WASHINGTON — Obama administration actions to change some of the National Security Agency’s surveillance practices after the leaks of classified documents by contractor Edward Snowden are falling short of what many private cyberexperts want.
Top government experts told the Reuters Cybersecurity Summit this week they would be more transparent about spying activity. Nongovernment guests, however, said the administration wasn’t doing enough to advance Internet security.
For instance, last December a White House review commission called for a drastic reduction in the NSA’s practice of keeping secret the software vulnerabilities it learns about and then exploiting them for spying purposes.
White House cybersecurity advisor Michael Daniel said at the conference that he would lead the interagency group charged with weighing each newly discovered software flaw and deciding whether to keep it secret or warn the software maker about it.
“The policy has been in place for a number of years, but it was not as active as we decided that it should be,” Daniel said. “(Now) there is a process, there is rigor in that process, and the bias is very heavily tilted toward disclosure.”
Commission member Peter Swire told the summit he was pleased by the formal process for debating vulnerability use, but others said there were too many loopholes.
In an April 28 White House blog post, Daniel wrote that the factors the interagency group would consider included the likelihood that the vulnerability would be discovered by others and how pressing the need for intelligence was.
“That is the loophole that swallows the entire policy, because there’s always going to be an important national security or law enforcement purpose,” Chris Soghoian, a technology policy analyst with the American Civil Liberties Union, said at the summit.
Some security experts active in the market for trading software flaws said they had seen no dip in U.S. purchases.
“There’s been no change in the market at all as far as we can see,” said Adriel Desautels, chief executive of Netragard Inc, which buys and sells programs taking advantage of undisclosed flaws.
The White House has also declined to spin off the NSA’s defense mission from its more dominant intelligence-gathering mission, as the commission recommended. New NSA Director Michael Rogers told the summit that the agency could keep doing both offense and defense and that “a good, strong Internet is in the best interest of the nation.”
The review commission implicitly acknowledged that the NSA had developed the capability to penetrate some widely used cryptography. And it urged the NSA to commit to not undermine encryption standards.
The White House has issued no policy statement in response.
Daniel said, “(Officials) do not have any intention of engineering vulnerabilities into algorithms that undergird electronic commerce.”
Critics say such statements leave ample wiggle room.
Among other things, they don’t preclude using backroom deals.
For instance, the Snowden documents published by journalists say Microsoft Corp. had worked with the NSA to let the agency obtain access to some user emails before they were encrypted.
“The way most crypto gets broken is through implementation,” Swire said. “How you set up crypto is very important.”
According to Snowden documents, the NSA has hacked into Google and impersonated Facebook overseas, where it faces far fewer restrictions on what it can collect. The NSA has said nothing about changing such tactics.