
US Government To Scan Private Firms’ Emails And Web Use

The US government is planning to scan private firms’ web use and email communications, as part of a bid to prevent cyber-attacks that was requested by President Obama.

The government is proposing to extend existing powers so that it can analyse the communications of organisations such as banks, utility providers and transport companies, to prevent online attacks on the country’s infrastructure, according to US security officials.

The move is in response to an executive order signed by President Obama in February that calls upon the owners and operators of critical US infrastructure to “improve cyber-security information sharing and collaboratively develop and implement risk-based standards”.

Mitigating attacks

The order also called on the Department of Homeland Security (DHS) to recommend ways to mitigate security attacks and, among other tasks, for the secretary of homeland security to direct the development of a cyber-security framework that includes a “set of standards, methodologies, procedures and processes that align policy, business and technological approaches to address cyber risks”.

The order called upon the DHS to establish the required procedures within six months.

In response, the agency is planning to expand an existing programme that currently scans the Internet communications of military contractors to include a wider array of private-sector organisations, according to US government security officials, who testified on the matter at a congressional hearing last week. Participation in the programme will be voluntary.

The organisations participating in the programme will submit data such as web traffic and email communications to the DHS, which will pass it to private-sector telecommunications and security providers that have employees holding security clearances.

These companies, which will be paid for their efforts, will analyse the data based on classified information provided by US intelligence agencies, including the National Security Agency (NSA), targeting particular espionage or hacking threats.

Companies that have so far signed up to carry out scanning operations include AT&T and Raytheon.

Data anonymisation

The companies carrying out the scans will only provide the government with anonymised data such as aggregate statistics, according to a senior DHS official cited by Reuters, who declined to be identified.

“That allows us to provide more sensitive information,” the official told Reuters. “We will provide the information to the security service providers that they need to perform this function.”

The NSA said it is looking for a way to better protect the US’ private sector-based critical infrastructure, such as banks, utilities, motorways and rail networks, without infringing upon citizens’ civil liberties. The organisation said it could use data such as what malicious software turns up in the scans, and the IP addresses linked to it.

“There is a way to do this that ensures civil liberties and privacy and does ensure the protection of the country,” said NSA director general Keith Alexander at a congressional hearing last week.

The data to be analysed could include web addresses, strings of characters and email sender names. A Raytheon executive told Reuters that the signatures provided by the DHS do not require deep packet inspection (DPI), a controversial technique that includes the scanning of email contents. A government official also told Reuters there are currently no plans to include DPI in the scanning programme.

Security providers are currently working on secure hardware that could carry out automated scans using the classified government signatures, which would allow companies without security-cleared employees to execute the scans, according to Reuters.

Security framework

Last month’s executive order called on the DHS to recommend ways to mitigate security attacks and, among other tasks, for the secretary of homeland security to direct the development of a cyber-security framework that includes a “set of standards, methodologies, procedures and processes that align policy, business and technological approaches to address cyber risks”. To the fullest extent possible, the framework is to “incorporate voluntary consensus standards and industry best practices,” said the order.

“We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy,” said President Obama during his State of the Union address on 12 February.

The leaders of US intelligence efforts and of the nation’s quickly growing Cyber Command recently warned that cyber operations by nation-states and rogue actors have become a major concern for the country, eclipsing the threat of terrorism and weapons of mass destruction.

Cyber-threats

In his delivery of the worldwide threat assessment to the US Senate Select Committee on Intelligence on 12 March, Director of National Intelligence James Clapper led his list of global threats with the current cyber operations against the nation’s interests, indicating that cyber-attacks and espionage are having more impact today than terrorism or the threat of weapons of mass destruction.

Recent attacks on US banks, the destructive virus that deleted data from 30,000 workstations at Saudi Aramco, and the wholesale theft of sensitive data by various nations – chief among them China – had weakened the United States’ technological advantage, Clapper said in his prepared remarks.

“We assess that highly networked business practices and information technology are providing opportunities for foreign intelligence and security services, trusted insiders, hackers, and others to target and collect sensitive US national security and economic data,” Clapper said.

In a separate hearing, Gen. Keith Alexander, commander of the US Cyber Command, said the organisation is quickly ramping up its operations, and plans to hire up to 5,000 cyber-savvy soldiers to staff its operations.


Originally published on eWeek.

Matthew Broersma

Matt Broersma is a long-standing tech freelance who has worked for Ziff-Davis, ZDNet and other leading publications.
