The Washington Post reported on January 11 that the National Security Agency (NSA) is helping major US banks shore up their cybersecurity systems, in the wake of "a barrage of assaults" on the financial institutions' websites.
American Banker picked up the story two days later:
The banks are said to have pressed the nation's top spy agency for advice on how to protect their computer systems and for information about methods used in the attacks, which have swamped the websites of at least 12 banks since September and prevented customers from retrieving their accounts.
According to the Post, the bank websites hit with cyberattacks include Bank of America, PNC Bank, Wells Fargo, Citigroup and HSBC, among others. The attacks overwhelm web servers and have the effect of either slowing them down or taking them down altogether. While these incursions have not resulted in stolen data, they’re a serious disruption and a waste of resources.
Nonetheless, a public/private cooperation like this is unnerving. It would seem that private profit-making corporations, competing in a market economy, do not have the public interest stature to start using government capabilities – particularly surveillance capabilities – for their own unsupervised ends. Former NSA Director Mike McConnell, however, does not agree.
In 2010, after Google announced it had suffered a cyber-assault that attempted to penetrate the email accounts of Chinese human rights activists, the corporation went to the NSA for help. McConnell, writing in the Post, declared this type of cooperation to be the foundation of a new public/private alliance in the upcoming cyberwar, which, he added, would be equivalent in intensity to the Cold War of the past century.
We need to develop an early-warning system to monitor cyberspace, identify intrusions and locate the source of attacks with a trail of evidence that can support diplomatic, military and legal options -- and we must be able to do this in milliseconds. More specifically, we need to reengineer the Internet to make attribution, geolocation, intelligence analysis and impact assessment -- who did it, from where, why and what was the result -- more manageable.
The “we” here is a particular construction: specifically, it’s Google and other large corporations, together with the NSA, expressed in this inclusive way to suggest that we’re all in this together. McConnell continued:
The technologies are already available from public and private sources and can be further developed if we have the will to build them into our systems and to work with our allies and trading partners so they will do the same.
But from an average citizen’s perspective, this kind of cooperation gets murky fast. When “we” dig down into our new alliance, we find that there’s very little in the way of a legal framework for it. That problem had already occurred to McConnell:
We must give key private-sector leaders (from the transportation, utility and financial arenas) access to information on emerging threats so they can take countermeasures. For this to work, the private sector needs to be able to share network information -- on a controlled basis -- without inviting lawsuits from shareholders and others.
So the new collaboration we’re all part of isn’t quite so seamless after all. In fact, when the NSA came to the assistance of Google in 2010, the Electronic Privacy Information Center (EPIC) filed a Freedom of Information Act (FOIA) request for:
1. All records concerning an agreement or similar basis for collaboration, final or draft, between the NSA and Google regarding cyber security;
2. All records of communication between NSA and Google concerning Gmail, including but not limited to Google’s decision to fail to routinely encrypt Gmail messages prior to January 13, 2010; and
3. All records of communications regarding NSA’s role in Google’s decision regarding the failure to routinely deploy encryption for cloud-based computing service, such as Google Docs.
EPIC hit a stone wall. The NSA issued a Glomar response: it would neither confirm nor deny the existence (or non-existence) of responsive documents. EPIC appealed and lost.
In his 2010 op-ed, McConnell tried to preempt this kind of confrontation:
We now need a dialogue among business, civil society and government on the challenges we face in cyberspace -- spanning international law, privacy and civil liberties, security, and the architecture of the Internet. The results should shape our cybersecurity strategy.
But Nakashima’s piece in the Post yesterday about the de facto NSA/Bank of America/Wells Fargo/Citigroup/etc. alliance to fight cyber threats strongly suggests that the public-surveillance /private-enterprise collaboration is already well down the road. And there never was a dialogue, was there? If there was, the Government Accountability Project (GAP) wasn’t involved.
We should have been. We represent banking whistleblowers who revealed that fraud at the highest levels in US banks was (and potentially is) widespread. We also represent NSA whistleblowers who exposed cronyism, lawlessness, waste and abuse of authority at the agency. At GAP, we’re not sure that we want banks and spies collaborating on our behalf.
Nakashima’s article also illustrates the shadowy character of the issue. Facts had to be attributed to “industry officials,” “U.S. government officials” who believe recent attacks “have been carried out by Iran,” and “One bank official, who like most interviewed for this article, spoke on the condition of anonymity because he was not authorized to speak for the record.” For its part, the NSA issued a statement: “…[T]he agency provides assistance ‘in full compliance with all applicable laws and regulations.’” Not one official would go on the record. Only civil society spokesmen would.
More to the point, the NSA has no credibility when it claims to be in compliance with all applicable laws. We (U.S. citizens) are still in the process of learning how deeply the NSA is invading our privacy through the Stellar Wind data collection program, which, most would agree, is both illegal and unconstitutional. It is also ongoing.
Nor are U.S. banks high on the list of institutions Americans trust. These corporations brought us to the brink of economic collapse by pushing sub-prime mortgages, flogging them as securities with triple A no-risk ratings, and then trading them back and forth in increasingly arcane financial “products” that were ultimately worthless. As a consequence of this unregulated chicanery, millions of us lost our homes, our jobs and our pensions.
There is something really wrong with this. As taxpayers, we fund the development and deployment of NSA technology. As customers, we deposit our paychecks in U.S. banks, and as citizens we have built a government that supposedly operates with the consent of the governed. That’s us.
An alliance between U.S. banks and America’s spy agencies that putatively protects us from – oh, maybe China? Maybe Iran? – is deeply disturbing. It’s even more disturbing when the NSA, the banks and the courts tell us that we have no right to know:
- how it came about,
- who’s paying for it,
- what it has decided that it’s authorized to do?
Moreover, McConnell told us that we’re headed into this alliance with a Cold War-like commitment. Does this mean Cold War funding, Cold War spying, Cold War propaganda?
As citizens, don't “we” have a right to ask what’s going on? And don't we have a right to more than just a “neither confirm nor deny” response from our government?
Bea Edwards is Executive and International Director for the Government Accountability Project, the nation's leading whistleblower protection and advocacy organization.