WASHINGTON — The National Security Agency has pushed repeatedly over the past year to expand its role in protecting private-sector computer networks from cyberattacks but has been rebuffed by the White House, largely because of privacy concerns, according to administration officials and internal documents.
The most contentious issue was a legislative proposal last year that would have required hundreds of companies that provide critical services such as electricity generation to allow their Internet traffic be continuously scanned using computer threat data provided by the spy agency. The companies would have been expected to turn over evidence of potential cyberattacks to the government.
NSA officials portrayed these measures as unobtrusive ways to protect the nation’s vital infrastructure from what they say are increasingly dire threats of devastating cyberattacks.
But the White House and Justice Department argued that the proposal would permit unprecedented government monitoring of routine civilian Internet activity, according to documents and officials familiar with the debate. They spoke on the condition of anonymity to describe administration deliberations; internal documents reviewed by The Washington Post backed these descriptions.
White House officials cautioned the NSA that President Obama has opposed cybersecurity measures that weakened personal privacy protections. They also warned the head of the spy agency, Gen. Keith Alexander, to restrain his public comments after speeches in which he argued that more expansive legal authority was necessary to defend the nation against cyberattacks, according to several officials.
“We have had to remind him to at least be cognizant of what the administration’s policy positions are, so if he’s openly advocating for something beyond that, that is undermining the commander-in-chief,” said an administration official.
The debate, which is surfacing as Congress considers landmark cyber legislation, turns on what means are necessary and appropriate to protect vital private-sector systems from attack by China, Russia or other potential adversaries. Even some criminal gangs and hackers, such as the self-styled activist group Anonymous, increasingly may acquire the tools to mount major assaults on the nation’s computer systems, say U.S. officials.
NSA officials acknowledged that they have warned about such threats but say they have not sought to establish policy.
“As a major source of the nation’s technical expertise on cyber and cybersecurity, we have a responsibility to ensure our leaders are informed and aware of what is happening in the cyber realm,” agency spokeswoman Judith Emmel said. “We also work diligently to team with other agencies, industry and academia to find solutions to protecting our nation’s critical infrastructure.”
The proposal was intended to supplement an administration legislative package, unveiled last May, which NSA officials felt did not go far enough in protecting critical industries such as nuclear power, according to administration officials. The proposal was put forth by the Defense Department, which includes the NSA, and the Department of Homeland Security.
The proposal drew on a Pentagon pilot program launched last year in which Internet service providers used NSA’s library of threat data to scan e-mails and other computer traffic flowing to and from the nation’s top defense contractors . That program was a response to fears that foreign spy services were using cybertechnology to steal corporate or U.S. military secrets.
A Pentagon-commissioned report in November validated the concept but said the effectiveness of such an approach remained uncertain.
The agency, however, saw that program as a model for expanding its role in protecting other potential significant targets of cyberattack. The proposed legislation would have made participation in an expanded program mandatory for designated industries that didn’t reach certain security benchmarks on their own after one year, officials said.
The reason, NSA officials said in internal administration discussions, is that the private companies have not shown they are capable of defeating the rapidly evolving universe of cyberthreats. By the time a major attack on a water system or nuclear plant is discovered, it may be too late to thwart it.
“In order to stop it, you have to see it in real time, and you have to have those authorities,” Alexander, who is also head of the U.S. military’s Cyber Command, said in remarks at Fordham University in New York last month. “Those are the conditions that we have put on the table. Now how and what the administration and Congress choose, that will be a policy issue.”
His remarks prompted calls from congressional staff to the Pentagon and White House seeking to know whether the administration was seeking new powers for NSA, said several government officials with knowledge of the exchanges.
The NSA proposal, called Tranche 2, sparked fierce debate within the administration. It would have required an estimated 300 to 500 firms with a role in critical infrastructure systems to allow their Internet carrier or some other private company to scan their computer networks for malicious software using government threat data. The Department of Homeland Security, which helped develop the plan, would have designated which companies had to participate.
NSA officials say this process would have been automated, preventing intrusion into the personal privacy of ordinary users visiting Web sites or exchanging electronic messages with friends. Only when the scanning identified a potential threat would analysts be involved, to assess what the software identified and use it to craft better tools to stop such threats, the agency said in the internal administration debates. Identifying information on specific Internet users would have been blocked.
Agency officials took exception to suggestions that such a system amounted to “monitoring” of private-sector Internet traffic — something that Obama has specifically and publicly opposed.
In an interview with The Post, NSA Deputy Director John C. Inglis said, “At no time was there, from the NSA perspective, a proposal that the government enter into an arrangement where it would monitor private sector networks.”
But the White House and other agencies, including the departments of Justice and Commerce, said the proposal left open the possibility that the large Internet carriers themselves could be designated critical entities. This, they said, could have allowed scanning of virtually all Internet traffic for cyberthreats on behalf of the government, opening a newly extensive window into American behavior online.
Officials also worried the effectiveness of the approach and the costs to participating industries.
Senior officials at numerous government agencies reviewed the NSA proposal. At a White House meeting last August, Tranche 2 was killed, said officials with knowledge of the debate.
“At the end of the day it was shut down because it looked way too much like a government monitoring program,” said a second administration official.
More recently, in January, NSA officials expressed concern when the White House blocked draft legislation being prepared by a Senate Intelligence Committee staffer enabling any government agency to monitor private computer networks for cyberthreats and to take measures to counter those threats, according to administration officials and documents. These include draft version of legislation and internal communications discussing them.
A revised version of the bill, which is part of the cyber legislation introduced in Congress this month, allowed only private-sector entities to monitor networks and to operate the countermeasures.
The issue, said James A. Lewis, a cyber-policy expert at the Center for Strategic and International Studies, is one of trust. He said that he trusts NSA to handle the data responsibly, but “the oversight we have in place isn’t enough to reassure everyone the data are not being used for other purposes.”