By Joseph Menn and Deborah Charles
SAN FRANCISCO, March 21 - The U.S. government is
expanding a cybersecurity program that scans Internet traffic
headed into and out of defense contractors to include far more
of the country's private, civilian-run infrastructure.
As a result, more private sector employees than ever before,
including those at big banks, utilities and key transportation
companies, will have their emails and Web surfing scanned as a
precaution against cyber attacks.
Under last month's White House executive order on
cybersecurity, the scans will be driven by classified
information provided by U.S. intelligence agencies - including
data from the National Security Agency (NSA) - on new or
especially serious espionage threats and other hacking attempts.
U.S. spy chiefs said on March 12 that cyber attacks have
supplanted terrorism as the top threat to the country.
The Department of Homeland Security will gather the secret
data and pass it to a small group of telecommunication companies
and cybersecurity providers that have employees holding security
clearances, government and industry officials said. Those
companies will then offer to process email and other Internet
transmissions for critical infrastructure customers that choose
to participate in the program.
By using DHS as the middleman, the Obama administration
hopes to bring the formidable overseas intelligence-gathering of
the NSA closer to ordinary U.S. residents without triggering an
outcry from privacy advocates who have long been leery of the
spy agency's eavesdropping.
The telecom companies will not report back to the government
on what they see, except in aggregate statistics, a senior DHS
official said in an interview granted on condition he not be
"That allows us to provide more sensitive information," the
official said. "We will provide the information to the security
service providers that they need to perform this function."
Procedures are to be established within six months of the order.
In written Senate testimony this month, DHS Secretary Janet
Napolitano said the indicators of attacks given to the
commercial companies would be the same as those used to protect
the federal government's own networks, so that the security
services offered to their infrastructure customers sector should
The administration is separately seeking legislation that
would give incentives to private companies, including
communications carriers, to disclose more to the government. NSA
Director General Keith Alexander said last week that NSA did not
want personal data but Internet service providers could inform
the government about malicious software they find and the
Internet Protocol addresses they were sent to and from.
"There is a way to do this that ensures civil liberties and
privacy and does ensure the protection of the country,"
Alexander told a congressional hearing.

SENSITIVE INFORMATION SHARING

In the past, Internet traffic-scanning efforts were mainly
limited to government networks and Defense Department
contractors, which have long been targets of foreign espionage.
But as fears grow of a destructive cyber attack on core,
non-military assets, and more sweeping security legislation
remains stalled, the Obama administration opted to widen the
Last month's presidential order calls for commercial
providers of "enhanced cybersecurity services" to extend their
offerings to critical infrastructure companies. What constitutes
critical infrastructure is still being refined, but it would
include utilities, banks and transportation such as trains and
Under the program, critical infrastructure companies will
pay the providers, which will use the classified information to
block attacks before they reach the customers. The classified
information involves suspect web addresses, strings of
characters, email sender names and the like.
Not all the cybersecurity providers will be telecom
companies, though AT&T Inc is one. Raytheon Co
said this month it had agreed with DHS to become a provider, and
a spokesman said that customers could route their traffic to
Raytheon after receiving it from their communications company.
As the new set-up takes shape, DHS officials and industry
executives said some security equipment makers were working on
hardware that could take classified rules about blocking traffic
and act on them without the operator being able to
reverse-engineer the codes. That way, people wouldn't need a
security clearance to use the equipment.

DEEP PACKET INSPECTION?

The issue of scanning everything headed to a utility or a
bank still has civil liberties implications, even if each
company is a voluntary participant.
Lee Tien, a senior staff attorney with the nonprofit
Electronic Frontier Foundation, said that the executive order
did not weaken existing privacy laws, but any time a machine
acting on classified information is processing private
communications, it raises questions about the possibility of
secret extra functions that are unlikely to be answered
"You have to wonder what else that box does," Tien said.
One technique for examining email and other electronic
packets en route, called deep packet inspection, has stirred
controversy for years, and some cybersecurity providers said
they would not be using that. In deep packet inspection,
communication companies or others with network access can
examine all the elements of a transmission, including the
content of emails.
"The signatures provided by DHS do not require deep packet
inspection," said Steve Hawkins, vice president at Raytheon's
Intelligence and Information Systems division, referring further
questions to DHS.
The DHS official said the government is still in
conversations with the telecom operators on the issue.
The official said the government had no plans to roll out
any such form of government-guided close examination of Internet
traffic into the communications companies serving the general