By law, the government can't monitor domestic Internet traffic. Hackers suspected of being Russian exploited this blind spot by disguising their origins and working through unwitting U.S. companies.



U.S. intelligence agencies operate under two sets of laws. One set of U.S. laws covers how they can monitor people overseas; another set sharply limits what they can do inside the United States and also how they monitor U.S. persons - that's U.S. citizens and other residents, wherever they may be in the world. This division is meant to protect Americans' rights, but the Internet has a way of fudging borders. And cyber experts say Russian hackers exploit the different U.S. laws when they disguise where a hack is coming from. NPR's Greg Myre explains.

GREG MYRE, BYLINE: The National Security Agency considers itself the world's most formidable cyber power. But there's a catch. By law, the NSA collects intelligence abroad and not inside the U.S. U.S. rivals like Russia know this and take advantage of it. The head of the NSA, General Paul Nakasone, laid it out recently to a Senate committee.


PAUL NAKASONE: We may see what is occurring outside of the United States, but when it comes into the United States, our adversaries are moving very quickly. They understand the laws. And so they are utilizing our own infrastructure, our own Internet service providers, to create these intrusions.

MYRE: Last year, hackers stealthily placed malware on a software update produced by the Texas company SolarWinds. No one had reason to be suspicious or the legal authority to monitor as that software went from SolarWinds to 18,000 organizations, including U.S. government agencies. General Nakasone explains.


NAKASONE: It's not the fact that we can't connect the dots; we can't see all of the dots.

MYRE: Glenn Gerstell was the NSA's top lawyer until he stepped down a year ago. He says the hackers, widely believed to be Russia's foreign intelligence service, further covered their tracks by deceiving another U.S. company.

GLENN GERSTELL: The Russians rented a computer server capability on a network-hosting company called GoDaddy. Just like I can go buy a website on GoDaddy, so too can the Russians.

MYRE: This meant that even if U.S. cybersecurity teams suspected something amiss, the breadcrumbs weren't leading back to Russia.

GERSTELL: Someone looking at their computer in the United States to see whether it was doing anything funny, all they would see is traffic communications to and from a point from their computer to another computer in the United States on GoDaddy, which doesn't look particularly suspicious.

MYRE: The hackers rummaged through computer networks for months. It was purely by chance that they were finally detected in December by yet another U.S. company hit in the attack - the California cybersecurity firm FireEye. Kevin Mandia is the CEO.

KEVIN MANDIA: We recognized right away. FireEye was one of many victims.

MYRE: Here's the larger issue. The Constitution's Fourth Amendment bars the government from domestic surveillance unless a crime is suspected. But in the digital age, these U.S. privacy protections have an unintended consequence - they help hide foreign intelligence agencies conducting cyber espionage inside the U.S. This is fueling a debate on how the U.S. government and private companies can protect computer networks and civil liberties. Again, Kevin Mandia.

MANDIA: Regardless of the agency chartered with doing it, you will have to have a clearinghouse for intel that's a single point. You just do. I don't care what you call it, but it's got to be private and public-sector thing.

MYRE: Glenn Gerstell, the former NSA lawyer, has a similar proposal.

GERSTELL: What we can do is create some kind of fusion center whereby the FBI, together with the NSA and Homeland Security, can all pull together their resources, their computers and work together in real time with the private sector.

MYRE: But Senator Ron Wyden, an Oregon Democrat, is a skeptic.


RON WYDEN: My view is that message leads to privacy-violating laws and billions of more taxpayer funds for cybersecurity.

MYRE: He spoke during a recent hearing of the Senate Intelligence Committee.


WYDEN: There are concrete ways for the government to improve its ability to identify hackers without resorting to warrantless monitoring of the domestic Internet.

MYRE: The Biden administration says it's working on ways for the government and the tech industry to better share critical information. The White House stresses it's not currently seeking increased legal authority for domestic digital surveillance.

Greg Myre, NPR News, Washington. Transcript provided by NPR, Copyright NPR.