The Pentagon Could Soon Share Americans’ Data With Foreign Militaries

A new cyber strategy could provide allies with Americans’ information gathered under proposed legislation.

Joint Chiefs of Staff Martin Dempsey and Secretary of Defense Ashton Carter speak to the media during a briefing at the Pentagon on April 16, 2015 in Arlington, Virginia. 
National Journal
Patrick Tucker, Defense One
May 1, 2015, 9:13 a.m.

As Ashton Carter unveiled the Pentagon’s new Cyber Strategy last week, he underscored its importance by revealing that networks had been infiltrated by actors within Russia. The Defense secretary did not emphasize a provision of the strategy that could send private data about U.S. citizens and companies to foreign militaries.

Here’s what it says: “To improve shared situational awareness DOD will partner with DHS [Department of Homeland Security] and other agencies to develop continuous, automated, standardized mechanisms for sharing information with each of its critical partners in the U.S. government, key allied and partner militaries, state and local governments, and the private sector. In addition, DOD will work with other U.S. government agencies and Congress to support legislation that enables information sharing between the U.S. government and the private sector.”

The new strategy indirectly, but unequivocally, ties into information-sharing legislation that’s slowly making its way to the president’s desk. Among the various bills moving around Capitol Hill, the most important is the Cyber Information Sharing Act. Among other things, CISA would protect companies from being sued for sending data about their users to DHS, which would be permitted to send it in real time to DOD and other U.S. agencies and outfits. In turn, DOD’s new strategy claims the right to share cyberthreat data beyond the United States. Presumably, that would include information obtained via CISA.

In particular, the new strategy pledges DOD cyber assistance, including information sharing, to allies in the Middle East: “As a part of its cyber dialogue and partnerships, DOD will work with key Middle Eastern allies and partners to improve their ability to secure their military networks as well as the critical infrastructure and key resources upon which U.S. interests depend. Key initiatives include improved information sharing to establish a unified understanding of the cyber threat, an assessment of our mutual cyber defense posture, and collaborative approaches to building cyber expertise.”

For his part, the nation’s top cyber warrior is openly pleading for new info-sharing laws. “We’ve got to get cyber-information-sharing legislation passed,” Adm. Michael Rogers, commander of U.S. Cyber Command and director of the National Security Agency, said earlier this month at an Armed Forces Communications and Electronics Association event. Rogers said his ability to share information with the FBI was key to fingering North Korea as the perpetrator of the Sony hack.

But if CISA or one of its cousins becomes law, what kind of information might fly from company servers to DHS to DOD and then around the world? Members of the privacy community describe the scope as incredibly broad.

Robyn Greene, who serves as policy counsel for the Open Technology Institute at the New America Foundation, argued that the bills would allow companies to collect and share a lot more information about the people that they interact with online. Moreover, there would be few limits on how the U.S. government could use that information. It could, for example, be used to investigate or prosecute crimes that have nothing to do with stopping hacks.

“This authorization would not just seriously undermine Americans’ Fourth Amendment rights, which would otherwise require the government to obtain a warrant based on probable cause to access much of that same information, it would create an expansive new means of general-purpose government surveillance. (Sec. 5(d)(5)(A)),” she wrote.

Mark Jaycox, a legislative analyst at the Electronic Frontier Foundation, has made similar arguments. “Existing private rights of action for violations of the Wiretap Act, Stored Communications Act, and potentially the Computer Fraud and Abuse Act would be precluded or at least sharply restricted. … It remains to be seen why such immunity is needed when just a few months ago, the FTC and DOJ noted they would not prosecute companies for sharing such information.”

Whether that sharing presents a vulnerability or a security solution depends on the information moving back and forth. But there’s no doubt that sharing some information specifically relevant to cyberattacks can help shore up defenses. Furthermore, liability protections and legislation could facilitate more of that sharing. “Cyber-information-sharing is critical to thwarting attacks,” said Chris Smith, who directs cyber strategy at the SAS Institute. “The reason … that people weren’t doing it was because it wasn’t easy. … There are privacy issues, but it might be related to intellectual property as well.

“With the constantly changing variants of cyberattacks, organizations can no longer simply rely on the known attack vectors or attack profiles that existing solutions focus on,” Smith said. He said an organization must look at data “at multiple different levels and in multiple different combinations” if it is to tell normal from abnormal behavior. In this context, multiple levels could be understood as across a variety of partnerships.

Is there a way to improve information-sharing without throwing the data doors wide open? Greene said CISA could be helped by limiting sharing to only that data relevant to cyberthreats, and not, for instance, investigations into other criminal activity. She also suggested limiting the broad liability protections by giving consumers some way to seek recourse for damages done by information-sharing.

Others say that better sharing of certain kinds of information would help predict cyberthreats without particularly imperiling privacy or constitutional rights.

Matt Kodama of the cyber-intelligence and predictive-analytics group Recorded Future told Defense One that one of the simplest and most straightforward indicators of potential cyberattacks is observing strange behavior among administrators. “After attackers break into a network, they need to avoid detection, get to their real target, and carry out the cyber crime. They might do this with lots of high-tech tricks, but there’s a much easier way. If the attacker can gain access to a user account with lots of access rights, like a computer administrator, they will be able to move right past all the alarms and defenses. … However, the behavior of that user account, once it’s been hijacked by a cyber attacker, will be unusual. The user account is allowed to take those actions, but on any regular day the person using that user account doesn’t do all of those things. That’s the ‘user behavior’ that can tip off the defenders,” Kodama said.

Since companies don’t usually grant administrator privileges to the people who use their services, sharing information about admin behavior could be one way to improve situational awareness without endangering user privacy.
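The ‘user behavior’ tip-off Kodama describes, turned into a small baseline-versus-today check, as an added example that is not code from the article or from Recorded Future; the audit records, the account name and the action names are all constructed for the illustration:

```python
from collections import defaultdict

# Constructed audit records for this illustration (not from the article): one
# privileged account, "ops-admin", over a quiet baseline week. Action names are made up.
BASELINE = [
    ("2015-04-20", "ops-admin", "login"), ("2015-04-20", "ops-admin", "patch-host"),
    ("2015-04-21", "ops-admin", "login"), ("2015-04-21", "ops-admin", "restart-service"),
    ("2015-04-22", "ops-admin", "login"), ("2015-04-22", "ops-admin", "patch-host"),
    ("2015-04-23", "ops-admin", "login"), ("2015-04-23", "ops-admin", "rotate-backup"),
    ("2015-04-24", "ops-admin", "login"), ("2015-04-24", "ops-admin", "patch-host"),
]
# A routine day, and a day on which the same account does things it never does.
NORMAL_DAY = [("2015-04-27", "ops-admin", "login"), ("2015-04-27", "ops-admin", "restart-service")]
SUSPECT_DAY = [
    ("2015-04-28", "ops-admin", "login"), ("2015-04-28", "ops-admin", "export-database"),
    ("2015-04-28", "ops-admin", "create-user"), ("2015-04-28", "ops-admin", "archive-mailbox"),
    ("2015-04-28", "ops-admin", "patch-host"),
]

def build_baseline(records):
    """Per account: the set of actions seen in the baseline window and the
    average number of actions on the days the account was active."""
    actions, per_day = defaultdict(set), defaultdict(lambda: defaultdict(int))
    for day, account, action in records:
        actions[account].add(action)
        per_day[account][day] += 1
    return {acct: (acts, sum(per_day[acct].values()) / len(per_day[acct]))
            for acct, acts in actions.items()}

def score_day(profile, records, novelty_threshold=0.4, volume_factor=2.0):
    """Alert on accounts whose day departs from their own baseline: a large share
    of never-before-seen actions, or far more actions than usual. The account is
    allowed to do all of these things; what is unusual is that it did them today."""
    seen = defaultdict(list)
    for _, account, action in records:
        seen[account].append(action)
    alerts = {}
    for account, acts in seen.items():
        known, avg = profile.get(account, (set(), 0.0))
        distinct = set(acts)
        novel = sorted(distinct - known)          # actions this account has never taken
        novelty = len(novel) / len(distinct)
        too_many = avg > 0 and len(acts) >= volume_factor * avg
        if novelty >= novelty_threshold or too_many:
            alerts[account] = {"novel_actions": novel, "novelty": round(novelty, 2),
                               "count": len(acts), "baseline_avg": avg}
    return alerts
```

Running `score_day(build_baseline(BASELINE), SUSPECT_DAY)` flags ops-admin for three never-seen actions and more than twice its usual daily volume, while the routine day produces no alert; note that the alert carries only the admin account’s own actions, not any customer data.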

Another warning sign is the uploading of large files, especially ones that contain lots of mystery code that doesn’t seem to have any clear purpose. Sophisticated defenses will attempt to open such files in a sandbox, or walled-off portion of a machine or network, so that a malicious file can’t spread its infection.

But more and more cutting-edge viruses can detect when they are being sandboxed, and goofy admin behavior can be a lagging indicator of a major intrusion, not a predictive one. Those who argue for sharing more information say that CISA doesn’t go far enough to encourage sharing the kind of data that will help the government fight off ever more sophisticated online attacks.

A recent Congressional Research Service report by Eric Fischer found that the bills in question don’t offer much incentive for companies to actually share user data. Liability protections, in other words, are not a carrot but the absence of a stick.
