Nationwide ‘Suspicious Activity’ Files Now Document Sketchy Online Activity

A view of the National Cybersecurity and Communications Integration Center in Arlington, Va., Tuesday, Jan. 13, 2015. Evan Vucci/AP

The post-9/11 counterterrorism surveillance program is now collecting reports of suspicious activity across the Internet.

In April 2013, an intrusion at the PG&E power substation in Silicon Valley knocked out local 911 services and cell phone service in the area. A team of gunmen who opened fire at the plant late at night and damaged 17 transformers was to blame.

But an intelligence community program manager warns that a hack attack could possibly have had the same effect.

Now, a counterterrorism surveillance program that logs reports of suspicious behavior from spots across the country is also documenting reports of suspicious activity across the Internet. 

The director of national intelligence in 2008 stood up the "suspicious activity reporting," or SAR, program as a post-Sept. 11 national security initiative. Authorities were trained to monitor for certain behaviors at airports, train stations and large events that might indicate a security threat. Local authorities currently send reports of sketchy behavior to Department of Homeland Security-funded, regional fusion centers, where analysts make sense of the narratives.

Today, as physical systems become connected to the Internet of Things, and federal watchdogs warn of plane hacking, authorities also are filing suspicious online activity reports.

"Just south of San Jose, a high-power transformer was shot at by somebody with a rifle, and it caused a power failure," said Kshemendra Paul, program manager of the DNI Information Sharing Environment, in an interview with Nextgov. "That same equipment can potentially be SCADA-controlled over the Internet, or vulnerable to cyber outages, so they need to have an integrated view" of threats, he said, referring to supervisory control and data acquisition systems that control industrial operations. 

At fusion centers in New Jersey and Missouri, among other locales, physical security experts are comparing notes with cybersecurity engineers. 

"They have crime analysts, cyber analysts, terrorism analysts. They are all working together," Paul said. "Think about it. You have a threat to critical infrastructure: Is it a traditional physical threat? Is it a cyber threat? You want to have an integrated view of the threats and be effectively able to collaborate." 

The suspicious cyber activity reporting system is operational, he said. Partners include the DHS National Cybersecurity and Communications Integration Center and the nonprofit Multi-State Information Sharing and Analysis Center. 

"We're talking about dozens to hundreds of analysts that have gone through training" across the networks, at the Secret Service or the FBI, he said. "DHS is sharing lots of products."

Meanwhile, the Senate as early as this week could debate the Cybersecurity Information Sharing Act, a bill that would make it easier for businesses to exchange, with the government, details about hacks. The data divulged could include customer IP addresses, email headers, timestamps and other metadata that amount to "indicators" of a particular threat -- but also amount to too much personal information in the eyes of privacy advocates. 

Civil rights groups generally oppose the cyber information-sharing legislation for this reason. And they have consistently depicted suspicious activity reporting as a tactic that nets more innocents than terrorist leads. In 2014, the American Civil Liberties Union sued the government, arguing the program places people on watchlists for merely taking photos of tourist sites and other harmless behavior. 

A 'Flood of Useless Information?'

According to a September 2015 DNI Information Sharing Environment report to Congress, there is a greater need to use tools for sharing cyber information across institutions as malicious digital activity increases. One such tool is the "Cyber Integration for Fusion Centers," a guidebook released in May for state intelligence facilities on how to characterize cyber threats while still protecting privacy. 

At fusion centers, cyber information consists of indicators, IP addresses, domains, aliases, and file hashes, according to the guidelines. 

Whether a particular cyber suspicious activity report "is linked to terrorism and subject to being shared" depends on how analysts apply their training, the strategy states. Factors that need to be considered in making that call include the targeted IT infrastructure, likely consequences and historical background.

Decision-making also takes into account civil liberties.

"The same privacy policies that govern information sharing against terrorism -- work for cybersecurity-related information sharing," Paul said. "That's a big win for transparency" because the rules have been in place for years, and "analysts, operators and investigators are trained on them. There are compliance audits and performance metrics." 

But ACLU officials seem unconvinced that suspicious cyber reporting will preserve constitutional rights.

"The low threshold for reporting SARs that let loose a flood of useless information on innocent or First Amendment-protected conduct will also result in the reporting of cyber activity that is either innocuous or protected," said Hugh Handeyside, staff attorney for the ACLU National Security Project. "The targets of those SARs will likely be subject to intrusive surveillance and monitoring, even if the government lacks reasonable suspicion that they are involved in any criminal activity."

The new tool offers a three-page instruction sheet on how to label the severity of cyberspace incidents. 

Some of the directions:

  • A "significant incident" would be a situation likely to impact public safety, national security, economic security, foreign relations, privacy or public confidence. An "emergency incident" would pose an "imminent threat" to large-scale critical infrastructure, the stability of the U.S. government, or people's lives. 
  • If the target of the threat is a small business, that episode would rank as a low-security-level situation, whereas a hack aimed at a United Nations special event would be a high-security-level episode.
  • The defacing of a website or knocking a website offline with a denial-of-service attack would be of lower consequence than a hack that inflicts damage in the real world or steals data.
  • Foreign policy issues factor into the description of the attacker. If it is an ally who is compromising U.S. information, that intruder would be called a low-threat actor. A dramatic change in a foreign country's intentions would be considered a high-threat adversary.