Tomorrow Sen. John McCain, along with five other Republican senators, plans to unveil a cybersecurity bill to rival the Lieberman-Collins bill that Majority Leader Harry Reid has said he plans to bring to the Senate floor without an official markup by committee.
At a hearing earlier this month, Sen. McCain criticized the Lieberman-Collins bill for not giving the NSA authority over civilian networks. And as we’ve heard this week, the NSA has been aggressively seeking this authority—so aggressively in fact that the White House publicly rebuked Gen. Keith Alexander in the pages of the Washington Post. But as CDT’s Jim Dempsey explains in a blog post today,
The NSA’s claims are premised on the dual assumptions that the private sector is not actively defending its systems and that only the NSA has the skills and the technology to do effective cybersecurity. The first is demonstrably wrong. The Internet and telecommunications companies are already doing active defense (not to be confused with offensive measures). The Tier 1 providers have been doing active defense for years – stopping the threats before they do damage – and the companies have been steadily increasing the scope and intensity of their efforts.
The second assumption (that only the NSA has the necessary skills and insight) is very hard for an outsider to assess. But given the centrality of the Internet to commerce, democratic participation, health care, education and multiple other activities, it does not seem that we should continue to invest a disproportionate percentage of our cybersecurity resources in a military agency. Instead, we should be seeking to improve the civilian government and private sector capabilities.
The military, and especially the NSA, has great experience and useful intelligence that should leveraged to protect civilian networks. But that assistance should be provided at arms-length and without allowing the military to conduct surveillance on the private Internet. Military involvement in civilian security is as inappropriate in cyberspace as it is in the physical world.
As Gene Healy has explained, civilian law enforcement and security agencies “are trained to operate in an environment where constitutional rights apply and to use force only as a last resort”, while the military’s objectives are to defeat adversaries. The NSA’s warrantless wiretapping scandal speaks to this difference. “Accordingly, Americans going back at least to the Boston Massacre of 1770 have understood the importance of keeping the military out of domestic law enforcement.” The Senate Republicans would do well to leave NSA involvement in civilian networks out of a new cybersecurity bill.
And FYI: I will be presenting at a Cato Institute Capitol Hill briefing on cybersecurity on March 23rd along with Jim Harper and Ryan Radia. Full details and RSVP are here.