Nationwide ‘Suspicious Activity’ Files Now Document Sketchy Online Activity

A view of the National Cybersecurity and Communications Integration Center in Arlington, Va., Tuesday, Jan. 13, 2015. Evan Vucci/AP

The post-9/11 counterterrorism surveillance program is now collecting reports of suspicious activity across the Internet.

In April 2013, an intrusion at the PG&E power substation in Silicon Valley knocked out local 911 services and cell phone service in the area. A team of gunmen who opened fire at the plant late at night and damaged 17 transformers was to blame.

But an intelligence community program manager warns a hack attack possibly could have had the same effect. 

Now, a counterterrorism surveillance program that logs reports of suspicious behavior from spots across the country is also documenting reports of suspicious activity across the Internet. 

The director of national intelligence in 2008 stood up the "suspicious activity reporting," or SAR, program as a post-Sept. 11 national security initiative. Authorities were trained to monitor for certain behaviors at airports, train stations and large events that might indicate a security threat. Local authorities currently send reports of sketchy behavior to Department of Homeland Security-funded, regional fusion centers, where analysts make sense of the narratives.

Today, as physical systems become connected to the Internet of Things, and federal watchdogs warn of plane hacking, authorities also are filing suspicious online activity reports.

"Just south of San Jose, a high-power transformer was shot at by somebody with a rifle, and it caused a power failure," said Kshemendra Paul, program manager of the DNI Information Sharing Environment, in an interview with Nextgov. "That same equipment can potentially be SCADA-controlled over the Internet, or vulnerable to cyber outages, so they need to have an integrated view" of threats, he said, referring to supervisory control and data acquisition systems that control industrial operations. 

At fusion centers in New Jersey and Missouri, among other locales, physical security experts are comparing notes with cybersecurity engineers. 

"They have crime analysts, cyber analysts, terrorism analysts. They are all working together," Paul said. "Think about it. You have a threat to critical infrastructure: Is it a traditional physical threat? Is it a cyber threat? You want to have an integrated view of the threats and be effectively able to collaborate." 

The suspicious cyber activity reporting system is operational, he said. Partners include the DHS National Cybersecurity and Communications Integration Center and the nonprofit Multi-State Information Sharing and Analysis Center. 

"We're talking about dozens to hundreds of analysts that have gone through training" across the networks, at the Secret Service or the FBI, he said. "DHS is sharing lots of products."

Meanwhile, the Senate as early as this week could debate the Cybersecurity Information Sharing Act, a bill that would make it easier for businesses to exchange, with the government, details about hacks. The data divulged could include customer IP addresses, email headers, timestamps and other metadata that amount to "indicators" of a particular threat -- but also amount to too much personal information in the eyes of privacy advocates. 

Civil rights groups generally oppose the cyber information-sharing legislation for this reason. And they have consistently depicted suspicious activity reporting as a tactic that nets more innocents than terrorist leads. In 2014, the American Civil Liberties Union sued the government, arguing the program places people on watchlists for merely taking photos of tourist sites and other harmless behavior. 

A 'Flood of Useless Information?'

According to a September 2015 DNI Information Sharing Environment report to Congress, there is a greater need to use tools for sharing cyber information across institutions as malicious digital activity increases. One such tool is the "Cyber Integration for Fusion Centers," a guidebook released in May for state intelligence facilities on how to characterize cyber threats while still protecting privacy. 

At fusion centers, cyber information consists of indicators, IP addresses, domains, aliases, and file hashes, according to the guidelines. 

Whether a particular cyber suspicious activity report "is linked to terrorism and subject to being shared" depends on how analysts apply their training, the strategy states. Factors that need to be considered in making that call include the targeted IT infrastructure, likely consequences and historical background.

Decision-making also takes into account civil liberties.

"The same privacy policies that govern information sharing against terrorism -- work for cybersecurity-related information sharing," Paul said. "That's a big win for transparency" because the rules have been in place for years, and "analysts, operators and investigators are trained on them. There are compliance audits and performance metrics." 

But ACLU officials seem unconvinced that suspicious cyber reporting will preserve constitutional rights.

“The low threshold for reporting SARs that let loose a flood of useless information on innocent or First Amendment-protected conduct will also result in the reporting of cyber activity that is either innocuous or protected,” said Hugh Handeyside, staff attorney for the ACLU National Security Project. “The targets of those SARs will likely be subject to intrusive surveillance and monitoring, even if the government lacks reasonable suspicion that they are involved in any criminal activity.”

The new tool offers a three-page instruction sheet on how to label the severity of cyberspace incidents. 

Some of the directions:

  • A "significant incident" would be a situation likely to impact public safety, national security, economic security, foreign relations, privacy or public confidence. An "emergency incident" would pose an "imminent threat" to large-scale critical infrastructure, the stability of the U.S. government, or people's lives. 
  • If the target of the threat is a small business, that episode would rank as a low-security-level situation, whereas a hack aimed at a United Nations special event would be a high-security-level episode.
  • The defacing of a website or knocking a website offline with a denial-of-service attack would be of lower consequence than a hack that inflicts damage on the real world or steals data.
  • Foreign policy issues factor into the description of the attacker. If it is an ally who is compromising U.S. information, that intruder would be called a low-threat actor. A dramatic change in a foreign country's intentions would be considered a high-threat adversary. 
     