Sunday, February 10, 2008

NSA In Charge of U.S. Government Cyber Security

Last month, President Bush signed a classified directive putting all cyber-defense and counter-offensive activity for government networks under the aegis of the National Security Agency. As one might expect, this generated some comment in cyberspace (e.g. see the Slashdot coverage). Part of that, of course, is due to the well-earned distrust of the Bush administration's attitudes towards civil liberties.

I don't really know enough about cybersecurity to offer an opinion. Clearly attacks on the government and other information infrastructure are a serious threat, both in terms of the ease of mounting them and their potential impact. Equally clearly, protecting against such threats is a large, complex, evolving task which requires a highly professional, well-equipped, well-organized staff.

I suspect there ought to be a government agency that provides protection for the national information infrastructure -- which is primarily non-governmental. The federal government has as one of its most important functions the protection of this country from foreign threats. It is also our major source of protection from interstate crime. Thus, I look to the federal government to protect the national information infrastructure from both foreign and domestic threats. So perhaps one concern is that the President's initiative has not gone far enough.

By reputation, the National Security Agency is the strongest government agency in terms of technical capacity to deal with cyberspace. Thus, at least initially, there would seem to be a reasonable argument for the NSA to be asked to provide protection.

My guess is that it takes time to figure out whether an attack in cyberspace is being made from a source within the United States or in a foreign country. Moreover, many attacks would seem likely to involve servers both here and abroad. Even assuming that one could figure out the source of a malicious attack, it might be too late to respond when that information was developed. This might be especially true if, say, the NSA determined an attack was domestic, and then tried to turn over responsibility for responding to a domestic agency. So again, there seems to be an argument that a single agency be designated to be responsible for all cybersecurity.

Of course, there is a concern that an agency charged with protecting the nation's information infrastructure might be misused to spy on our own citizens and residents. (I am not sure that we should not also be concerned about inappropriate spying on foreign nationals. Some of the reports of past bugging of friendly governments suggest that we need strong controls on surveillance abroad as well as at home.) I suggest, however, that such risks can be managed, and made small enough to accept in order to improve our cybersecurity.

Perhaps what we need is a strong agency to take responsibility for cybersecurity nationwide, including for both governments and the private sector. I suppose the Transportation Safety Administration could be a conceptual model for such an agency.

There is a major split in the U.S. Government between domestic and foreign policy functions. Nonetheless, as globalization continues, more and more functions have to cross that artificial boundary. The Federal Aviation Administration has to deal with airplanes crossing our borders all the time. The Food and Drug Administration monitors the manufacture of pharmaceuticals outside the United States when they are to be shipped here. Still, it might be as well to have a single agency protecting our infrastructure against domestic and foreign attack, and to eventually allow the NSA to go back to its primary function of gathering information for the intelligence community. Or not!
