There are now resounding calls to drastically change the secretive National Security Agency in the wake of the documents leaked by former NSA contractor Edward Snowden. Some advocate a completely re-made spy agency, others say moves that drastic would hurt national security.
It's become a question of "reform" of the NSA, but Congress is divided on how to tackle this and a report from the Presidentially-appointed committee looking into that question is not likely to appear until year end at the earliest. Some lawmakers in the House and Senate are advocating changes to stop some kinds of surveillance and information collection by the NSA. But others think the issue isn't NSA but Snowden, whom they call a traitor for supplying NSA documents he stole by hacking what was supposed to be the NSA's super-secure network.
Calls for new restraints on the NSA are coming from the U.S. high-tech industry--particularly Google, Facebook, Microsoft and Yahoo--which have been stung by revelations on how closely they must work under current law to supply customer data to the NSA. New accusations are now springing forth in the media that the NSA has been quietly intercepting large data chunks on its own anyway.
On the diplomatic front, America's global allies, especially Germany, are furious to find out that the NSA spied on their government leaders, including German Chancellor Angela Merkel, something seen as not just a betrayal of trust but also perhaps of democracy itself.
What's also believed now is that Snowden, who fled to Russia, holds about 10,000 documents related to traditional espionage against Russia and China that could have huge impact in global politics if passed on or made public. One security vendor, Venafi, this week offered its own opinion on how Snowden, a contractor at Booz Allen who seems to have had a systems administrator role at the NSA, got so much data out of the NSA network without being noticed.
Jeff Hudson, CEO at Venafi, says Snowden likely elevated his privileges by generating SSH keys to use them to get access to other servers. "He then used that SSH key to get access to another," said Hudson. SSH keys allow for authentication and encrypted file transfer, but tracking SSH keys in use can be a problem. "Why doesn't the NSA just come out and say that happened?"
Many in the high-tech industry would likely agree with the stark conclusion reached by Bruce Schneier, crypto expert and author who has read some of the Snowden documents directly, that "the NSA has turned the Internet into a giant surveillance platform."
But the U.S.-based tech industry is caught between a rock and hard place. Some high-tech companies, such as Google, are trying to make it harder for the NSA to intercept data by using more encryption to stymie NSA intercept.
Recent reports assert NSA is somehow intercepting data running on private lines between Google data centers. In an Interview with the Wall Street Journal, Google executive chairman Eric Schmidt last week said, "It's really outrageous that the National Security Agency was looking between the Google data centers, if that's true. The steps that the organization was willing to do without good judgment to pursue its mission and potentially violate people's privacy, it's not OK."
But at the same time, the U.S Patriot Act legally compels U.S.-based companies to hand over customer data under certain conditions and refrain from any disclosure of such a request. Power players in the tech industry have gone to Capitol Hill to try and influence any changes lawmakers are willing to make as any legislation related to an NSA makeover is proposed.
Another issue tormenting industry is whether the NSA is deliberately weakening encryption security standards or somehow getting backdoors for cyber-spying into software and hardware. There is strong belief that the Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG) standard, for example, was deliberately weakened, making its way into software toolkits. Just the suspicions about that have sent at least one major vendor, Cisco, to scramble to identify which of its products have Dual EC DRBG while at the same time emphasizing the controversial encryption can't actually be activated by end users.
Change is in the cards for the NSA, based in Ft. Meade, Md., and with over a $10 billion a year budget. Its beleaguered director, Gen. Keith Alexander, time and again defending the NSA since June at hearings on Capitol Hill, is set to retire from a job early next year. Even the hawkish Sen. John McCain, (R-Arizona) this week called on Alexander to resign or be fired, saying he should be held accountable for the Snowden leaks and that he should apologize to German chancellor Angela Merkel, if not other allies, for monitoring her phone.
Speaking in Germany, McCain did add: "Friends spy on friends. We all know that, but there have to be certain boundaries." He went on to suggest high-tech capabilities that exist now make it hard to define those boundaries, then said, "But when you go to the point where you invade someone's privacy, the leader of certainly Europe, if not one of the most foremost leaders in the world, Angela Merkel, then it was a mistake." Alexander in one brief public comment recently the NSA responds to diplomatic requests on these things, and that the world should look in the direction of the State Department.
The outcry in Europe over the NSA cyber-spying may be impacting U.S. companies. Reports recently indicated that AT&T, which might want to acquire a wireless operator there, could face stiff opposition from European regulators concerned about NSA data collection if the carrier tries to expand into Europe by acquiring a wireless operator.
Many people see government cyber-spying by any government as a human rights violation.
The NSA targets and monitors "foreigners," as Mikko Hypponen, chief research officer at Finland-based F-Secure noted in his recent keynote about "the surveillance state" at the TED Conference in Brussels.
"I'm a foreigner, you're a foreigner," said Hypponen. "It's wholesale blanket surveillance." No one wants to think everything they do online is being monitoring by a foreign government, he said. The balance isn't close, with the world using much American-made services but Americans by and large not using non-American services.
"It's about doing surveillance on people they know are innocent," said Hypponen. U.S. intelligence agencies are "running Loose" and "they're completely out of control." There are terrorists that need to be discovered and monitored via the Internet, he noted, but they aren't likely to be found spying on members of parliament. But if there's excess in NSA practices, it's worth remembering that "the U.S. intelligence agencies are doing their jobs, this is what they've been told to do," he adds. "Are the Americans ready to throw away the Constitution?" and human rights and privacy, he passionately said.
This goes directly to the question of possible NSA reform. What does America want the NSA to be and do?Gen. Alexander actually holds two posts: head of the signals intelligence operation conducting cyber-espionage and secondly, the head of Cyber Command, the unit set up in 2010 as the military's cyberspace strike force. Here too, discussion has begun in Washington's government circles about whether to separate the signals intelligence and Cyber Command functions, or choose a civilian rather than a military leader to head NSA.
One Washington insider says Admiral Mike Rogers would be the top candidate for the NSA "under the usual process." But for the NSA, nothing is as usual these days, with the world stunned by what the media, particularly the Washington Post, the New York Times and the Guardian, tell the world on almost a daily basis now about NSA surveillance and data collection practices. The NSA and the Director of National Intelligence, James Clapper, have done little to refute these media stories, and sometimes even appeared to confirm them. With that as a backdrop, the question is how and should the NSA be reformed in organization and practice?
Does the NSA serve any useful purpose?
It would be hard to meet two individuals with more opposite views on that than James Bamford and Stewart Johnson, who each have formidable knowledge about the NSA and long careers that have focused on the secretive NSA's operations.
Bamford is a former naval intelligence officer, a lawyer by training and college professor who has written three best-selling books about the NSA, "The Puzzle Palace," "Body of Secrets," and "The Shadow Factory." Stewart Baker is a tech-savvy lawyer who is partner at Washington, D.C.-based law firm, Steptoe & Johnson, and whose long career includes stints as the first assistant secretary for policy at the Department of Homeland Security and general counsel at the NSA.
Asked whether the NSA truly serves a worthwhile purpose, Bamford says the NSA "is most useful in terms of collecting intelligence, not good at terrorism. The problem is it was never designed to detect terrorism." The NSA roots go back to the Cold War era when there was worry the Russians would launch a nuclear attack and intelligence gathering was focused on what the Soviet Union would do. Diplomatic spying was against adversaries. Bamford says today the NSA is "overextended" and "they overreach so much." The NSA has "so much money, they collect everything from everywhere." The NSA should "stick to collecting intelligence on adversaries," he advises.
If the NSA in some way is able to get backdoors into U.S. tech industry products and services, as some Snowden revelations contend, it "ends up hurting the U.S," Bamford says, adding who is going to want to buy American tech products or encryption if the U.S. has backdoors in them? "It's ruining industries like that."
The NSA should "stick to collecting intelligence on adversaries," he advises. "Leave our allies out of it." The NSA traditionally was there to gather intelligence for the chief of Naval Operations, for example, about what aircraft there was in China or other places., says Bamford, and the NSA worked off a priority list. Any reform of the NSA should make it clear what the mechanisms for priorities are, and these priorities should be "more restrained." The NSA also doesn't need the amount of money they get now, he added. Bamford said Congress needs to set up the modern-day equivalent of the Church Committee of 1975 that where Sen. Frank Church back then investigated abuses in intelligence operations.
As to whether the director of NSA should hold the dual position of head of the signals intelligence and espionage function, plus the head of Cyber Command for potential cyberwar operations, Bamford suggests splitting up those responsibilities. Gen. Alexander has "way too much power" in the current arrangement combining both positions, Bamford asserts.
Stewart Baker couldn't disagree more.
First off, Baker said it's clear that the NSA serves a worthwhile purpose. "NSA is essential to the role the United States plays in the world. It was the key agency in hunting terrorists over the last ten years, and its capabilities allow the U.S. to play a global role and to avoid unhappy surprises when it does so."
As to whether the NSA should be banned from certain activities that have come to light, such as collecting a treasure trove of phone-call metadata from U.S. carriers or spying on foreign leaders who are allies, Baker simply notes that NSA activities "were lawful. The President has decided that some of them (collecting intelligence from the communications of world leaders and U.N. diplomats) are a bad idea from a policy point of view. While I think he is over-reacting to personal embarrassment, the greatest sin a spy can commit is to get caught spying. NSA and the United States are being punished for getting caught, and some changes in policy may be inevitable."
Baker is also opposed in principle to any measures that would forbid the NSA to use its expertise, funding or influence with U.S. industry to weaken security mechanisms, such as encryption or placing backdoors in products and services."No, that would be an overreaction," he says. "There are times when weakening security is a good idea. If we know that an encryption program is about to be delivered to an al Qaeda leader, surely we should weaken the product before it's delivered. As for stories claiming that NSA deliberately weakened security more generally, I frankly doubt their accuracy."
What may be the "worst of the ideas for changing the NSA," according to Baker, would be splitting up the intelligence-gathering and Cyber Command that today are both headed by Gen. Alexander.
"NSA gathers intelligence by breaking into adversaries' computers. Cyber Command attacks adversaries' networks by breaking into them and causing damage," says Baker. "In short, the two agencies' jobs are virtually indistinguishable. Separating the agencies will spark turf fights. It will do nothing to protect privacy. The people who think this is a good idea tend to be generals who want another combatant command--something that can be awarded to a war-fighting general rather than an intelligence specialist." Baker says having a civilian rather than a military leader for NSA is "not inherently a bad idea" but perhaps not a change worth making.
These arguments are a microcosm of the debates that the powerbrokers in Washington are having as General Alexander's tenure as NSA director comes to a close early next year. More debates are certain to be heard as the Obama-appointed five-person collective called the "Director of National Intelligence Review Group" issues its soon-to-be released report on NSA surveillance, privacy and civil liberties. The review Group consists of Richard Clarke, Michael Morell, Geoffrey Stone, Cass Sunstein and Peter Swire. Clarke, now a consultant, had a long career in U.S. intelligence was former White House cybersecurity adviser.
In the meantime, the high-tech industry is coming up with security options and encryption for cloud services that they plainly acknowledge are intended to thwart government cyber-spying as much as criminal hackers.Take the Thales e-security hardware module called nShield that can work with the Microsoft Azure Rights Management System to encrypt documents between recipients under Microsoft's just-announced "Bring Your Own Key" initiative.The idea, says Thales vice president of product strategy, Richard Moulds, is using nShield in Microsoft's "Bring Your Own Key" model in the Azure cloud platform means Microsoft has "zero knowledge" of any data stored in the cloud because Microsoft doesn't have and can't get to the encryption key. Neither can Thales, Moulds says. Only the customer can. So any legal law enforcement requests have to go to the customer holding the encryption key. "We don't have backdoors for anybody," he concluded.
Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail: [email protected]
Read more about wide area network in Network World's Wide Area Network section.