No Domestic Surveillance Authorities Needed, NSA Director Reiterates

National Security Agency and U.S. Cyber Command leader Gen. Paul Nakasone reiterated that he is not looking for new legal authorities for either organization to search for hacks within the United States during a hearing Wednesday before the Senate Select Committee on Intelligence.

The Worldwide Threats hearing was the first in more than two years and covered an array of issues including Afghanistan, domestic violent extremism, 5G and cybersecurity. As in previous hearings, Nakasone remained adamant that he wants to keep the focus of NSA on external threats, and he and other intelligence community leaders, including FBI Director Christopher Wray, emphasized public-private partnerships as the primary solution to “blind spots” in the U.S. cyber posture. 

“I'm not seeking legal authorities either for NSA, for U.S. Cyber Command,” Nakasone said. “My intent in my discussions has always been, though, is to state that with an adversary that has increased its scope, scale and sophistication, we have to understand that there are blind spots in our nation today.”

Those blind spots include critical infrastructure, which Wray noted is controlled primarily by private industry in the U.S. But neither NSA nor Cyber Command can surveil domestically, and the FBI needs warrants in order to do so. 

For Wray and Nakasone, the logical solution is for greater ties between the government and industry, particularly with respect to notification when cyber activity is detected. The SolarWinds hack that affected multiple federal agencies was discovered after cybersecurity firm FireEye told the government it had been hacked. 

But Sen. Ron Wyden, D-Ore., said he was “deeply concerned” about suggestions that the government’s ability to detect and respond to the SolarWinds intrusion was hampered by the need to get a warrant before conducting surveillance of the domestic internet because the government already has the ability to monitor everything happening on its own networks. 

“And yet the hacking of nine federal agencies somehow went unnoticed,” Wyden said. 

Wyden added he believes the U.S. government needs to look up ways to “shore up our own house first” before looking into new authorities that may represent a greater threat to privacy and civil liberties. 

Wray also told senators he viewed the proposal from the Cyberspace Solarium Commission of a law requiring notification when companies suffer data breaches with enthusiasm. 

“One company reaching out to us promptly after they've been compromised means that all the rest of the companies that are likely to be the next ones hit, we might be able to get in front of it,” Wray said. “And so if you think about the scale of the dots that are in the private sector that's why I think that's the piece of this. It doesn't mean that there aren't other tweaks here and there in terms of authorities, administrative subpoena authority, things like that, but ultimately for the United States, which doesn't have state-owned enterprises all over the place to protect against this problem, we really have to solve this public-private partnership issue.”