Former government officials and experts stressed the need for protecting the privacy and civil liberties of U.S. citizens despite the growing need of the federal government to help thwart attacks against the networks of privately owned critical infrastructure.
The federal government can play a role in protecting private networks from cyberattacks, but in a way that doesn't trample on civil liberties, say two of three expert panelists at the 2010 RSA Conference. The panelists discussed whether the government should require the top Internet service providers to conduct deep packet inspection, a controversial process because it would require ISPs to scan network traffic of its customers to detect malware.
"We can tell ISPs by regulation that you have to do deep packet inspection," said Richard Clarke, a former White House security advisor. "A lot of the problems would be solved if the Tier-1 ISPs were required to do deep packet inspection."
Meanwhile, Michael Chertoff, former U.S. Secretary of Homeland Security said he would also support deep packet inspection of private networks, but only if it is done appropriately with safeguards in place to wall off government screening of emails or VoIP communications. Chertoff said he doesn't see a way policy can be created to avoid liability issues.
"We don't want the government sitting and operating opening and closing doors," Chertoff said. "The key is to build system that ... preserves a certain gate between [the government] and also provides a certain amount of accountability."
Urging the most caution about government involvement in protecting private networks was Marc Rotenberg, executive director of the Electronic Privacy Information Center (EPIC), who said telecommunications companies have had the right for years to listen in on phone calls to assure quality, but crossing the line into monitoring data streams could pose new problems.
"There's a sharp boundary between service delivery and content filtering," he said. "Deep packet inspection opens the door to a lot of commercial opportunities."
The NSA has used deep packet inspection technology to bolster its Internet surveillance and analysis. All three of the panelists said the security agency should have no role in monitoring U.S.-based networks, despite its role in heading the newly formed U.S. Cyber Command.
"The Cyber Command is NSA and unfortunately it's the only capable organization to deal with cybersecurity," Clarke said. "[NSA] is the right organization to defend the military and wrong one to defend the private sector."
Homeland Security Secretary says privacy is important
In a keynote address shortly after the privacy panel, Homeland Security Secretary Janet Napolitano also trumpeted the need for privacy as the government works diligently to protect its networks from attack and ensure security improvements at critical infrastructure facilities. The agency established an oversight and compliance officer to work with the U.S. computer emergency readiness team (US-CERT) personnel on the protection of privacy and other civil liberties. While the agency acts to ensure the security of the country's aviation systems and the protection of its ports from terrorism attacks, protection of critical systems is also part of its core principles, she said.
"We are working with our private sector partners in the financial services arena about what needs to be done and can be done to strengthen security there," she said.
The agency has completed its deployment of Einstein 2 for its managed protocol service providers and will be implementing Einstein 3, a fully automated intrusion prevention system that can detect and disable malware, she said.