21 March 2021

The Obama Administration Had a Plan to Stop Cyberattacks Like SolarWinds

BY FRED KAPLAN

It turns out that massive computer hacks—such as the ones recently launched by the Russians against SolarWinds and the Chinese against Microsoft—will be harder to fix and easier for attackers to replicate in the future.

The problem, as analysts have since determined, is that the hacks were mounted from servers based in the United States. This explains why the U.S. government didn’t notice the intrusions. (FireEye, one of the private cybersecurity firms targeted in the SolarWinds hack, detected them.) The National Security Agency, which monitors cybertraffic as well as any entity on earth, is legally barred from engaging in domestic surveillance. The Department of Homeland Security, which is supposed to track threats from within, has never been up to the task, lacking the money, manpower, or technology.

So the Biden administration is looking for a new, more effective, but still legal approach. The good news is that a decade ago, in a little-known episode of Barack Obama’s presidency, two Cabinet secretaries came up with a possible solution—but it was sabotaged by one of their underlings. Biden’s team might take a second look at the plan; the times, and the threats, have changed since then. This time, it might take hold.

The idea was hatched in July 2010. Cyberattacks against civilian infrastructure were growing in frequency and scope. Secretary of Defense Robert Gates understood the dilemma: Only the NSA could deal with these attacks, but it lacked the legal authority; the DHS had the mandate to deal with these attacks, but it lacked the ability.

Gates called a meeting with Janet Napolitano, the secretary of homeland security. They came up with a way out of the thicket. She would appoint a second deputy director of the NSA (Gates would formally appoint the official, but it would be her pick). In the event of a threat to the nation’s critical infrastructure, this new deputy could draw on the NSA’s technical resources while invoking the DHS’s legal authority. The two Cabinet secretaries drafted a memorandum of understanding, which included firewalls to protect privacy and civil liberties. On July 27, they took the idea to Obama, who had no objections. Obama passed it to his national security adviser, Thomas Donilon, who sent it to an interagency panel of the National Security Council. Everything seemed set. Gates and Napolitano moved on to the many other issues on their plate.

Over the next few months, the arrangement blew apart.

Before she moved on, Napolitano selected her candidate for the new NSA deputy director—a two-star admiral named Michael Brown, who was her deputy assistant secretary for cybersecurity. Brown seemed ideal for the job. He’d studied cryptology at the Naval Academy, worked on signal intelligence teams at the NSA and the Pentagon, and, in the two years he’d been working at DHS, expanded the department’s cyber staff from 28 people to nearly 400 and turned its emergency response team into a vaguely functional organization.

But, in part because of his background, Brown ran into obstacles at every step. Napolitano’s deputy, Jane Holl Lute—a lawyer, former assistant secretary-general for peacekeeping at the United Nations, and an Army veteran in signals intelligence—was deeply suspicious of the NSA and resisted any policy that might turn the internet into, as she put it, a “war zone.” She was joined in her resistance by the White House cybersecurity adviser, Howard Schmidt, who winced at those who described cyberspace as a “domain,” in the same sense that Air Force and Navy officers describe the skies and the ocean as “domains” for military operations. Brown’s rank as a naval officer, his background in cryptology, and his experience with the NSA suggested (quite plausibly) that the joint endeavor would be far from an equal partnership—that the NSA would run the show.

The deputy secretaries in the National Security Council’s interagency group were also a bit peeved that this deal had gone down without their consultation. In the end, they approved Brown as “cybersecurity coordinator,” but wouldn’t let him be a deputy director of the NSA; they wouldn’t give him the legal authority to do the job that Gates and Napolitano had envisioned.

All this time, staff meetings between NSA and DHS seethed with tension. The Gates-Napolitano memo called for each agency to send 10 analysts to the other’s headquarters, as a sort of cultural exchange program. Early on, the NSA sent its 10, but DHS was slow to reciprocate. Part of the problem was resources. About 25,000 people worked at NSA; sparing 10 of them was no sacrifice. But DHS had only a few hundred cyber specialists; rather than transferring any, Lute decided to hire 10 extra people, a process that involved juggling the budget, processing security clearances—in short, lots of time. Well before all 10 were cleared, the arrangement sputtered and ground to a halt.

Meanwhile, on Oct. 31, 2010, U.S. Cyber Command was officially chartered, raising its flag at the Fort Meade headquarters of the NSA. The NSA’s director, by charter a four-star general or admiral, would become the commander of Cyber Command as well. In the rubble of the Gates-Napolitano plan, the military took total control of the government’s cyber realm—while the civilian sector remained as ill-protected as ever.

Who knows whether the Gates-Napolitano plan would have worked out, even with a more sincere effort to enforce it? The deputies had a point that the NSA would have dominated the partnership, which would have sparked legal and bureaucratic conflicts. (Way back in 1984, the first presidential directive on cybersecurity, signed by Ronald Reagan, called for the NSA to set security standards for all computers in the U.S., private, corporate, and governmental. Congress overruled the measure as a violation of the agency’s charter, and rightly so.)

Still, a decade on, there might be a greater tolerance, possibly an eagerness, to work out some sort of compromise. Lute’s and Schmidt’s abhorrence of turning the internet into a “war zone” or a “domain” of military operations seems quaint today; the object of their shudders is now a reality—cyberattacks are interfering with the engines of socioeconomic life—and the task is now to deal with it.
