The private sector’s distrust of the National Security Agency following domestic spying revelations could undermine efforts to secure systems running utilities and other vital U.S. industries, former federal civilian and military officials say.
NSA, maker of arguably the best encryption tools to protect data, now is attracting more attention for decrypting everyone else’s data, after disclosures by ex-NSA contractor Edward Snowden of massive Internet surveillance.
"NSA has postured itself as a neutral arbiter who could provide these capabilities to the private sector and really didn't necessarily want much in return," said Christopher Finan, a former White House and Pentagon official who, until July, was involved in a Defense Department cyber offense research program called Plan X. "I don’t know if they can present themselves as the same honest broker now that we’re seeing the enormous quantities of data that they are actually taking in."
Traditionally, private industry has counted on NSA's cybersecurity expertise for incident response, even though a 2003 presidential directive assigned the Homeland Security Department the primary job of securing key U.S. sectors.
Now, many of those critical infrastructure firms might shun any government help, former officials said. Going forward, private cyber forensics firms and nonprofit research institutes could see increased demand.
"Part of the fallout from the NSA revelations is that the private sector has somewhat less confidence in government to manage its information and its networks. I think that neither DHS nor DoD grow in stature in the eyes of industry because government, generally, is viewed with increased scrutiny,” said Alec Ross, a former senior State Department Internet policy adviser for the Obama administration.
He added, “Ironically, any decreased confidence in government by industry comes in no small measure because of wariness of government contractors. The fact that such a screwed up kid as Edward Snowden was able to access extremely sensitive content does not build confidence."
James Lewis, a fellow at the Center for Strategic and International Studies who advises agencies and Congress on cybersecurity, said there definitely will be reluctance to turn to NSA for protection -- and that is unfortunate.
The degree of government involvement in regulating cybersecurity and facilitating the exchange of information about threats will remain status quo, he said. "If anything we’re just a little further back because NSA playing a larger role is definitely out of the question, but that doesn't mean that we’ll do something else. It just that it means that we’ll do less of what we’re doing now."
Cybersecurity legislation, which had been under negotiation for years, now is on indefinite hold because floor debate would hyperfocus on NSA to the detriment of everything else, most cyber observers say.
It might be a good time for Homeland Security to step up and assume the cyber leadership it was granted a decade ago, Finan said.
Is DHS ready for the challenge?
Former McAfee executive Phyllis Schneck this month will take over as the second-ever DHS cyber chief with the title deputy undersecretary for cyber, following the departure of Mark Weatherford, who served for a year-and-a-half before becoming a private consultant.
"I think DHS is well postured to assist the private sector as an agency that can coordinate across the interagency and critical infrastructure sectors, and serve as a clearinghouse for aggregated cybersecurity threat information without the stigma of intrusive data collection and retention efforts,” Finan said. “I also think there are some really talented cybersecurity people in DHS and the team there keeps getting stronger. Companies are going to want to work with them because they're good.”
Some government advisers suggest industry will wait and see what department personnel can offer. Lewis said, "The problem for them is, what cards do they have to put on the table? And the card, ‘We’re not NSA’ -- somehow that’s not going to be enough.”
Homeland Security officials say, every day, they actively collaborate and share information with public and private sector organizations.
During the past four and a half years, "cybersecurity has emerged as a top priority for the Department of Homeland Security in our efforts to secure unclassified federal civilian government networks, work with critical infrastructure owners and operators, combat cybercrime, build a national capacity to promote responsible cyber behavior and cultivate the next generation of frontline cybersecurity professionals -- while keeping a steady focus on safeguarding the public’s privacy, civil rights and civil liberties," DHS spokesman SY Lee said. A 24-hour DHS-led crisis center called the National Cybersecurity & Communications Integration Center has responded to almost half a million incident reports since 2009, he added.
NSA, for its part, continues to share intelligence on computer vulnerabilities with companies, agency officials say. "We believe NSA has not lost any credibility as a neutral arbiter and technical capability adviser. We continue to partner with federal organizations, private industry and academia," NSA spokeswoman Vanee Vines said.
Before Snowden revealed secret data to the press, the intelligence community, including NSA, had publicly discussed the challenge of protecting critical networks from such insider threats, she noted. Previous and ongoing intelligencewide initiatives "will provide for greater granularity of data access control -- supported with strong cryptographic enforcement," Vines said, adding the activities also will improve oversight. "These initiatives were in place before the media leaks occurred, and our commitment has not changed."
Attacks against the private sector will persist, and companies that appreciate working with the government to thwart hackers will keep on going to the NSA for technical assistance, said Jacob Olcott, a former cybersecurity aide for Sen. John D. Rockefeller IV, D-W.V., chairman of the Commerce Committee. "I do not see that there will be any significant change in the way that they want to work with NSA in the future because the NSA is still very good at what they are doing... NSA is not losing its capabilities anytime soon," added Olcott, now a principal at Good Harbor Security Risk Management.
That said, there are lots of other businesses that conduct cyber forensics and incident response, such as CrowdStrike and Mandiant. "Will those companies see increased revenue because companies having to respond to crises do not want to work with the NSA anymore? Yes," he said.
There’s also been discussion of a national or international nongovernment organization acting as an exchange for cyber information and support, perhaps the SANS Institute, which is a research and education center.
"Certainly I think third parties like SANS are only going to increase in credibility as compared to the government which I do believe has lost some credibility with the people as a neutral arbiter and technical capability provider when it’s been very clear that there is this enormous amount of data that the government is actively seeking to collect, for better or worse,” Finan said.
This story has been updated for precision.