The Pentagon Could Soon Share Americans’ Data With Foreign Militaries

A new cyber strategy could provide allies with Americans’ information gathered under proposed legislation.

Joint Chiefs of Staff Martin Dempsey and Secretary of Defense Ashton Carter speak to the media during a briefing at the Pentagon on April 16, 2015 in Arlington, Virginia. 
National Journal
Patrick Tucker, Defense One
Add to Briefcase
Patrick Tucker, Defense One
May 1, 2015, 9:13 a.m.

As Ashton Carter un­veiled the Pentagon’s new Cy­ber Strategy last week, he un­der­scored its im­port­ance by re­veal­ing that net­works had been in­filt­rated by act­ors with­in Rus­sia. The De­fense sec­ret­ary did not em­phas­ize a pro­vi­sion of the strategy that could send private data about U.S. cit­izens and com­pan­ies to for­eign mil­it­ar­ies.

Here’s what it says: “To im­prove shared situ­ation­al aware­ness DOD will part­ner with DHS [De­part­ment of Home­land Se­cur­ity] and oth­er agen­cies to de­vel­op con­tinu­ous, auto­mated, stand­ard­ized mech­an­isms for shar­ing in­form­a­tion with each of its crit­ic­al part­ners in the U.S. gov­ern­ment, key al­lied and part­ner mil­it­ar­ies, state and loc­al gov­ern­ments, and the private sec­tor. In ad­di­tion, DOD will work with oth­er U.S. gov­ern­ment agen­cies and Con­gress to sup­port le­gis­la­tion that en­ables in­form­a­tion shar­ing between the U.S. gov­ern­ment and the private sec­tor.”

The new strategy in­dir­ectly, but un­equi­voc­ally, ties in­to in­form­a­tion-shar­ing le­gis­la­tion that’s slowly mak­ing its way to the pres­id­ent’s desk. Among the vari­ous bills mov­ing around Cap­it­ol Hill, the most im­port­ant is the Cy­ber In­form­a­tion Shar­ing Act. Among oth­er things, CISA would pro­tect com­pan­ies from be­ing sued for send­ing data about their users to DHS, which would be per­mit­ted to send it in real time to DOD and oth­er U.S. agen­cies and out­fits. In turn, DOD’s new strategy claims the right to share cy­ber­threat data bey­ond the United States. Pre­sum­ably, that would in­clude in­form­a­tion ob­tained via CISA.

In par­tic­u­lar, the new strategy pledges DOD cy­ber as­sist­ance, in­clud­ing in­form­a­tion shar­ing, to al­lies in the Middle East: “As a part of its cy­ber dia­logue and part­ner­ships, DOD will work with key Middle East­ern al­lies and part­ners to im­prove their abil­ity to se­cure their mil­it­ary net­works as well as the crit­ic­al in­fra­struc­ture and key re­sources upon which U.S. in­terests de­pend. Key ini­ti­at­ives in­clude im­proved in­form­a­tion shar­ing to es­tab­lish a uni­fied un­der­stand­ing of the cy­ber threat, an as­sess­ment of our mu­tu­al cy­ber de­fense pos­ture, and col­lab­or­at­ive ap­proaches to build­ing cy­ber ex­pert­ise.”

For his part, the na­tion’s top cy­ber war­ri­or is openly plead­ing for new info-shar­ing laws. “We’ve got to get cy­ber-in­form­a­tion-shar­ing le­gis­la­tion passed,” Adm. Mi­chael Ro­gers, com­mand­er of U.S. Cy­ber Com­mand and dir­ect­or of the Na­tion­al Se­cur­ity Agency, said earli­er this month at an Armed Forces Com­mu­nic­a­tions and Elec­tron­ics As­so­ci­ation event. Ro­gers said his abil­ity to share in­form­a­tion with the FBI was key to fin­ger­ing North Korea as the per­pet­rat­or of the Sony hack.

But if CISA or one of its cous­ins be­comes law, what kind of in­form­a­tion might fly from com­pany serv­ers to DHS to DOD and then around the world? Mem­bers of the pri­vacy com­munity de­scribe the scope as in­cred­ibly broad.

Robyn Greene, who serves as policy coun­sel for the Open Tech­no­logy In­sti­tute at the New Amer­ica Found­a­tion, ar­gued that the bills would al­low com­pan­ies to col­lect and share a lot more in­form­a­tion about the people that they in­ter­act with on­line. Moreover, there would be few lim­its on how the U.S. gov­ern­ment could use that in­form­a­tion. It could, for ex­ample, be used to in­vest­ig­ate or pro­sec­ute crimes that have noth­ing to do with stop­ping hacks.

“This au­thor­iz­a­tion would not just ser­i­ously un­der­mine Amer­ic­ans’ Fourth Amend­ment rights, which would oth­er­wise re­quire the gov­ern­ment to ob­tain a war­rant based on prob­able cause to ac­cess much of that same in­form­a­tion, it would cre­ate an ex­pans­ive new means of gen­er­al-pur­pose gov­ern­ment sur­veil­lance. (Sec. 5(d)(5)(A)),” she wrote.

Mark Jay­cox, a le­gis­lat­ive ana­lyst at the Elec­tron­ic Fron­ti­er Found­a­tion, has made sim­il­ar ar­gu­ments. “Ex­ist­ing private rights of ac­tion for vi­ol­a­tions of the Wiretap Act, Stored Com­mu­nic­a­tions Act, and po­ten­tially the Com­puter Fraud and Ab­use Act would be pre­cluded or at least sharply re­stric­ted. “¦ It re­mains to be seen why such im­munity is needed when just a few months ago, the FTC and DOJ noted they would not pro­sec­ute com­pan­ies for shar­ing such in­form­a­tion.”

Wheth­er that shar­ing presents a vul­ner­ab­il­ity or a se­cur­ity solu­tion de­pends on the in­form­a­tion mov­ing back and forth. But there’s no doubt that shar­ing some in­form­a­tion spe­cific­ally rel­ev­ant to cy­ber­at­tacks can help shore up de­fenses. Fur­ther­more, li­ab­il­ity pro­tec­tions and le­gis­la­tion could fa­cil­it­ate more of that shar­ing. “Cy­ber-in­form­a­tion-shar­ing is crit­ic­al to thwart­ing at­tacks,” said Chris Smith, who dir­ects cy­ber strategy at the SAS In­sti­tute. “The reas­on … that people wer­en’t do­ing it was be­cause it wasn’t easy. “¦ There are pri­vacy is­sues, but it might be re­lated to in­tel­lec­tu­al prop­erty as well.

“With the con­stantly chan­ging vari­ants of cy­ber­at­tacks, or­gan­iz­a­tions can no longer simply rely on the known at­tack vec­tors or at­tack pro­files that ex­ist­ing solu­tions fo­cus on,” Smith said. He said an or­gan­iz­a­tion must look at data “at mul­tiple dif­fer­ent levels and in mul­tiple dif­fer­ent com­bin­a­tions” if it is to tell nor­mal from ab­nor­mal be­ha­vi­or. In this con­text, mul­tiple levels could be un­der­stood as across a vari­ety of part­ner­ships.

Is there a way to im­prove in­form­a­tion-shar­ing without throw­ing the data doors wide open? Greene said CISA could be helped by lim­it­ing shar­ing to only that data rel­ev­ant to cy­ber­threats, and not, for in­stance, in­vest­ig­a­tions in­to oth­er crim­in­al activ­ity. She also sug­ges­ted lim­it­ing the broad li­ab­il­ity pro­tec­tions by giv­ing con­sumers some way to seek re­course for dam­ages done by in­form­a­tion-shar­ing.

Oth­ers say that bet­ter shar­ing of cer­tain kinds of in­form­a­tion would help pre­dict cy­ber­threats without par­tic­u­larly im­per­il­ing pri­vacy or con­sti­tu­tion­al rights.

Matt Kodama of the cy­ber-in­tel­li­gence and pre­dict­ive-ana­lyt­ics group Re­cor­ded Fu­ture told De­fense One that one of the most simple and straight­for­ward in­dic­at­ors of po­ten­tial cy­ber­at­tacks is ob­serving strange be­ha­vi­or among ad­min­is­trat­ors. “After at­tack­ers break in­to a net­work, they need to avoid de­tec­tion, get to their real tar­get, and carry out the cy­ber crime. They might do this with lots of high-tech tricks, but there’s a much easi­er way. If the at­tack­er can gain ac­cess to a user ac­count with lots of ac­cess rights, like a com­puter ad­min­is­trat­or, they will be able to move right past all the alarms and de­fenses. “¦ However, the be­ha­vi­or of that user ac­count, once it’s been hi­jacked by a cy­ber at­tack­er, will be un­usu­al. The user ac­count is al­lowed to take those ac­tions, but on any reg­u­lar day the per­son us­ing that user ac­count doesn’t do all of those things. That’s the ‘user be­ha­vi­or’ that can tip off the de­fend­ers,” Kodama said.

Since com­pan­ies don’t usu­ally grant ad­min­is­trat­or priv­ileges to the people who use their ser­vices, shar­ing in­form­a­tion about ad­min be­ha­vi­or could be one way to im­prove situ­ation­al aware­ness without en­dan­ger­ing user pri­vacy.

An­oth­er warn­ing sign is the up­load­ing of large files, es­pe­cially ones that con­tain lots of mys­tery code that doesn’t seem to have any clear pur­pose. Soph­ist­ic­ated de­fenses will at­tempt to open such files in a sand­box, or walled-off por­tion of a ma­chine or net­work, so it can’t spread its in­fec­tion.

But more and more cut­ting-edge vir­uses can de­tect when they are be­ing sand­boxed, and goofy ad­min be­ha­vi­or can be a lag­ging in­dic­at­or of a ma­jor in­tru­sion, not a pre­dict­ive one. Those who ar­gue for shar­ing more in­form­a­tion say that CISA doesn’t go far enough to en­cour­age shar­ing the kind of data that will help the gov­ern­ment fight off ever more soph­ist­ic­ated on­line at­tacks.

A re­cent Con­gres­sion­al Re­search Ser­vice re­port by Eric Fisc­her found that the bills in ques­tion don’t of­fer much in­cent­ive for com­pan­ies to ac­tu­ally share user data. Li­ab­il­ity pro­tec­tions, in oth­er words, are not a car­rot but the ab­sence of a stick.

What We're Following See More »
Lieberman Withdraws from Consideration for FBI Job
13 hours ago
Trump Tells NATO Countries To Pay Up
16 hours ago
Russians Discussed Influencing Trump Through Aides
18 hours ago

"American spies collected information last summer revealing that senior Russian intelligence and political officials were discussing how to exert influence over Donald J. Trump through his advisers." The conversations centered around Paul Manafort, who was campaign chairman at the time, and Michael Flynn, former national security adviser and then a close campaign surrogate. Both men have been tied heavily with Russia and Flynn is currently at the center of the FBI investigation into possible collusion between the Trump campaign and Russia.

Ethics Cops Clear Mueller to Work on Trump Case
2 days ago

"Former FBI Director Robert Mueller has been cleared by U.S. Department of Justice ethics experts to oversee an investigation into possible collusion between then-candidate Donald Trump's 2016 election campaign and Russia." Some had speculated that the White House would use "an ethics rule limiting government attorneys from investigating people their former law firm represented" to trip up Mueller's appointment. Jared Kushner is a client of Mueller's firm, WilmerHale. "Although Mueller has now been cleared by the Justice Department, the White House may still use his former law firm's connection to Manafort and Kushner to undermine the findings of his investigation, according to two sources close to the White House."

Senate Intel to Subpoena Two of Flynn’s Businesses
2 days ago

Senate Intelligence Committee chairman Richard Burr (R-NC) and ranking member Mark Warner (D-VA) will subpoena two businesses owned by former National Security Advisor Michael Flynn. Burr said, "We would like to hear from General Flynn. We'd like to see his documents. We'd like him to tell his story because he publicly said he had a story to tell."


Welcome to National Journal!

You are currently accessing National Journal from IP access. Please login to access this feature. If you have any questions, please contact your Dedicated Advisor.