President Barack Obama today said his administration is going to change some aspects of how the National Security Agency and other U.S. intelligence agencies conduct surveillance and hold data collected on U.S. and foreign individuals. But his goals fell far short of what was recommended in the 46 proposals for reform of the NSA spelled out last month by the five-member working group he appointed.
In response to the revelations made by former NSA contractor Edward Snowden about NSA's bulk data collection practices carried out across the Internet around the world, President Obama defended the NSA and its secretive operations as necessary for national security. He praised the "knowledge and professionalism" of those working for the NSA but acknowledged the power of the data-gathering technologies of the current era did hold cause for concern.
"The power of new technologies," said the President, means "fewer and fewer technical restraints on what we can do." But he said it's also a matter of what "we should do" in terms of data collection around the world. He noted the 9/11 terrorist attacks on the U.S. had led the NSA to greatly step up efforts to detect terrorists through massive data collection.
One of the most hotly debated topics triggered by Snowden's leaking of NSA documents to the media is how the NSA collects and holds a trove of metadata about phone calls, including those of U.S. citizens, in order to mine it for intelligence purposes. The President's Review Group on Intelligence and Communications Technologies, which included law experts and government veterans Richard Clarke, Michael Morell, Geoffrey Stone, Cass Sunstein and Peter Swire, advocated in their 400-page report in December that bulk collection of phone metadata continue but that the NSA not be the one holding it. They also said there should be tougher legal requirements in place to get to this data.
President Obama today said as part of the reform of practices he wants to hear recommendations on a "new approach" for holding all this phone metadata if the NSA itself is not holding it. He said he wanted to hear these recommendations before March 28, when the bulk-data collection program is slated to be re-authorized. President Obama indicated he would not advocate stopping the collection of phone metadata. One difficulty is that phone companies themselves are not eager to hold metadata for NSA review, so there's no clear path to tackling this issue. However, he said from now on, the NSA would only be allowed to mine phone call data about individuals 2 steps from a call from someone in a terrorist organization, not 3.
Another issue brought out by the Snowden revelations is that the NSA was long spying on foreign leaders, even those close to the U.S., such as the German Chancellor Angela Merkel. Indeed, the revelations that the U.S. routinely collects massive amounts of telecom calls and Internet-related data overseas have caused a storm of protest from allies around the world.
President Obama indicated as part of his NSA reform effort, there would be less NSA surveillance of foreign leaders friendly to the U.S., unless "there's a national security interest," and added, if he wanted to know what they were thinking, "I'll pick up the phone to call them rather than turning to surveillance."
President Obama also said the State Department will establish a service officer for signals intelligence specifically, and there will be a new person appointed at the White House as a point person for his suggested reforms. He added that John Podesta, his newest adviser in the White House, will be setting up a group to "lead a review of Big Data and privacy."
Saying America has to lead the way in debating sensitive issues like online surveillance, President Obama also took the occasion to mildly rebuke China and Russia, both known for energetic cyber-spying. "No one expects China to have an open debate about their surveillance program, or Russia to take the privacy of their citizens into account."
The reaction by many in the information-technology world was largely disappointment that the President did not go further in tackling sensitive questions about whether the NSA tries to put backdoors in high-tech equipment or deliberately weakens encryption -- all issues that have come to light in the Snowden revelations. Whether the NSA manages to get backdoors into equipment -- and whether industry is cooperating with that, as RSA has been accused of with its BSAFE toolkit holding NSA-compromised encryption -- is of central concern to buyers and sellers of technology. (RSA has acknowledged it had a $10 million contract in the past with the NSA to make an elliptic-curve algorithm, suspected to be an NSA backdoor, the default in its BSAFE toolkit, but says it would never do anything knowingly to hurt customers.)
The President's Review Group specifically advocated that any NSA reform should include restoring the sense of trust the industry should have in the U.S. government and the NSA, which plays a large role in guiding technology, especially for the military. The Review Group's report states: "The US Government should take additional steps to promote security by (1) fully supporting and not undermining efforts to create encryption standards; (2) making clear that it will not in any way subvert, undermine, weaken or make vulnerable generally available commercial encryption; and (3) supporting efforts to encourage the greater use of encryption technology for data in transit, at rest, in the cloud, and in storage."
However, President Obama made no mention of these topics at all. He also referred broadly to media stories, based on Snowden's leaks, about the NSA as "crude characterizations" of what the NSA does.
Richard Stiennon, chief research analyst at IT-Harvest, says he found the President's speech about the NSA to be "masterful and calming." However, "the major substance was his direction to the NSA to limit meta-data discovery to two links instead of three." Other reform suggestions did include "stricter requirements and review from the FISA Court to approve National Security Letters, and allow service providers to reveal more information about those letters," Stiennon noted.
"From my perspective, the real impact of the NSA surveillance has been to reveal the shaky security grounds on which all communications has been built. A ball has been set in motion to correct that. The tech industry will be the ones to counter NSA surveillance," Stiennon commented. "The only threat to improved encryption, key management, and obfuscation of meta-data, is that of the NSA attempting to thwart such efforts."
Stiennon says the goal has to be to "prevent the NSA from engaging in an arms race with the tech industry. They should be legally restricted from tampering with algorithms, infiltrating tech company infrastructure, or subverting carriers."
Dwayne Melancon, CTO at security firm Tripwire, says President Obama's speech was a "good step, but we need to see convincing results to know that the changes are meaningful and concrete." Melancon, saying he found much of the President's stated intentions to be a bit unclear, added he hoped there will be further barriers to limit the collection and use of surveillance data about U.S. citizens, but "the big difference is whether it will really make a difference or not."
"To paraphrase something often attributed to Abraham Lincoln: 'You can please all the people some of the time, and some of the people all the time, but you cannot please all the people all the time.' Today, President Barack Obama managed to please nobody at any time. Obama can attempt all he likes to mend NSA surveillance program - but it is quite clear to any thinking person that much of the NSA's Internet surveillance programs cannot be mended to function in a free global society - it can't be mended, so it must be ended. No amount of mass surveillance is acceptable among democracies," says Sean Sullivan, security adviser at F-Secure.
Several digital rights groups called on Obama for a larger overhaul of the NSA's surveillance programs.
Real reform requires Obama to "end mass collection" of metadata phone records, says David Segal, executive director of digital rights group Demand Progress. "We urge the president to recognize that the public concern is not only over whether mass spying programs are explicitly abused, within standards set by the NSA, but whether these programs should exist at all -- whether they are fundamentally compatible with the notion that we live in a free society, a democracy," Segal said in an email.
Obama's call for a transition in the bulk phone records program raises new questions, added Kevin Bankston, policy director of the New America Foundation Open Technology Institute.
"If the ultimate alternative to government collection is mandatory bulk data retention by the phone companies or mandatory bulk handover to a third party, the president should be prepared for a major legislative battle with key members of Congress, the technology industry and the privacy community arrayed against him," Bankston said by email. "Particularly when the president's own review group concluded that the records program is not essential to preventing terrorist attacks ... the right answer here is to stop the bulk collection completely -- not to keep the same bulk data under a different roof."
Ellen Messmer is senior editor at Network World, an IDG website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail: firstname.lastname@example.org. Grant Gross of The IDG News Service contributed to this story.