The problem is well known. The difficulty lies in resolving deeply felt concerns over any increase in government surveillance authority, no matter how important the purpose. We are also paralyzed by a sense of fatalism that cyber vulnerabilities are simply the price we pay for being online, and an erroneous belief that the Constitution stands in the way of any solution.
Most cybersecurity experts agree an effective public-private cyber information-sharing system is essential in stopping foreign cyber maliciousness before it causes too much damage. But information sharing isn’t enough; it would be hamstrung from the start if the government cannot seamlessly and quickly track malicious cyber activity from its foreign source to its intended domestic victims. If some government agency had that legal power, then it could, for example, quickly check out a domestic IP address after an alert from the NSA that the address was communicating with a suspicious overseas server. If that IP address showed questionable activity, the government and the private sector jointly could take steps to reconfigure firewalls or otherwise curtail the hack. Admittedly, this wouldn’t prevent hacks and attacks that were based on previously unknown software bugs (so-called “zero-day exploits”). But the reality is that most large-scale hacks by foreign countries rely on already known software imperfections and hardware deficiencies.
The issue is that almost any kind of domestic cyber inspection, even in hot pursuit of a foreign adversary, would be considered a “search” within the Constitution’s Fourth Amendment, which requires searches and seizures by the government to be not “unreasonable” and in many (but by no means all) cases to be based on a search warrant issued by a judge. The notion that searches could possibly be electronic was of course not in the Framers’ minds when adopting the amendment in 1792, but the “reasonableness” standard has allowed courts over the years to apply it to new techniques and technologies, including cyber surveillance.
To track foreign cyber malevolence in a new domestic legal framework, we would need a cyber monitoring capability that was so limited and…