The head of the U.S. National Security Agency defended spying programs that monitor Americans’ phone and Internet activities to a group of hackers the agency has counted on to aid its cybersecurity efforts.
“Terrorists use our communications. They live among us,” Army General Keith Alexander said in a speech today at the Black Hat annual computer security conference in Las Vegas.
“How do we come up with a program to stop terrorism and protect our civil liberties and privacy? This is perhaps one of the biggest issues facing our country today.”
Alexander discussed electronic surveillance efforts exposed in June by former government contractor Edward Snowden, under which the NSA collects phone metadata on millions of U.S. customers of Verizon Communications Inc. Through a separate program, known as Prism, the agency monitors e-mail, online video and other Internet content of users.
It marked the first time since Snowden’s revelations that Alexander has spoken publicly to security researchers who explore vulnerabilities in networks and let companies or agencies know they exist. The U.S. needs independent researchers to find software vulnerabilities and develop know-how to exploit networks, as well as to work for intelligence and military agencies, Alexander said.
The NSA faces mounting criticism from hackers, lawmakers and privacy advocates following revelations of classified U.S. surveillance programs.
Alexander’s speech was interrupted several times by shouts from audience members that the NSA can’t be trusted. Alexander made a personal appeal for hackers to examine “the facts” about the spy programs and to work with NSA.
“You’re the greatest gathering of technical talent anywhere in the world,” he said. “The whole reason I came here was to ask you to help us make it better. If you disagree with what we’re doing, then you should help twice as much.”
The revelations have created a moral dilemma for hackers about whether to continue friendly relations with the NSA and other government agencies, Alex Stamos, an independent security researcher and member of the Black Hat advisory board, said in an interview.
“I think there’s going to be a real backlash,” he said. “It’s going to be much harder for them to recruit because there are a lot of people now who are going to think twice about whether or not they’re going to be put into ethical situations.”
Stamos said during Black Hat in 2012 he met casually for two hours by a pool with NSA officials. “This year, if I got the same request I would say, ‘Send me questions in writing or you can meet with me and my lawyers,’” he said.
Alexander also met privately with company executives at Black Hat yesterday.
Apple Inc., based in Cupertino, California, Google Inc., based in Mountain View, California, and Microsoft Corp., based in Redmond, Washington, have asked the U.S. Justice Department for permission to clarify what they do and don’t disclose to the NSA under the Prism program.
Companies will be hesitant to share information about cyber threats on their networks with the government going forward, believing cooperation will harm their reputations, John Dickson, chief executive officer of the software security company the Denim Group Ltd., based in San Antonio, said in an interview.
“One of the implications is it will be an every-man-for-himself security environment,” said Dickson, who advises the U.S. Air Force on cybersecurity.
Alexander and other U.S. officials have been asked not to attend another security conference in Las Vegas this week, known as Defcon, that follows Black Hat.
“When it comes to sharing and socializing with feds, recent revelations have made many in the community uncomfortable about this relationship,” conference founder Jeff Moss, using the name “The Dark Tangent,” wrote in a July 10 blog.
“Therefore, I think it would be best for everyone involved if the feds call a ‘time-out’ and not attend DEF CON this year. This will give everybody time to think about how we got here, and what comes next,” he wrote.
Many lawmakers also want to curb the NSA’s powers. A July 24 vote in the House of Representatives to defund the agency’s ability to collect phone metadata came seven votes short of passing.
Damage to the NSA’s reputation is a “serious situation” because the agency relies on hackers and companies to develop technology and find computer vulnerabilities, Representative Charles “Dutch” Ruppersberger of Maryland, the top Democrat on the House Intelligence Committee, said in an interview.
“The people in the NSA, which I represent, are some of the hardest working people you’ll ever meet,” Ruppersberger said. “There’s almost an analogy like they’re being blamed like the men and women who went to Vietnam were blamed when they came home. The president of the United States and Congress authorized Vietnam.”
The Office of the Director of National Intelligence released today a previously classified April 25 court document, along with briefing papers given earlier to Congress, describing the phone metadata collection program.