US secretly allowing Internet surveillance, monitoring Internet traffic
Scared that CISPA might pass? The federal government is already using a secretive cybersecurity program to monitor online traffic and enforce CISPA-like data sharing between Internet service providers and the Department of Defense.
The Electronic Privacy Information Center has obtained over1,000 pages of documents pertaining to the United Statesgovernment’s use of a cybersecurity program after filing a Freedomof Information Act request, and CNET reporter Declan McCullagh saysthose pages show how the Pentagon has secretly helped push forincreased Internet surveillance.
“Senior Obama administration officials have secretlyauthorized the interception of communications carried on portionsof networks operated by AT&T and other Internet serviceproviders, a practice that might otherwise be illegal under federalwiretapping laws,” McCullagh writes.
That practice, McCullagh recalls, was first revealed when DeputySecretary of Defense William Lynn disclosed the existence of theDefense Industrial Base (DIB) Cyber Pilot inJune 2011. At the time, the Pentagon said the program would allowthe government to help the defense industry safeguard theinformation on their computer systems by sharing classified threatinformation between the Department of Defense, the Department ofHomeland Security and the Internet service providers (ISP) thatkeep government contractors online.
“Our defense industrial base is critical to our militaryeffectiveness. Their networks hold valuable information about ourweapons systems and their capabilities,” Lynn said. “Thetheft of design data and engineering information from within thesenetworks greatly undermines the technological edge we hold overpotential adversaries.”
Just last week the US House of Representatives voted in favor ofthe Cyber Intelligence Sharing and Protection Act, or CISPA — a legislation that, if signed into law, wouldallow ISPs and private Internet companies across the country likeFacebook and Google to share similar threat data with the federalgovernment without being held liable for violating their customers’privacy. As it turns out, however, the DIB Cyber Pilot has expandedexponentially in recent months, suggesting that a significant chunkof Internet traffic is already subjected to governmentalmonitoring.
In May 2012, less than a year after the pilot was firstunveiled, the Defense Department announced the expansion of the DIBprogram. Then this past January, McCullagh says it was renamed theEnhanced Cybersecurity Services (ECS) and opened up to a largernumber of companies — not just DoD contractors. An executive order signed by US President Barack Obamaearlier this year will let all critical infrastructure companiessign-on to ECS starting this June, likely in turn bringing on boardentities in energy, healthcare, communication and finance.
Although the 1,000-plus pages obtained in the FOIA requesthaven’t been posted in full on the Web just yet, a sampling of thattrove published by EPIC on Wednesday begins to show just exactlyhow severe the Pentagon’s efforts to eavesdrop on Web traffic havebeen.
In one document, a December 2011 slideshow on the legal policiesand practices regarding the monitoring of Web traffic on DIB-linkedsystems, the Pentagon instructs the administrators of thosethird-party computer networks on how to implement the program and,as a result, erode their customers’ expectation of privacy.
In one slide, the Pentagon explains to ISPs and other systemadministrators how to be clear in letting their customers know thattheir traffic was being fed to the government. Key elements to keepin mind, wrote the Defense Department, was that DIB “expresslycovers monitoring of data and communications in transit rather thanjust accessing data at rest.”
“[T]hat information transiting or stored on the system may bedisclosed for any purpose, including to the government,” itcontinued. Companies participating in the pilot program were toldto let users know that monitoring would exist “for anypurpose,” and that users have no expectation of privacyregarding communications or data stored on the system.
According to the 2011 press release on the DIB Cyber Pilot,“the government will not monitor, intercept or store anyprivate-sector communications through the program.” In aprivacy impact assessment of the ECS program that was published inJanuary by the DHS though, it’s revealed that not only isinformation monitored, but among the data collected byinvestigators could be personally identifiable information,including the header info from suspicious emails. That would meanthe government sees and stores who you communicate with and whatkind of subject lines are used during correspondence.
The DHS says that personally identifiable information could beretained if “analytically relevant to understanding the cyberthreat” in question.
Meanwhile, the lawmakers in Congress that overwhelminglyapproved CISPA just last week could arguably use a refresher inwhat constitutes a cyberthreat. Rep. Michael McCaul (R-Texas) toldhis colleagues on the Hill that "Recent events in Bostondemonstrate that we have to come together as Republicans andDemocrats to get this done,” and Rep. Dan Maffei (D-New York)made unfounded claims during Thursday’s debate that thewhistleblowing website WikiLeaks is pursuing efforts to “hackinto our nation’s power grid.”
Should CISPA be signed into law, telecommunication companieswill be encouraged to share Internet data with the DHS andDepartment of Justice for so-called national security purposes. Buteven if the president pursues a veto as his advisers havesuggested, McCullagh says few will be safe from this secretivecybersecurity operation already in place.
The tome of FOIA pages, McCullagh says, shows that the JusticeDepartment has actively assisted telecoms as of late by lettingthem off the hook for Wiretap Act violations. Since the sharing of databetween ISPs and the government under the DIB program and now ECSviolates federal statute, the Justice Department has reportedlyissued an undeterminable number of “2511 letters” to telecoms:essentially written approval to ignore provisions of the WiretapAct in exchange for immunity.
"The Justice Department is helping private companies evadefederal wiretap laws," EPIC Executive Director Marc Rotenbergtells CNET. "Alarm bells should be going off."
In an internal Justice Department email cited by McCullagh,Associate Deputy Attorney General James Baker is alleged to writethat ISPs will likely request 2511 letters and theECS-participating companies “would be required to change theirbanners to reference government monitoring.”
"These agencies are clearly seeking authority to receive alarge amount of information, including personal information, fromprivate Internet networks," EPIC staff attorney AmieStepanovich adds to CNET. "If this program was broadly deployed,it would raise serious questions about government cybersecuritypractices."
EPIC FOIA Request Reveals Details About Government Cybersecurity Program
On June 16, 2011, the Washington Post reported that the NSA had implemented a new program designed to monitor all traffic flowing through certain ISPs to a select number of defense contractors. The goal of this pilot program is the "thwarting [of] cyberattacks against defense firms," although Deputy Secretary of Defense William J. Lynn III stated that "[w]e hope the . . . cyber pilot can be the beginning something bigger." The NSA pilot program is to serve as a model that can be "transported to other critical infrastructure sectors, under the leadership of the Department of Homeland Security."
New documents obtained by EPIC in a Freedom of Information Act lawsuit reveal that the Department of Defense advised private industry on how to best circumvent federal wiretap law. The documents concern a collaboration between the Defense Department, the Department of Homeland Security, and private companies to allow government monitoring of private Internet networks. Though the program initially only applied to defense contractors, an Executive Order issued by the Obama administration earlier this year expanded it to include other "critical infrastructure" industries. The documents obtained by EPIC also cited NSPD 54 as one source of authority for the program. NSPD 54 is a presidential directive issued under President Bush that EPIC is pursuing in separate FOIA litigation. For more information, see EPIC: EPIC v. DHS (Defense Contractor Monitoring), and EPIC: EPIC v. NSA - Cybersecurity Authority.