How to Be Friends With the NSA Again
Relations between Silicon Valley and Washington have never been easy. But the technology sector’s fury about hacking by the National Security Agency has company executives talking about the U.S. government as its new adversary. That could make the Internet an even more vulnerable place.
Technology companies and service providers vow they will not voluntarily share information with the government and are racing to encrypt more data. Revelations by former NSA contractor Edward Snowden have also derailed discussions about how business and government might work together to stop cybercrimes.
Eric Grosse, Google’s security chief, says Washington previously “pointed out some things that we thought should be hardened in our systems, and we very much appreciated the help.” But he says the public reaction to the Snowden leaks have made it “increasingly difficult to cooperate even on the defense side.” The government has to do the lion’s share of the work to restore even minimal trust, but the tech industry has to get beyond the notion that it can go it alone.
For years the tech sector—with its libertarian streak—wasn’t sure why it should sully itself with Washington, a town where the BlackBerry still rules. Microsoft began seriously lobbying only after it ran into antitrust problems in the mid-1990s. Google set up a single lobbyist in the capital in 2005, explaining on a company blog that it “seems that policymaking and regulatory activity in Washington, D.C., affect Google and our users more every day.” Last year the tech sector was the fourth-largest spender on D.C. lobbying, a few million dollars behind the oil and gas industry. The Snowden scandal only confirmed tech’s suspicions about the government.
More than a year after the Snowden leaks began, there is a lot we still don’t know about relations between the NSA and American companies, including how much personal data was voluntarily shared by the tech sector and the more accommodating telecommunications providers, and how much came from the NSA’s hacking into companies’ data. Allied governments and foreign companies believe the worst. On June 26, Germany announced it would not renew a contract with Verizon over concern that the company could not keep data from the U.S. government.
Afraid of losing overseas markets, tech leaders have become increasingly vocal about their frustration and their intention to challenge Washington on every issue. Late last year, Brad Smith, Microsoft’s general counsel, described government snooping as an “advanced persistent threat”—techspeak that was once reserved for the most sophisticated kinds of Chinese hacking. After reports in March that the NSA had masqueraded as a Facebook server to hack into an unknown number of computers, Chief Executive Officer Mark Zuckerberg called President Obama to protest. He then vented his anger in a Facebook post, writing, “When our engineers work tirelessly to improve security, we imagine we are protecting you against criminals, not our own government.”
This spring’s discovery of the “Heartbleed” flaw in widely used encryption software should have been a warning about the vulnerability of cyber infrastructure and an argument for why Washington and Silicon Valley need to find a way to get past Snowden. In March and early April, a Google engineer and Codenomicon, a Finnish firm, separately discovered the bug. Google quietly alerted a few technology companies (it won’t say which ones) and the OpenSSL project, which oversees the open-source code. Codenomicon notified Finland’s National Cyber Security Center. The U.S. government didn’t learn about Heartbleed until OpenSSL sent out a security advisory on April 7.
The damage from Heartbleed was limited. But the potential for mayhem was huge. The challenge from the start was to quietly alert users so they could put patches in place before the bad guys could exploit the software flaw. That is a natural role for the U.S. government. A tech executive says that before Snowden, “the rest of the world would have trusted [Washington] to pro bono do the right thing.” No longer.
The government has a critical role to play—if it can regain trust. Much like the Centers for Disease Control and Prevention does with infectious diseases, a government-run central clearinghouse could spread the word about vulnerabilities and cyber attacks. Only Washington can build the law enforcement networks capable of tracking cybercriminals globally, press for stronger intellectual property protections in trade agreements, negotiate treaties and international guidelines to constrain cyber attacks, and appeal to other governments for help to stop them.
That is what happened in 2012, when Iran hijacked servers around the world and bombarded U.S. bank websites for months, slowing or disrupting service. After the financial industry sought Washington’s help, the NSA proposed a targeted and supposedly undetectable move against the Iranian server. The White House instead decided to use diplomacy, asking scores of governments to clean up local servers and offering them technical assistance. The attacks tapered off. If Silicon Valley needed another reminder that malevolent organizations are still at work, Symantec, the cybersecurity firm, said on June 30 that a group with apparent links to the Russian government had infected American and Western European energy companies with a piece of malware called “Energetic Bear” that potentially could crash energy facilities.
Obama has proposed reforms, including an end to NSA warehousing of telephone “metadata” and a requirement that the government get a court order before it can see records. That isn’t enough. Microsoft’s Smith says, “The tech sector is still waiting for a commitment that the government won’t hack its way, outside of legal processes, into accounts, data, or services operated by American companies.” To begin to repair the damage, there will also have to be more effective oversight by Congress of U.S. surveillance policies; more transparency for the public; a credible separation between agencies responsible for the conflicting missions of intelligence gathering and cybersecurity; and clear rules on how information will be used and shared across the government.
Any constraints on intelligence gathering inevitably mean more risk. But if the private sector and American allies are unwilling to cooperate with Washington, the dangers could be far greater.
Serious reform will also require a cultural shift in the intelligence establishment, which has always believed it should control everything and explain nothing. General Keith Alexander, who oversaw the NSA’s vast growth as its director from 2005 until earlier this year, was particularly tone deaf to fears about government overreach. In the pre-Snowden era, he told business leaders and other officials privately that his goal was to build a shield for the country against malware, malicious IP addresses, and other dangers. “He said he could do it, but he would have to sit on everyone’s networks,” says a former NSA official who asked not to be named so he can remain on good terms with the agency.
After the discovery of the Heartbleed bug raised questions about the NSA stockpiling undisclosed flaws so it can use them for hacking in the future, Michael Daniel, Obama’s coordinator for cybersecurity, wrote on a White House blog that decisions to publicize or withhold information about vulnerabilities are carefully weighed with a “bias” toward disclosure. But he also said in some cases going public means forgoing “an opportunity to collect crucial intelligence that could thwart a terrorist attack, stop the theft of our nation’s intellectual property, or even discover more dangerous vulnerabilities that are being used by hackers or other adversaries.” The declaration did nothing to allay critics’ concerns.
The new head of the NSA, Admiral Michael Rogers, has acknowledged that the relationship with the tech industry is in disrepair. “I understand why we are where we are,” he told the New York Times on June 27, pledging a “public dialogue” about NSA policies. That would be a start. But it is going to take a lot more to rebuild trust.