Alexander has petitioned for months to give Internet service providers new cover. NSA's Alexander seeks cyber shield

Even as he defends controversial government surveillance programs, the head of the National Security Agency is asking Congress for another authority sure to inflame critics — legal immunity for companies that help the feds fight cyberattackers.

Gen. Keith Alexander has petitioned Capitol Hill for months to give Internet service providers and other firms new cover from lawsuits when they rely on government data to thwart emerging cyberthreats.


That may be a powerful perk to persuade companies to work with Washington toward bolstering the country’s digital defenses. But it’s also a source of alarm for some civil liberties advocates, who are already peeved with the NSA’s vast electronic spying regime. Those critics’ new fear: Companies acting with the government’s blessing in cyberspace could skirt legal accountability if they hit the wrong target.

“If the government asks the company to do something to protect the networks, or to do something and a mistake is made, and it was our fault, then they should have liability protection for that,” Alexander told a Senate committee Wednesday.

Digital countermeasures in theory can encompass everything from the benign blocking of suspicious IP addresses to more aggressive and eye-opening efforts to poison hackers’ home bases. Done effectively, these tactics can help companies stop attacks or remove spies from their networks. But there’s always risk: Bad intelligence could lead a company to block legitimate Web traffic, for example, or perhaps kick perfectly legal Internet users offline. The most aggressive countermeasures — like actively hacking back a known hacker — are banned under current U.S. law.

As Congress rethinks the private sector’s powers to defend itself, however, lawmakers have struggled to provide a clear definition as to what companies can do and what legal protections they should receive. Exactly what the Obama administration seeks isn’t clear either. Alexander, for his part, has never revealed the full set of tools he believes companies should have at their disposal when acting on government intelligence. The NSA declined further comment — as did the Pentagon, where the general also leads U.S. Cyber Command.

A White House official speaking anonymously to POLITICO said the administration could support a change to law that allows companies to take some defensive countermeasures in cyberspace, with narrow legal protections and strong oversight. But the official said the White House hasn’t put forward its own definition of what qualifies as a “defensive countermeasure” because it’s not writing legislation.

In a separate statement, an administration spokeswoman stressed the need for limits on legal immunity given to companies that take “defensive action” based on “specific, tailored cyberthreat information” from the government that turns out to be faulty.

Most of official Washington is focused on the NSA now because of its broad phone record collection program and its Internet surveillance effort known as PRISM. Amid that controversy, lawmakers are engaged in a long-standing debate over how the government and private companies can work together to identify and defeat foreign hackers and spies.

Many members of Congress agree there’s need for the public and private sectors to exchange more intel about emerging cyberthreats. There’s division, though, as to how companies should defend their own networks — and the sort of legal protections the government should afford private businesses that assist in the cybersecurity cause.

Companies, for their part, want to be shielded from as many lawsuits as possible, especially if they’re on the front lines. And the government, in the past, has granted such immunity in the realm of surveillance — like when Congress during the Bush era shielded telecoms from lawsuits as they assisted the NSA’s warrantless wiretapping program.

When it comes to cyber countermeasures, sources say Alexander has long been a proponent of a more aggressive approach.

One former White House aide told POLITICO that Alexander has been asking members of Congress for some time to adopt bill language on countermeasures that’s “as ill-defined as possible” — with the goal of giving the Pentagon great flexibility in taking action alongside Internet providers. Telecom companies, the former aide said, also have been asking Alexander for those very legal protections.

While Alexander hasn’t been very specific in his public comments, he’s dropped some clues about his thinking on companies that act as “agents of the government,” as he explained at an April hearing of the Senate Armed Services Committee.

“We send a signature [to a company] that says, stop this piece of traffic,” Alexander told lawmakers at the time. But if the government were to “mischaracterize” the threat, leading an Internet provider to have “stopped some traffic they didn’t intend to,” Alexander said, “in that venue we’ve got to give [companies] immunity.”

The general quickly added he was “not talking about giving them broad, general immunity, and I don’t think anyone is.”

Alexander initially promised in April to provide one committee member, Sen. Bill Nelson (D-Fla.), a more complete explanation of his thinking, but the NSA declined to make that document available, and the senator’s office did not comment to POLITICO.

The lack of clarity has irked civil liberties advocates still peeved about the NSA’s alleged overreach in cyberspace. Given the “recent revelations about the NSA’s surveillance activities that seem to go well beyond its statutory authorities, I think any authorization to enlist companies in related activities … is going to have a lot of people up in arms,” said Greg Nojeim, senior counsel at the Center for Democracy and Technology.

As the debate proceeds, the NSA does have some receptive allies on Capitol Hill. Chief among them may be Sen. Dianne Feinstein (D-Calif.), the leader of the chamber’s Intelligence Committee and co-author of a forthcoming bill on cybersecurity information sharing.

It was Feinstein who asked Alexander about liability protection at a high-octane Wednesday appropriations hearing. She began her question by noting lawmakers have consulted with the NSA leader on lawsuit immunity and countermeasures.

Feinstein’s office declined comment for this story. The senator backed limited defensive countermeasures in her previous 2012 cybersecurity bill. Companies deploying them would not have gained full liability protections but could have made a good-faith defense in court.

This year, though, there’s new chatter about codifying the government’s role working with private companies against cyberthreats. New legislation could grant the government some ability to approve or recommend the use of countermeasures, according to a congressional aide familiar with the discussions. And that could come with stronger liability protections, too, the source indicated.

Meanwhile, Feinstein’s counterpart on the Senate Intelligence Committee — ranking Republican Sen. Saxby Chambliss of Georgia — also told POLITICO there’s still appetite for the idea.

“Providing the private sector with full liability protection from frivolous lawsuits for all information sharing and for the use of certain countermeasures is essential to encouraging better cybersecurity, both within the private sector and the federal government,” he said in a statement. “Any bill we pass must contain these vital protections.”

His office cautioned, though, that it’s only “defensive countermeasures” that lawmakers have in mind — but he declined to offer specifics.

The concept, if it advances in Congress, could spark heated argument if history is any guide.

A major Senate cybersecurity bill that reached the chamber floor last year specified companies could only act with defensive interests in mind. It still failed to assuage the concerns of critics, who felt the language may have permitted Internet providers to snoop on their users and take significant action without any legal penalty for wrongdoing. Sen. Al Franken (D-Minn.) at the time led an effort to delete the offending section, though the bill never became law. Similar complaints dogged a House-passed bill that at one point earned the president’s veto threat.

As the debate returns, privacy hawks and civil liberties advocates promise to press the issue. There might be a way to balance competing security and privacy interests, explained Michelle Richardson, legislative counsel at the American Civil Liberties Union — but she emphasized it would come down to specifics.

“You don’t want to give too much protection so companies are acting recklessly and causing all sorts of collateral damages or unintended consequences,” she said.

This article tagged under: Technology

NSA

Keith Alexander