NYT: In Keeping Grip on Data Pipeline, Obama Does Little to Reassure Industry

http://www.nytimes.com/2014/01/18/technology/in-keeping-grip-on-data-pipeline-obama-does-little-to-reassure-industry.html

JAN. 17, 2014

In Keeping Grip on Data Pipeline, Obama Does Little to Reassure Industry

By DAVID E. SANGER and CLAIRE CAIN MILLER

WASHINGTON -- Google, which briefly considered moving all of its computer servers out of the United States last year after learning how they had been penetrated by the National Security Agency, was looking for a public assurance from President Obama that the government would no longer secretly suck data from the company's corner of the Internet cloud.

Microsoft was listening to see if Mr. Obama would adopt a recommendation from his advisers that the government stop routinely stockpiling flaws in its Windows operating system, then using them to penetrate some foreign computer systems and, in rare cases, launch cyberattacks.

Intel and computer security companies were eager to hear Mr. Obama embrace a commitment that the United States would never knowingly move to weaken encryption systems.

They got none of that.

Perhaps the most striking element of Mr. Obama's speech on Friday was what it omitted: While he bolstered some protections for citizens who fear the N.S.A. is downloading their every dial, tweet and text message, he did nothing, at least yet, to loosen the agency's grip on the world's digital pipelines.

White House officials said that Mr. Obama was committed to studying the complaints by American industry that the revelations were costing them billions of dollars in business overseas, by giving everyone from the Germans to the Brazilians to the Chinese an excuse to avoid American hardware and cloud services.

"The most interesting part of this speech was not how the president weighed individual privacy against the N.S.A.," said Fred H. Cate, the director of the Center of Applied Cybersecurity Research at Indiana University, "but that he said little about what to do about the agency's practice of vacuuming up everything it can get its hands on."

Professor Cate, who also advises the Department of Homeland Security on cyber issues, noted that Mr. Obama "took a report that had 46 recommendations, and touched on three or four of them."

In fact, he did more than that: Mr. Obama reminded the country that it was not only the government that was monitoring users of the web, it was also companies like Apple, Facebook, Twitter and Yahoo that had complained so loudly, as members of an industry group called Reform Government Surveillance.

"Corporations of all shapes and sizes track what you buy, store and analyze our data, and use it for commercial purposes," the president said. "That's how those targeted ads pop up on your computer and your smartphone periodically."

Translation: Corporate America wants to be able to mine Americans' data, but fears business will be hurt when the government uses it for intelligence purposes.

In fact, behind the speech lies a struggle Mr. Obama nodded at but never addressed head on. It pits corporations that view themselves as the core of America's soft power around the world -- the country's economic driver and the guardians of its innovative edge -- against an intelligence community 100,000 strong that regards its ability to peer into any corner of the digital world, and manipulate it if necessary, as crucial to the country's security.

In public, the coalition was polite if unenthusiastic about the president's speech. His proposals, the companies said in a statement, "represent positive progress on key issues," even while "crucial details remain to be addressed on these issues, and additional steps are needed on other important issues."

But in the online chat rooms that users and employees of those services inhabit each day, the president's words were mocked. "If they really cared about the security of US infrastructure, they'd divulge the vulnerabilities they found or bought from the black market that exploit the security of these systems, so those systems can be fixed, and no one else can exploit them with these exploits," wrote a user called "higherpurpose" on Hacker News.

"Instead they keep them for themselves so they can exploit them," the user wrote.

In an interview, a senior administration official acknowledged that the administration had weighed what the president could say in public about the delicate problems of encryption, or the N.S.A.'s use of "zero day" flaws in software, the name for security holes that have never been seen before. It is a subject the intelligence agencies have refused to discuss in public, and Mr. Obama determined that it was both too secret, and too fluid, to discuss in the speech, officials said.

In response to questions, the White House said the president had asked his special assistant for cybersecurity, Michael Daniel, and the president's office of science and technology policy to study a recent advisory panel's recommendation that the government get out of the business of corrupting the encryption systems created by American companies.

It will not be an easy task. One of the recent disclosures, first reported by Reuters, indicated that the N.S.A. paid millions of dollars to RSA, a major encryption firm, to incorporate a deliberately weakened algorithm into some of its products, giving the government a "back door" to read whatever it wanted. But when the advisory panel concluded that the United States should not "in any way subvert, weaken or make vulnerable generally available commercial software," the intelligence agencies protested.

"Some in the intelligence community saw that as a call for the N.S.A. to get out of cryptography, which is the reason they were created," the senior official said. He added: "We've said that we are very much supportive of U.S. industry and making sure that U.S. industry remains competitive, and able to produce really good products. And N.S.A. has been out there saying they have no interest in breaking encryption that guards global commerce."

But as Mr. Obama himself acknowledged, the United States has a credibility problem that will take years to address. The discovery that it had monitored the cellphone of Chancellor Angela Merkel of Germany, or that it has now found a way to tap into computers around the world that are completely disconnected from the Internet -- using covert radio waves -- only fuels the argument that American products cannot be trusted.

That argument, heard these days from Berlin to Mexico City, may only be an excuse for protectionism. But it is an excuse that often works.

"When your products are considered to not only be flawed but intentionally flawed in the support of intelligence missions, don't expect people to buy them," said Dan Kaminsky, a security researcher and chief scientist at White Ops, an antifraud company whose clients include many of the nation's biggest data users.

Mr. Obama will have to address those issues at some point. Every time he meets Silicon Valley executives, many of whom enthusiastically campaigned for him, they remind him of their complaints. But at the Justice Department on Friday, he reminded them that the battle for cyberspace runs in all directions.

"We cannot unilaterally disarm our intelligence agencies," he said at one point in the speech. "There is a reason why BlackBerrys and iPhones are not allowed in the White House Situation Room. We know that the intelligence services of other countries -- including some who feign surprise over the Snowden disclosures -- are constantly probing our government and private sector networks, and accelerating programs to listen to our conversations, and intercept our emails and compromise our systems."

David E. Sanger reported from Washington, and Claire Cain Miller from San Francisco. Quentin Hardy contributed reporting from San Francisco.