Jonathan Meyer breaks down the NSA’s domestic cyber security surveillance authorities and capabilities:
The primary documents associated with today’s report confirm the following additional facts.
- The NSA can use FAA upstream Internet surveillance for cybersecurity purposes, so long as there is a nexus with one of the three prior certifications. The most common scenario is where the NSA can attribute a cybersecurity threat to another nation, enabling it to rely on the foreign government certification.
- Internet protocol (IP) addresses and ranges are eligible as FAA upstream surveillance selectors. The Department of Justice approved this practice in July 2012.
- Cybersecurity threat signatures are also eligible as FAA upstream surveillance selectors. This adds a de facto fourth category of FAA interceptions, since a threat signature cannot reasonably be categorized as “to,” “from,” or “about” a particular address. DOJ appears to have approved the practice in May 2012.
- The NSA has acted upon the above legal interpretations. The primary documents make reference to particular FAA cybersecurity operations. Those operations relied on the foreign government certification, and they used IP addresses as selectors.
- Since 2012, if not earlier, the NSA has prioritized obtaining an FAA “cyber threat” certification. From the agency’s perspective, a cyber certification has two desirable properties. First, it would eliminate the nexus requirement. The NSA would be able to intercept traffic associated with a cybersecurity threat, regardless of whether the threat originates with a foreign government. Second, a cyber certification would codify procedures for IP address and signature targeting. The present status of the cyber certification is not apparent; it may have been approved, have been bundled into another certification, still be in progress, or have been set aside. It is also not apparent how FAA’s foreignness requirement would be implemented under the certification.
- When data is exfiltrated in the course of an attack, it often includes sensitive information about Americans. The NSA believes that this exfiltrated data should be considered “incidental” collection, rendering it eligible for backdoor searches. Put differently: when a data breach occurs on American soil, and the NSA intercepts stolen data about Americans, it believes it can use that data for intelligence purposes.
- The NSA collaborates with the Department of Homeland Security and the Federal Bureau of Investigation on cybersecurity matters. It receives and shares cybersecurity threat signatures with both agencies. When the NSA wishes to disclose a threat signature to the private sector, it usually routes that information through DHS or the FBI. The NSA is not attributed as the source of the threat signature.
- The FBI does not have its own national security surveillance equipment installed on the domestic Internet backbone. It can borrow the NSA’s equipment, though, by having the NSA execute surveillance on its behalf.
In my view, the key takeaway is this: for over a decade, there has been a public policy debate about what role the NSA should play in domestic cybersecurity. The debate has largely presupposed that the NSA’s domestic authority is narrowly circumscribed, and that DHS and DOJ play a far greater role. Today, we learn that assumption is incorrect. The NSA already asserts broad domestic cybersecurity powers. Recognizing the scope of the NSA’s authority is particularly critical for pending legislation.
If you are following the continually evolving NSA story, then this is a must-read.