Cyberwarfare: The US government vs. Silicon Valley

It takes no more than two short quotes to sum up how the U.S. tech industry is feeling toward the government as of late. From Google’s chief of security: “We are in an arms race” with the U.S. government, and from Mark Zuckerberg of Facebook: “The government blew it” with respect to Internet spying.

Ultimately, if the U.S. is to continue to fend off cyberattacks and espionage from enemies abroad, it will need to cooperate — and even collaborate — with U.S. high-tech companies and the “netizens” of Silicon Valley. For all the vast capabilities of the NSA and sister intelligence agencies, it is the private sector that provides the central repository of data and a first line of defense against hostile foreign electronic incursions. And at this point in time, prospects for a continuing, effective public-private alliance are in jeopardy.

Before describing the growing frustration and alienation of U.S. high-tech communications and Internet companies, a note of irony and potential hypocrisy must be posited. The information and telecommunications revolution has spawned business models that depend on a vast sweep up of personal data — and the Googles, Facebooks, Twitters, and LinkedIns of the world are highly dependent on gleaning details from this data (sites visited, services and goods purchased, habits formed, etc.) in order to create highly specific marketing tools and campaigns. Beyond this, on an individual basis, Americans and others have readily surrendered large swaths of privacy through participating in social and commercial media. As Robert Samuelson of the Washington Post wrote: “People do not open Facebook, Twitter, LinkedIn, and Instagram accounts because they wish to shroud their lives in secrecy … The Internet is a vehicle for self-promotion, personal advertising and the pursuit of celebrity.”

There are, however, countervailing and distinguishing factors that set off the activities of the NSA from those of the private sector. First, though they have sometimes fallen short of their obligations, the information and telecommunication companies are keenly aware that the Internet is founded on trust in the protection of data between the service providers and their customers (users), both corporate and individual. Further, specifically for globalized (even dominant) American companies, the key to future success lies in worldwide competition — and in reality success in competing in many individual national markets, governed by the national public rules and mores. It was for this reason that Zuckerberg famously blasted the political insularity of the NSA avowal that it only spied on foreigners, to wit: “‘Oh, we only spy on non-Americans.’ Gee, thanks. We’re trying to provide an international service, not get crushed in those places either.”

Reviewing the past six months, since the first Snowden revelations were published in June, it is clear that the alienation and deterioration of government/private relations evolved from two sources: first, the highly sophisticated drip, drip, drip (water torture) of information perpetrated by Snowden’s confidants and a willing press that increasingly encircled U.S. companies in what seemed a web of collaboration with the U.S. security apparatus; and second, the failure of the government — White House, NSA and other intelligence agencies — for most of the period to reach out to the private sector, or even provide some explanatory cover. Former CIA and NSA director Michael Hayden’s proud affirmation that “I ran the NSA. We steal stuff. We make no apologies about it. But we steal things to keep our citizens safe,” became the symbol of the U.S. response to Snowden to the outside world.

This essay is no place to describe in detail the “drip, drip” of revelations: it will only highlight two key dates and turning points. The sudden awareness that the world had changed came in the first Snowden reports in the Guardian and The Washington Post on June 6. The Guardian went to press without alerting any of the companies, but the Post followed with requests for comments from leading firms implicated in the purloined documents. As recounted by several high-tech company executives, they were given only 90 minutes to construct a response to documents showing that a number of telephone and Internet companies (Verizon, Microsoft, Yahoo, Facebook, Google, Apple, among others) had complied with NSA requests to turn over phone, email, search history and even Instagram records: though the companies didn’t know it, all of this was part of the now publicized Prism program, authorized under the 2008 amendments to the Foreign Intelligence Security Act of 1978.

The companies’ response established a kind of “no-win” situation that has haunted them ever since. All issued carefully worded denials that they had given the government direct access to personal data — careful because they had to get around the fact that under the Prism programs they were forced by law to turn over so-called metadata to the NSA. The seemingly weasel-worded denials (buttressed by President Obama assuring everyone that only non-US citizens’ data was at issue) only got the companies in deeper. As one tech executive stated: “Every time we spoke it seemed to make matters worse. We just were not believed.” The problem was — and is — that the companies were barred by law from talking about details of the program, and individually the companies did not know exactly how the program worked. Since June, the private sector has clamored without notable success for permission to reveal greater detail about the government’s requests.

A second important jolt came in October when a Snowden leak exposed the existence of an upstream data collection program, aptly named Muscular, that allowed the NSA, in conjunction with its British intelligence partner GCHQ, to hack into the internal, fiberoptic traffic (internal data centers) of Google and Yahoo to collect additional data from potentially millions of Internet users. Observers have speculated that, in addition to fostering a tighter relationship, NSA utilizes GCHQ in order to avoid any legal challenges from the stricter controls on data from U.S. citizens. It was this October leak that set off the so-called arms race between the government and the private sector. Not only Google and Yahoo, but also other Internet companies have moved quickly to encrypt internal data. In turn, they strongly suspect that the NSA is perfecting tools to circumvent whatever new systems they devise — a suspicion strongly abetted by the recent report that the agency was working on a supercomputer program that would be able to “crack” most or all existing data protection systems. Finally, the NSA/GCHQ revelation spurred a bolder, negative reaction from normally cautious high-tech executives, including the stinging epithet against the NSA by Microsoft General Counsel Brad Smith, who labeled the agency an “advanced persistent threat.” In cybersecurity jargon this is a term normally reserved for Chinese state-sponsored hackers and dangerous criminal groups.

We are now entering a crucial period in the formulation of new cybersecurity policies. Within the next few weeks, the president has promised to put forward proposals to reform the operations of the NSA and its allied agencies. To his credit, he has also promised to confer with the private sector before rendering final decisions. As described in earlier posts, the companies have demanded an end to the metadata programs administered by the security agencies. The president is not likely to go this far, but he might well consider allowing greater transparency in the information demands on the companies by the NSA. Whatever his decisions, it will be important for the administration and Congress, while according security a top place in the criteria for new policies, also to take into account the economic consequences for many of America’s world leaders in Internet communications and hardware. Not least, the government will also have to mend the frayed relations with the telecommunications and Internet companies if future U.S. cybersecurity defenses are to be maintained at the highest level. Finding a new balance will be a difficult task, both in policy and in political terms.
