I'm surprised no one has yet posted anything on this. I must admit it made me pause when I saw it as the top headline picking up my paper this morning...

http://www.washingtonpost.com/wp-dyn/content/article/2010/02/03/AR2010020304057_pf.html

From a policy perspective, it does show the current weakness from a government prospective on how to handle cybersecurity and cyberwarfare. We currently have a sort of piecemeal approach with a lot of fuzz on policies. As a bonus question for this article, what are your thoughts on how the nation and the government should handle this emerging area of concern?

Quote :

"Google to enlist NSA to help it ward off cyberattacks By Ellen Nakashima Thursday, February 4, 2010; A01 The world's largest Internet search company and the world's most powerful electronic surveillance organization are teaming up in the name of cybersecurity. Under an agreement that is still being finalized, the National Security Agency would help Google analyze a major corporate espionage attack that the firm said originated in China and targeted its computer networks, according to cybersecurity experts familiar with the matter. The objective is to better defend Google -- and its users -- from future attack. Google and the NSA declined to comment on the partnership. But sources with knowledge of the arrangement, speaking on the condition of anonymity, said the alliance is being designed to allow the two organizations to share critical information without violating Google's policies or laws that protect the privacy of Americans' online communications. The sources said the deal does not mean the NSA will be viewing users' searches or e-mail accounts or that Google will be sharing proprietary data. The partnership strikes at the core of one of the most sensitive issues for the government and private industry in the evolving world of cybersecurity: how to balance privacy and national security interests. On Tuesday, Director of National Intelligence Dennis C. Blair called the Google attacks, which the company acknowledged in January, a "wake-up call." Cyberspace cannot be protected, he said, without a "collaborative effort that incorporates both the U.S. private sector and our international partners." But achieving collaboration is not easy, in part because private companies do not trust the government to keep their secrets and in part because of concerns that collaboration can lead to continuous government monitoring of private communications. Privacy advocates, concerned about a repeat of the NSA's warrantless interception of Americans' phone calls and e-mails after the Sept. 11, 2001, terrorist attacks, say information-sharing must be limited and closely overseen. "The critical question is: At what level will the American public be comfortable with Google sharing information with NSA?" said Ellen McCarthy, president of the Intelligence and National Security Alliance, an organization of current and former intelligence and national security officials that seeks ways to foster greater sharing of information between government and industry. On Jan. 12, Google took the rare step of announcing publicly that its systems had been hacked in a series of intrusions beginning in December. The intrusions, industry experts said, targeted Google source code -- the programming language underlying Google applications -- and extended to more than 30 other large tech, defense, energy, financial and media companies. The Gmail accounts of human rights activists in Europe, China and the United States were also compromised. So significant was the attack that Google threatened to shutter its business operation in China if the government did not agree to let the firm operate an uncensored search engine there. That issue is still unresolved. Google approached the NSA shortly after the attacks, sources said, but the deal is taking weeks to hammer out, reflecting the sensitivity of the partnership. Any agreement would mark the first time that Google has entered a formal information-sharing relationship with the NSA, sources said. In 2008, the firm stated that it had not cooperated with the NSA in its Terrorist Surveillance Program. Sources familiar with the new initiative said the focus is not figuring out who was behind the recent cyberattacks -- doing so is a nearly impossible task after the fact -- but building a better defense of Google's networks, or what its technicians call "information assurance." One senior defense official, while not confirming or denying any agreement the NSA might have with any firm, said: "If a company came to the table and asked for help, I would ask them . . . 'What do you know about what transpired in your system? What deficiencies do you think they took advantage of? Tell me a little bit about what it was they did.' " Sources said the NSA is reaching out to other government agencies that play key roles in the U.S. effort to defend cyberspace and might be able to help in the Google investigation. These agencies include the FBI and the Department of Homeland Security. Over the past decade, other Silicon Valley companies have quietly turned to the NSA for guidance in protecting their networks. "As a general matter," NSA spokeswoman Judi Emmel said, "as part of its information-assurance mission, NSA works with a broad range of commercial partners and research associates to ensure the availability of secure tailored solutions for Department of Defense and national security systems customers." Despite such precedent, Matthew Aid, an expert on the NSA, said Google's global reach makes it unique. "When you rise to the level of Google . . . you're looking at a company that has taken great pride in its independence," said Aid, author of "The Secret Sentry," a history of the NSA. "I'm a little uncomfortable with Google cooperating this closely with the nation's largest intelligence agency, even if it's strictly for defensive purposes." The pact would be aimed at allowing the NSA help Google understand whether it is putting in place the right defenses by evaluating vulnerabilities in hardware and software and to calibrate how sophisticated the adversary is. The agency's expertise is based in part on its analysis of cyber-"signatures" that have been documented in previous attacks and can be used to block future intrusions. The NSA would also be able to help the firm understand what methods are being used to penetrate its system, the sources said. Google, for its part, may share information on the types of malicious code seen in the attacks -- without disclosing proprietary data about what was taken, which would concern shareholders, sources said. Greg Nojeim, senior counsel for the Center for Democracy & Technology, a privacy advocacy group, said companies have statutory authority to share information with the government to protect their rights and property. "

2/4/2010 11:45:24 AM

On the one hand you'd like the NSA to secure our personal data from the "bad guys", but on the other hand you dont want the NSA looking into that data.

In this case google is asking for help, rather than the NSA forcing the issue. I wouldn't really call it a weak approach by to government, because if they really wanted to put it on lock down they could sniff all traffic passing through major telco routes. Not exactly great for privacy. It would be possible to determine attacks in progress by looking at traffic patterns without looking at content, but thats reactionary instead of preventative.

I'd be more concerened with the ammount of control google has over data they collect on everyone from all ends of the internet. They are an advertising company at heart, and everything they do exists to serve you the most relevent ad possible. That, plus their effective monopoly on search and web advertising, allows them to charge the highest ammount to advertisers.

If the NSA wants to create standard practices for information storage and protection thats fine. I think having them come in to run regular penetration testing against the larger information stockpiles is probably a good idea too. I would stop before we get into installing NSA sniffers in everyones data centers.

It might also be good to look into legislation regarding what google and others are allowed to keep without direct user consent. Gmail is one thing, but these days almost every website uses google analytics. If you've got a google cookie they can associate your account to your analytics data without you doing anything. Thats probably something that should be ended.

2/4/2010 12:04:09 PM

I should have clarified: when I said 'weak' approach, I meant it more at a high level on how the government responds to issues of cybersecurity. It's becoming messy because while the assets may be owned by private entities, their information networks are becoming important parts of our national infrastructure. What is the threshold that turns mere cyber vandalism into a legal issue or even a security threat that justifies the use of kinetic force? What sort of coordination and standards should there be, if any? Who takes the lead? NSC? NSA? USAF? FBI? DoJ? Just some thoughts.

2/4/2010 12:39:40 PM

If there was clear proof that a foreign government knowingly engadged in cyberterrorism against US interests it should be treated the same as a physical attack on us interests. The problem is its much harder to determine if another nation had a role in a cyber attack vs a physical one.

To sum it up by task:

Passive Cyber defense (standards/practices/testing): NSA
Active Cyber defense (halting ongoing attacks): NSA/Air force
Cyber offence: CIA(/maybe air force?)
General intelligence: CIA

NSA should continually update best practices. Then when an attack is detected, either the NSA (in case of unknown enemies/peacetime) or the airforce (in the case of known enemies/wartime) should do what it takes to stop the attack depending on priority. For example, if google is getting hacked by chinese the NSA should step in to help google terminate the traffic or to harden certain points of contact. If we were at war and china was attacking national defense targets, then the air force should probably step in and maybe even start disconnecting parts of the internet or defense networks to stop the attacks.

During peactime, the CIA should be responsible for discovering potential attacks, finding those responsible for on going/previous attacks, and whatever covert offensive cyber attacks need to happen in persuit of information. During wartime the air force would probably be responsible for attacking foreign networks.

As far as coordination, I'm not sure. Peacetime stuff would probably fall under DHS and wartime would be DoD.

2/4/2010 1:02:03 PM

Quote :

"The partnership strikes at the core of one of the most sensitive issues for the government and private industry in the evolving world of cybersecurity: how to balance privacy and national security interests"

how is this an issue? a private company requested the aid of the federal government. they came up with a contract, to which both agree, and are proceeding... and it was stated that users' private information would not be shared....

2/4/2010 2:46:06 PM

you guys remember that scene in Dark Knight where Morgan Freeman is showing off the system tracks cell phone communications and whatnot to Batman, and he's all, "oh shit we done went and done it now!"

well, extrapolate that shit. we haven't had any major attacks since 911 not because every rogue piece of hazardous material has been secured, or that the will of all those who wish us harm has been devitalized. we've been this safe so far beause they're monitoring everything. they might not know exactly what you posted on your grandmothers facebook profile regarding her pumpkin pie recipe, but they've got enough artificial intelligence out there to keep a good enough eye out for potential bad guys.

2/4/2010 2:56:50 PM

What if I told you this rock kept all the tigers away? You don't see any tigers do you?

2/4/2010 3:29:09 PM

I would like to purchase your rock.

2/4/2010 3:32:30 PM

i wouldn't care - not really a tiger problem in Raleighwood, NC.

now, were i somewhere in Bengal, depending on the price i just might buy that rock.

2/5/2010 10:36:54 PM

what if I told you this stimulus package kept the depression away? you don't see any depressions do you?

2/5/2010 11:00:09 PM