U.S. considers monitoring of all Internet traffic

January 20, 2008

In a long profile published by The New Yorker this week, Director of National Intelligence Mike McConnell discusses a plan in the works to dramatically expand online surveillance. As The Wall Street Journal sums it up, "in order to accomplish his plan, the government must have the ability to read all the information crossing the Internet in the United States in order to protect it from abuse."1 (emphasis ours)

How broad are the powers needed to keep US servers safe? According to the article, in order for cyberspace to be policed, Internet activity will have to be closely monitored. Ed Giorgio, who is working with McConnell on the plan, said that would mean giving the government the authority to examine the content of any e-mail, file transfer, or Web search. "Google has records that could help in a cyber-investigation," he said.1

While nobody outside the intelligence community knows the exact volume of international telephone and Internet traffic that crosses U.S. borders, experts agree that it bounces off a handful of key telephone switches and perhaps a dozen IXPs in coastal cities near undersea fiber-optic cable landings, particularly Miami, Los Angeles, New York and the San Francisco Bay Area.2

A significant portion of international phone and Internet traffic worldwide flows through the United States largely because of pricing models established more than 100 years ago in the International Telecommunication Union to handle international phone calls. Under those ITU tariffs, smaller and developing countries charge higher fees to accept calls than the U.S.-based carriers do, which can make it cheaper to route phone calls through the United States than directly to a neighboring country.2

The CyberSecurity initiative pushed by McConnell is in large part aimed at blocking possible attempts to attack the US' information infrastructure.1

This comes at the heels of a recent admission by the CIA that cyberattacks have caused at least one power outage affecting multiple cities outside the United States. The disclosure was made at a New Orleans security conference on January 18 attended by international government officials, engineers, and security managers from North American energy companies and utilities. Alan Paller, director of research at the SANS Institute, said that CIA senior analyst Tom Donahue presented him with a written statement that read, "We have information, from multiple regions outside the United States, of cyber intrusions into utilities, followed by extortion demands. We suspect, but cannot confirm, that some of these attackers had the benefit of inside knowledge. We have information that cyberattacks have been used to disrupt power equipment in several regions outside the United States. In at least one case, the disruption caused a power outage affecting multiple cities. We do not know who executed these attacks or why, but all involved intrusions through the Internet."3

It is estimated that 85% of the U.S. critical infrastructure is controlled by the private sector.3

As Congress debates new rules for government eavesdropping, a top intelligence official says it is time that people in the United States changed their definition of privacy. Donald Kerr, the principal deputy director of national intelligence, argues that privacy no longer can mean anonymity. Instead, it should mean that government and businesses properly safeguard people's private communications and financial information.4

Millions of people in the U.S. - particularly young people - already have surrendered anonymity to social networking sites such as MySpace and Facebook, and to Internet commerce. These sites reveal to the public, government and corporations what was once closely guarded information. "Those two generations younger than we are have a very different idea of what is essential privacy, what they would wish to protect about their lives and affairs. And so, it's not for us to inflict one size fits all," said Kerr, 68. "Protecting anonymity isn't a fight that can be won. Anyone that's typed in their name on Google understands that."4

"Our job now is to engage in a productive debate, which focuses on privacy as a component of appropriate levels of security and public safety," Kerr said. "I think all of us have to really take stock of what we already are willing to give up, in terms of anonymity, but (also) what safeguards we want in place to be sure that giving that doesn't empty our bank account or do something equally bad elsewhere."4

Or as Ed Giorgio puts it: "We have a saying in this business: 'Privacy and security are a zero-sum game.'"1

1. "US intel chief wants carte blanche to peep all 'Net traffic", Ars Technica, January 17, 2008

2. "NSA's Lucky Break: How the U.S. Became Switchboard to the World", Wired, October 10, 2007

3. "CIA admits cyberattacks blacked out cities", IT News, January 19, 2008

4. "Intelligence official says people need to redefine privacy, adjust to loss of anonymity", The Associated Press, November 11, 2007