The foreign hackers behind the massive cybersecurity failures dominating recent headlines had one critical strategy in common – they leased computers in the United States to burrow into their victims’ networks. Because U.S. cybersecurity systems don’t regard domestic connections as inherently suspect, the attackers were able to hide in plain sight. Like secretive investors deploying a series of shell companies and trusts to mask true ownership, Russia, China and other sophisticated nations carry out their cyber-maliciousness through a series of intermediary, innocuous-looking internet servers.
Using a server in the United States is not just an attempt to look routine. As made clear in last week’s hearings before Congress’s intelligence oversight committees, it’s a calculated strategy that takes full advantage of a gap in the U.S. cyber surveillance system. No government agency – not even our powerful spy agencies – currently has a sufficiently agile legal authority to catch foreign cyber malefactors in the act of co-opting U.S. computer networks. The National Security Agency is allowed to surveil only foreign actors; pursuing them on the home front is the job of the FBI. But by the time the NSA notices suspicious foreign activity and hands the case off to the FBI, it’s often too late. The foreign malware might well have been injected into American networks already, and the FBI investigation simply confirms that now-dormant internet servers in the U.S. were used by foreigners to stage their attacks.
For important legal and organizational reasons, we’ve had a longstanding and sharp delineation of governmental responsibilities for keeping tabs on foreign versus domestic cyber activity. That arrangement, however, isn’t effective when it comes to tracking wrongdoing unconstrained by national boundaries. Designed to protect the civil liberties guaranteed to Americans by the U.S. Constitution, the system is now deliberately exploited by sophisticated foreign cyber adversaries.
The problem is well known. The difficulty lies in resolving deeply felt concerns over any increase in government surveillance authority, no matter how important the purpose. We are also paralyzed by a sense of fatalism that cyber vulnerabilities are simply the price we pay for being online, and an erroneous belief that the Constitution stands in the way of any solution.
Most cybersecurity experts agree that an effective public-private cyber information-sharing system is essential to stopping foreign cyber maliciousness before it causes too much damage. But information sharing isn’t enough; it would be hamstrung from the start if the government cannot seamlessly and quickly track malicious cyber activity from its foreign source to its intended domestic victims. If some government agency had that legal power, then it could, for example, quickly check out a domestic IP address after an alert from the NSA that the address was communicating with a suspicious overseas server. If that IP address showed questionable activity, the government and the private sector jointly could take steps to reconfigure firewalls or otherwise curtail the hack. Admittedly, this wouldn’t prevent hacks and attacks based on previously unknown software bugs (so-called “zero-day exploits”). But the reality is that most large-scale hacks by foreign countries rely on already-known software imperfections and hardware deficiencies.
The issue is that almost any kind of domestic cyber inspection, even in hot pursuit of a foreign adversary, would be considered a “search” within the Constitution’s Fourth Amendment, which requires searches and seizures by the government to be not “unreasonable” and in many (but by no means all) cases to be based on a search warrant issued by a judge. The notion that searches could possibly be electronic was of course not in the Framers’ minds when adopting the amendment in 1792, but the “reasonableness” standard has allowed courts over the years to apply it to new techniques and technologies, including cyber surveillance.
To track foreign cyber malevolence in a new domestic legal framework, we would need a cyber monitoring capability that was so limited and safeguarded that it didn’t trigger the Constitution’s warrant requirement. The judicial cases tell us this should be possible. After all, for over half a century, courts have approved a range of “not unreasonable” warrantless electronic surveillance under the Fourth Amendment, taking into account various subjective factors, including the exigency of the surveillance, whether the information had already been revealed to third parties, the level of personal sensitivity of the data, whether the surveillance is broad or tailored, how likely it is that information about non-targets will be scooped up in the surveillance, and whether there are effective oversight mechanisms.
Like a property owner who has put up a fence a few feet inside his property line just to be safe, Congress has established more restrictive structures and rules in our current system than what the Constitution would require for reasonable, warrantless monitoring. The task is to see whether a legislative solution can be crafted in that intervening space. The goal is to not change the property line; there should be no weakening of the Fourth Amendment’s limits.
Here’s what an effective new legal authority, fully consistent with the Constitution, might look like:
• Any domestic inspection or monitoring would be expressly limited by the type of both target and information collected. It would be restricted to specifically identified IP addresses or other communications equipment located in the United States that was linked (by the U.S. intelligence community or the FBI) to a foreign person or country suspected of specific cyber wrongdoing. No other targets could be examined; there would be no bulk or indiscriminate collection of data. The activity might be limited to simply a traffic analysis – seeing which U.S. or foreign IP addresses were communicating with the target – or examining its logbook to look at historic connections. The government would not be allowed to look at emails or otherwise collect the substance of communications, except in the rare case (perhaps with additional approvals) when it was actually necessary for cybersecurity purposes.
• Internal governmental approvals would be needed, with a senior official certifying the underlying facts as to why the domestic inspection was required. The requirement would depend on the circumstances, but would need to be explicit. For example, there could be evidence that a server known to be controlled by a foreign nation was communicating with a U.S. IP address, or that certain malware or techniques that the intelligence community knew were unique to foreign cyber malefactors were being tracked to U.S. internet servers.
• Housing the legal authority in the FBI, rather than the NSA, might make sense. The countries with values closest to ours, such as the United Kingdom, Australia, Canada and New Zealand, have all placed their domestic cyber monitoring authorities within their foreign signals intelligence agencies (or in new affiliates). Locating this new legal authority in the NSA would follow that pattern, but the political reality is that this would be problematic. The FBI, which sits within the Department of Justice and already investigates malicious foreign cyber activity, seems like a logical and acceptable alternative. Whichever agency is chosen, a governmental partnership is critical, with the NSA supplying technical expertise and foreign intelligence insights, the FBI bringing its longtime relationships with internet service providers and other communications infrastructure owners, and the Department of Homeland Security assisting with coordination and communications with the private sector, which should be equally engaged in the process.
• The domestic monitoring would be limited in time. After an initial period of 72 hours, the monitoring should end, unless further corroborating information or a demonstrated need to do deeper analysis warranted a limited extension.
• The resulting data could be used by the government only for cybersecurity purposes. Those purposes would, however, include thorough investigation into exactly what the foreign cyber malefactor did and with whom it was in contact. The data would have to be deleted after some period and couldn’t be searched for general foreign intelligence or law enforcement purposes, or shared with other government agencies (presumably with some limited exceptions such as discovery of actual evidence of a federal crime).
• Oversight should be required and modeled on the largely successful compliance scheme for the Foreign Intelligence Surveillance Act. For example, the Attorney General or the Foreign Intelligence Surveillance Court could receive periodic reports of the legal authority’s use and audit the activity, and the Privacy and Civil Liberties Oversight Board could independently verify compliance. The Department of Homeland Security could consult with the private sector and issue annual assessments of whether the authority was indeed effective in curtailing cyber hacks and attacks.
• The private sector would be required to cooperate, and not simply shut down suspect accounts. Any meaningful understanding of compromised domestic networks will likely require the assistance of the owners of the affected servers or of cloud service providers, so they should be required under this new legal authority to cooperate with the government, much as telephone companies are obligated under current law to assist the FBI with lawful wiretaps.
This proposal is by no means the only solution; it’s merely one way to balance the need for more cyber visibility against the preservation of our constitutional freedoms. After all, the Constitution is designed to protect our liberties, not to hand authoritarian regimes, which have no use for such liberties, a means to exploit our vital online systems with virtual impunity.