Reporting from Washington — The National Security Agency should divulge information about its reported agreement with Google Inc. to help the Internet company defend itself against foreign cyber attacks, according to a lawsuit filed Monday by a privacy group.
The ad hoc and secretive nature of Google's arrangement with the federal spy agency also spotlights what some experts said was the lack of a clear federal plan to deal with the growing vulnerability of U.S. computer infrastructure to cyber intrusions launched from foreign countries. At risk are power grids, banks and other crucial public services.
"We have a faith-based approach, in that we pray every night nothing bad will happen," said James Lewis of the Center for Strategic and International Studies, a Washington think tank.
In January, Google announced that it had been the victim of "a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property."
A month later, newspapers reported that Google had begun cooperating with the NSA, the spy agency in charge of defending the U.S. military from such attacks. Google, according to reports, enlisted the NSA, which has a vast electronic surveillance capability and a trove of cyber-warfare experts, to help trace the source of the attack and take steps to prevent future intrusions.
The nonprofit Electronic Privacy Information Center, which has tangled with Google in the past over the security of its Gmail e-mail system, filed a request under the Freedom of Information Act for documents related to any agreement between Google and the NSA. The NSA denied the request, and on Monday the privacy group took the agency to court, seeking to force it to hand over records.
"As of 2009, Gmail had roughly 146 million monthly users, all of whom would be affected by any relationship between the NSA and Google," the privacy group's request said. "In order for the public to make meaningful decisions regarding their personal data and e-mail, it must be aware of the details of that relationship. Neither Google nor the NSA has provided information regarding their relationship."
There probably isn't a significant privacy concern in the NSA's dealings with Google, said Richard Clarke, a top national security official in the Clinton and Bush administrations and author of "Cyber War: The Next Threat to National Security and What to Do About It."
"But the easy way for Google and NSA to prove that is by letting an outside group come in and find out," Clarke said.
Lewis said the NSA still must overcome a lack of trust among consumers after it enlisted telecom companies to help with surveillance it conducted without warrants in the wake of the Sept. 11 terrorist attacks.
Beyond the privacy issue, the Google-NSA alliance shows that no single U.S. government agency is responsible for defending the country's private computer infrastructure from the daily onslaught of foreign-based cyber attacks, Clarke and Lewis said. NSA gets involved only in select cases.
"NSA can't become the antivirus provider for the U.S. economy," Lewis said.
Clarke said the Obama administration's cyber-defense policy makes private companies responsible for their own defense, "and that obviously doesn't work."
The current approach, he said, would be akin to President Kennedy urging steel companies in 1961 to buy fighter planes and air defenses to protect against the Russian bombers that had them on target lists.
In a statement, NSA declined to confirm or deny its relationship with Google. "NSA works with a broad range of commercial partners and research associates to ensure the availability of secure, tailored solutions," the statement said.
A Google spokesman declined to comment Monday, but in January, the company issued a statement saying it was "working with the relevant U.S. authorities" in response to the cyber attack.
The attack on Google was the latest in a series of intrusions attributed to China, including the hacking of Lockheed Martin Corp. documents related to the F-35 fighter program.
"The United States is fighting a cyber-war today, and we are losing," Mike McConnell, former director of national intelligence, wrote in the Washington Post in February. "As the most wired nation on Earth, we offer the most targets of significance, yet our cyber-defenses are woefully lacking."
McConnell, who also used to run the NSA, believes it is best suited to oversee the nation's defenses against cyber attacks.
"The NSA is the only agency in the United States with the legal authority, oversight and budget dedicated to breaking the codes and understanding the capabilities and intentions of potential enemies," he wrote.