to be controlled by a foreign nation was communicating with a U.S. IP address, or that certain malware or techniques that the intelligence community knew were unique to foreign cyber malefactors were being tracked to U.S. internet servers.

Housing the legal authority in the FBI, rather than the NSA, might make sense. The countries with values closest to ours, such as the United Kingdom, Australia, Canada and New Zealand, have all placed their domestic cyber monitoring authorities within their foreign signals intelligence agencies (or in new affiliates). Locating this new legal authority in the NSA would follow that pattern, but the political reality is that this would be problematic. The FBI, which sits within the Department of Justice and already investigates malicious foreign cyber activity, seems like a logical and acceptable alternative. Whichever agency is chosen, a governmental partnership is critical, with the NSA supplying technical expertise and foreign intelligence insights, the FBI bringing its longtime relationships with internet service providers and other communications infrastructure owners, and the Department of Homeland Security assisting with coordination and communications with the private sector, which should be equally engaged in the process.

The domestic monitoring would be limited in time. After an initial period of 72 hours, the monitoring should end, unless further corroborating information or a demonstrated need to do deeper analysis warranted a limited extension.

The resulting data could be used by the government only for cybersecurity purposes. Those purposes would, however, include thorough investigation into exactly what the foreign cyber malefactor did and with whom it was in contact. The data would have to be deleted after some period and couldn't be searched for general foreign intelligence or law enforcement purposes, or shared with other government agencies (presumably with some limited exceptions such as discovery of actual evidence of a federal crime).

Oversight should be required and modeled on the largely successful compliance scheme for the Foreign Intelligence Surveillance Act. For example, the attorney general or the Foreign Intelligence Surveillance Court could receive periodic reports of the legal authority's use and audit the activity, and the Privacy and Civil Liberties Oversight Board could independently verify compliance. DHS could consult with the private sector and issue annual assessments of whether the authority was indeed effective in curtailing cyber hacks and attacks.

The private sector will be required to cooperate, and not simply shut down suspect accounts. Any meaningful understanding of compromised domestic networks will likely require the assistance of owners of the affected servers or cloud service providers, so they should be required under this new legal authority to cooperate with the government, much like the way telephone companies are obligated under current law to assist the FBI with lawful wiretaps.

This proposal is by no means the only solution; it's merely one way to balance the need for more cyber visibility while preserving our constitutional freedoms. After all, the Constitution is designed to protect our liberties, not to provide authoritarian regimes with no use for such liberties a means to exploit our vital online systems with virtual impunity.
