Americans have always loved to watch a good odd-couple law enforcement pairing, from Jackie Chan and Chris Tucker to Tom Hanks and a French mastiff. Earlier this week, we got the real-life equivalent when the Department of Homeland Security (DHS) and the National Security Agency (NSA) released a memorandum of agreement detailing their plans to work closely together in defending the United States from cyber-attackers. DHS will send teams over to NSA to plan and synchronize cyber-defense, learn about acquisition and detection technologies, and coordinate on civil liberties protections. NSA, meanwhile, will send a team of cryptologists and operational professionals to the DHS network operations center to support DHS operations.
The agencies involved here are taking a page from the classic rookie-cop/veteran-cop playbook. DHS is a young agency with a broad set of responsibilities but limited experience in cybersecurity, looking to learn its new beat on the job. NSA, by contrast, is a grizzled veteran of the network security scene, with extensive experience in breaking codes and tapping into network traffic, as well as responsibility for protecting systems handling classified data. Letting NSA experts work alongside DHS cybersecurity teams is a smart way to bring those teams up to speed quickly. If of limited duration, it may also represent the best solution to the conundrum of how to utilize the NSA's defensive expertise domestically without the negatives associated with secretive intelligence agencies in general and NSA in particular. Indeed, CDT has long advocated building up a civilian cybersecurity capability, precisely to reduce the need to rely on NSA. DHS should be working toward building the necessary expertise so that the current arrangement can expire by a date certain and be replaced by an information sharing regime that is on-going but carefully defined.
By letting NSA show DHS the ropes, the government is taking the risk that NSA will import too much of that intelligence culture along with its security expertise. NSA is, after all, charged with breaking into systems as well as defending them. When it operates overseas, it bends or breaks local rules. Moreover, it is committed to keeping its activities secret. This culture of secrecy and avoidance of public oversight is appropriate for foreign intelligence work, but is incompatible with the civil liberties oversight and regular information sharing necessary for the success of a domestic cybersecurity program. Both American corporations and the American public are right to distrust NSA intrusion into the networks where we exchange personal messages.
Meanwhile, DHS is an agency with the right set of attitudes, but one that has yet to be tested in a surveillance context. Homeland Security has an excellent privacy office and good relationships with much of the private sector, but has not yet built up core competencies in cybersecurity. DHS has taken over cybersecurity for domestic federal agencies, but is still engaged in collecting all federal partners, hiring personnel, and updating its capabilities. Within private sector networks, its role is not yet clear. Moreover, it is only doing limited information sharing on a voluntary basis. As DHS grows, and begins to handle larger amounts of data on a regular basis, it cannot lose sight of the importance of protecting personal privacy and the difference between collecting data for domestic cybersecurity and for foreign intelligence.
This kind of a pairing often works in the movies -- the experienced partner brings knowledge and skill, while the new partner brings idealism and a fresh reminder that rules matter. The danger, however, is that this becomes an altogether different kind of movie, one in which the streetwise partner tries to convince the rookie that the ends justify the means and that rules for policing the cybersecurity beat are made to be broken. We need to keep an eye on this particular law enforcement pairing to made sure that it remains the kind of rookie/veteran couple we want: more like Se7en, less like Training Day.