WASHINGTON (Reuters) - Obama administration actions to change some of the National Security Agency’s surveillance practices after the leaks of classified documents by contractor Edward Snowden are falling short of what many private cyber experts want.
Top government experts told the Reuters Cybersecurity Summit this week they would be more transparent about spying activity. Non-government guests, however, said the administration was not doing enough to advance Internet security.
For instance, last December a White House review commission called for a drastic reduction in the NSA’s practice of keeping secret the software vulnerabilities it learns about and then exploiting them for spying purposes.
White House cybersecurity advisor Michael Daniel said at the conference that he would chair the interagency group charged with weighing each newly discovered software flaw and deciding whether to keep it secret or warn the software maker about it.
“The policy has been in place for a number of years, but it was not as active as we decided that it should be,” Daniel said. Now, he said, “there is a process, there is rigor in that process, and the bias is very heavily tilted toward disclosure.”
Commission member Peter Swire told the summit he was pleased by the formal process for debating vulnerability use, but others said there were too many loopholes.
In an April 28 White House blog post, Daniel wrote that the factors the interagency group would consider included the likelihood that the vulnerability would be discovered by others and how pressing was the need for intelligence.
“That is the loophole that swallows the entire policy, because there’s always going to be an important national security or law enforcement purpose,” Chris Soghoian, a technology policy analyst with the American Civil Liberties Union, said at the summit.
Some security experts active in the market for trading software flaws said they had seen no sign that U.S. purchases were declining.
“There’s been no change in the market at all as far as we can see,” said Adriel Desautels, chief executive of Netragard Inc, which buys and sells programs taking advantage of undisclosed flaws.
The White House has also declined to spin off the NSA’s defense mission from its more dominant intelligence-gathering mission, as the commission recommended. New NSA Director Michael Rogers told the summit that the agency could keep doing both offense and defense and that “a good, strong Internet is in the best interest of the nation.”
The review commission implicitly acknowledged that the NSA had developed the capability to penetrate some widely used cryptography, and it urged the NSA to commit to not undermining encryption standards.
The White House has issued no policy statement in response. Daniel said officials “do not have any intention of engineering vulnerabilities into algorithms that undergird electronic commerce.”
Critics say such statements leave plenty of wiggle room.
Among other things, they do not preclude using backroom deals. For instance, the Snowden documents published by journalists say Microsoft Corp (MSFT.O) had worked with the NSA to allow the agency to obtain access to some user emails before they were encrypted.
“The way most crypto gets broken is through implementation,” Swire said. “How you set up crypto is very important.”
According to Snowden documents, the NSA has hacked into Google (GOOG.O) and impersonated Facebook (FB.O) overseas, where it faces far fewer restrictions on what it can collect. The NSA has said nothing about changing such tactics.
For that reason, many U.S. technology companies are unhappy. They are spending more to boost defenses against intrusions and contesting more requests from the NSA for user data.
Although the companies have not committed to a major campaign for new legislation, they have been supporting independent standards groups like the Internet Engineering Task Force as they move toward encrypting more Web traffic.
Reporting by Joseph Menn; Editing by Tiffany Wu and Grant McCool