Feedback Friday: Reactions to White House Cybersecurity Information Sharing Initiative
Posted on February 14, 2015 by Kara Dunlap in Security
During the White House Summit on Cybersecurity and Consumer Protection at Stanford University on Friday, President Barack Obama signed an executive order to promote cybersecurity information sharing between private sector companies and the U.S. Government.
The executive order, signed by the President on stage after addressing a large audience, outlines an information sharing framework that would help companies work together, along with the federal government, to more effectively identify and protect against cyber threats.
“This has to be a shared mission,” Obama said during his speech. “So much of our computer networks and critical infrastructure are in the private sector, which means government cannot do this alone. But the fact is that the private sector can’t do it alone either, because it’s government that often has the latest information on new threats.”
Overall, industry professionals applauded the steps by the White House, but indicated this is just a small step in addressing serious threats. An executive order can only go so far and more is needed than just information sharing to combat sophisticated cyber attacks, experts said.
And the feedback begins…
Phil Smith, SVP of Government Solutions and Special Investigations at Trustwave:
“The President’s remarks at today’s summit are a great beginning, especially when he explained today’s threat landscape as a ‘cyber arms race.’ That statement is significant because it puts organizations and individuals on notice that cybersecurity is a national security and public safety issue. Sharing threat intelligence across government agencies, law enforcement and the private sector is a critical component of strengthening data protection however it will not work without safe harbor protections for companies that participate.
An executive order can only go so far. It takes Congressional action to mandate information sharing on a national level that includes liability protection. Without that protection, we will not see the level of participation required for information sharing to be successful.
When organizations share information they produce actionable threat intelligence that helps them stay ahead of the criminals and build defenses to block their next move.”
Ken Xie, CEO of Fortinet:
“During the White House’s Cybersecurity Summit, there was a lot of great discussion around information sharing. The biggest obstacle is that our industry is extremely shorthanded: it’s estimated we can only fill one in every 20 technology positions needed in the cybersecurity space. Who will mitigate the threat? Where and who are the cyber swat teams? Who will train the responders? Answers to these questions remain unanswered, though the conversation is a step in the right direction.”
Nate Fick, CEO of Endgame:
“Much of the talk in the room is about information sharing. In security, the advantage often goes to the team with better, more usable data. So any steps to encourage faster sharing are meaningful progress.”
Tomer Weingarten, CEO of SentinelOne:
“Information sharing is a good start. However, it needs to be handled in a way that preserves the privacy of affected organizations and prevents data from being “leaked”. In the wrong hands, this intelligence would let attackers know that their operation has been compromised, could reveal attack binaries that can be re-used and expose companies that have been breached which may lead to more attacks against them. Also, sharing data and intelligence will do little to mitigate carefully crafted attacks since they often do not demonstrate any previously seen indicators.”
Mike Brown, VP and GM Public Sector for RSA:
“It isn’t just information sharing that is needed. We have some valuable avenues to share information. What we need is liability relief and clarity about the type and format of information that needs to be shared. That is also critical so that information that is shared is actually actionable.”
Tal Klein, CMO for Adallom:
“The fact that the President is addressing the issues of cyber security is a good thing – we definitely need more awareness. That stated, I am less excited about specific directives that may offset the financial incentive for companies to be in the business of cyber security. Information sharing is good, but if a security company makes their money researching threats and then is expected to turn over their research to the public domain as soon as its complete, then the value of that research diminishes.
I don’t think the government should be in the business of regulating the information security industry. What I suspect is that we are close to the age of the “cyber lobby” (dare I say “cyber subsidies”) – and I’m not sure that will benefit anyone other than the companies that pay to influence policy. So, I would prefer the President’s agenda would begin and end with “awareness” and avoid tinkering with the economic dynamics of the information security market.”
Ivan Shefrin, VP of Security Solutions at TaaSera:
“Voluntary sharing of cybersecurity intelligence can be an important step – provided it’s accompanied by appropriate liability and privacy constraints. The benefits are clear: last year’s United Parcel Service breach was in fact discovered as a direct result of threat intelligence sharing between the government and private sector.
Sharing cyber intelligence can have a positive impact if information sharing is made actionable. To accomplish this, security professionals should assume they’re already compromised, and implement policies, tools and budgets to balance breach prevention with pre-breach detection and response.”
Marc Gaffan, CEO & Co-Founder of Incapsula:
“President Obama is taking a bold stance by visiting with tech companies in Silicon Valley this week to talk about his proposed cybersecurity legislation, right on the heels of his cybersecurity agency announcement earlier this week. In the past, the sale and use of botnets, which have the potential to overwhelm a site or network with malicious activity, was surrounded by legal ambiguities and grey areas. Obama’s new legislation removes all ambiguity so for the first time companies can prosecute the so-called “bot-herders” that try to do them harm.”
Ron Gula, CEO, Tenable Network Security:
“It’s important to applaud this administration for its attention to cyber security. It’s been long overdue and at the rapid pace technology is evolving, we are already behind the curve. Executive orders such as this, while not a substitute for good security practices, raise awareness for the need to invest more heavily when it comes to cyber security.
Information sharing won’t solve the bigger problems we face in the industry, but it’s a good place to start. Everyone in IT is realizing the scale and saving from centralizing command and control. Once consolidated, the information shared will provide greater context, allowing for organizations to be more agile in mitigating sophisticated attacks.”
Ryan Shaw, Director of Research and Development at Foreground Security:
“The President’s intention to issue an Executive Order (EO) promoting government and private sector cybersecurity information sharing is an important acknowledgement of the current deficiencies in our country’s current cybersecurity defense capability. Unfortunately, EOs and new agencies will not be able to resolve the sharing challenges that have existed for years. These challenges include:
· Lack of trust between the parties involved
· COTS cybersecurity tools (e.g. SIEM, NSM, Web Proxies, ID/PS, Next-gen Firewalls) that are ill-equipped to deal with large quantities of multi-source, non-normalized threat indicators
· Shortfall of skilled cyber-threat analysts or source-agnostic platforms to manage the deluge of threat indicators
· Multiple sharing vehicles and taxonomies (these are a portion of the Voluntary Standards for ISAOs that the President will speak of)”
John Dickson, principal at software security firm Denim Group:
“There is no mention of increased liability protection for companies in today’s briefing sheet. Absent increased protection, or at least clarity, on the corporate liability question, this will likely result in a lukewarm reception from industry. Couple that with post-Snowden doubts that remain over working with government and law enforcement, and you have a potential non-starter here.
The focus on strong privacy and civil liberty protections misses the point here – that’s not the hurdle to more information sharing, liability protection is. Cooperation with the Congress is an imperative. My contacts in the US Capitol say these initiatives are coming out with little consultation with Congress, which also brings up the question of the measures’ ultimate implementation.”
Jeff Williams, CTO, Contrast Security:
“I’m encouraged by all the talk about public-private partnerships that bring security to the forefront for government, large businesses, small businesses, and consumers. The panelists were right about the problems of speed and scale that cybersecurity involves. I was thrilled to see that there is awareness of the complexity and importance of the problem at the highest levels of government and business.
However, the overwhelming theme of the summit was that the way forward is to focus on the threats and that communication will enable us to stop attacks. I have serious doubts as to whether chasing the threat will have any effect whatsoever – the attribution problem is so significant in cyberattacks that after months we still have no resolution to the Sony attack, much less Anthem or others.
The worst part is that spending all this effort chasing our tails takes away from time we should be focused on building secure code and strong defenses. The fact that we are still producing code with SQL injection after almost two decades is embarrassing. The government can and should play a role in encouraging the software market to produce secure code. But with a confusing patchwork of agencies, agendas, and responsibilities, government has fallen far behind the financial industry in their ability to secure their own house.”
Jason Lewis, Chief Collection and Intelligence Officer of Lookingglass Cyber Solutions:
“The White House is pushing a lot of recommendations that don’t seem to have gone through a vetting process by experienced technologists. The effort to weaken encryption will ultimately have the opposite of the desired effect. There are new rules that impact security researchers and will lead to less secure systems, because it will be illegal for researchers to test those systems.
The positive results will be the increased visibility and discussion about these issues. For me, if the US government really wanted to improve security they would be at the forefront of data sharing and making it easier for researchers to contribute, not harder.”
Dan Waddell, Director of Government Affairs, (ISC)2:
“It’s important that the American public put this issue into perspective. As mentioned by Lisa Monaco, the White House’s top aide for counterterrorism and homeland security, the cyber threat is becoming more diverse, sophisticated and dangerous. The actions of cyber attackers, while seldom seen played out online, are potentially as egregious on many different levels including economically, militarily, and in regards to the public’s day-to-day safety.
Overall, I think it’s a positive sign that we’re having these discussions at the highest levels of both the public and private sectors as well as academia. CEOs, CISOs, government leaders and educators are all saying the same thing – cybersecurity is an absolute necessity to help protect our nation’s interests. It has an impact on every aspect of our lives – from homeland security, to defense, to the economy, to energy and critical infrastructure, to health, etc. Everyone shares a common interest: We need to secure information of the people, for the people.”
Chris Wysopal, CTO & co-founder at Veracode:
“The challenge for the tech industry is they need to retain the trust of their users or they can’t grow their businesses, which require more and more intimate data be stored and processed by them. That is why, after many years of security professionals complaining of the lack of SSL usage by major tech companies, it wasn’t until the Snowden revelations that it was finally enforced by the big players.
“The federal government has to convince the people using Google, Yahoo, Apple, etc., not the executives from those companies, that their data is safe from wholesale snooping or the information sharing they want is going to be a struggle.”
Ken Westin, Security Analyst Tripwire:
“This Order and the information sharing initiatives are a step in the right direction; however, the challenge will be in the implementation, where citizens’ privacy and civil liberties are protected, as well as making any intelligence gathered through these initiatives relevant and actionable for government agencies as well as private industry. Making these initiatives effective, secure and manageable will require strong oversight and properly allocated resources to implement, not just initially, but also over the next few years as the program evolves. There needs to be constant vigilance and review of processes, data collected and effectiveness of the program in order to ensure agencies do not overreach and that the program itself remains useful to industry and agencies alike.
The devil is truly in the details. Although I believe the spirit and intentions of the Order are good, it will be critical that there is transparency and oversight regarding its implementation. The government is breaking new ground and it is important to tread carefully, as there is a lot to learn in the process of developing a system of this scale and depth. I sincerely hope that the government will be involving not just law makers and political thinkers, but also technologists and security experts from both private industry and the government to ensure the program is implemented efficiently, securely and meets established requirements for the program.”
*Additional reporting by Eduard Kovacs
US Slaps Sanctions on North Korea After Sony Hack
Posted on January 4, 2015 by Kara Dunlap in Security
The United States imposed new sanctions Friday on North Korea in retaliation for a cyber attack on Hollywood studio Sony Pictures.
In an executive order President Barack Obama authorized the US Treasury to place on its blacklist three top North Korean intelligence and arms operations, as well as 10 government officials, most of them involved in Pyongyang’s arms exports.
Obama said he ordered the sanctions because of “the provocative, destabilizing, and repressive actions and policies of the Government of North Korea, including its destructive, coercive cyber-related actions during November and December 2014.”
The activities “constitute a continuing threat to the national security, foreign policy, and economy of the United States,” he added, in a letter to inform congressional leaders.
“The order is not targeted at the people of North Korea, but rather is aimed at the Government of North Korea and its activities that threaten the United States and others,” Obama added.
The sanctions come after hackers penetrated Sony’s computers in late November, stealing and releasing over the Internet employee information, unreleased films and an embarrassing trove of emails between top company executives.
The hackers — a group calling itself Guardians of Peace — then began to issue threats against the company over the looming Christmas release of the comedy film “The Interview”, which depicts a fictional CIA plot to kill North Korea’s leader.
The threats led first to worried movie theater owners dropping the film and then Sony cancelling the public debut altogether, before releasing it online.
After the hackers invoked the 9/11 attacks in their threats, the White House branded it a national security threat, and an investigation by the FBI said North Korea was behind the Sony intrusion.
Pyongyang repeatedly denied involvement, but has applauded the actions of the shadowy Guardians of Peace group.
‘Proportional’ response
The White House stressed Friday that its response will be “proportional”, but also that the sanction actions were only “the first aspect of our response.”
“We take seriously North Korea’s attack that aimed to create destructive financial effects on a US company and to threaten artists and other individuals with the goal of restricting their right to free expression,” said White House press secretary Josh Earnest.
In parallel with the White House announcement, the Treasury named the first targets of sanctions in the Sony case.
They included the Reconnaissance General Bureau, the government’s main intelligence organization, and two top North Korean arms exporters: Korea Mining Development Trading Corporation (KOMID) and Korea Tangun Trading Corporation.
The individuals named included agents of KOMID in Namibia, Russia, Iran and Syria, and other representatives of the government and the sanctioned organizations.
An administration official, briefing reporters, said that they remain “very confident” in their assessment that Pyongyang is behind the attack on Sony, amid doubts raised by security experts.
The official said the three organizations had “no direct involvement” with the hacking. “They’re being designated to put pressure on the North Korean government,” the official said.
It was the first time the Treasury sanctions mechanism had been invoked due to a threat to a private company, the official acknowledged.
The sanctions forbid US individuals and companies from doing business with those blacklisted, and freeze any assets those blacklisted might have on US territory.
A particular aim of such sanctions is to limit their access to international financial services by locking them out of the US financial system.
All three of the organizations blacklisted in the Sony case are already under US sanctions for the country’s persistence with its nuclear weapons program, its alleged provocations on the Korean peninsula, and other “continued actions that threaten the United States and others,” as Obama said in his letter.
North Korea Calls Obama ‘Monkey’, Blames US for Blackout
Posted on December 27, 2014 by Kara Dunlap in Security
North Korea on Saturday called US President Barack Obama a “monkey” for inciting cinemas to screen a comedy featuring a fictional plot to kill its leader, and blamed Washington for an Internet blackout this week.
The isolated dictatorship’s powerful National Defence Commission (NDC) threatened “inescapable deadly blows” over the film and accused the US of “disturbing the Internet operation” of North Korean media outlets.
The Internet outage triggered speculation that US authorities may have launched a cyber-attack in retaliation for the hacking of Sony Pictures — the studio behind madcap North Korea comedy “The Interview”.
Washington has said the attack on Sony was carried out by Pyongyang.
The NDC accused Obama of taking the lead in encouraging cinemas to screen “The Interview” on Christmas Day. Sony had initially cancelled its release after major US cinema chains said they would not show it, following threats by hackers aimed at cinemagoers.
“Obama always goes reckless in words and deeds like a monkey in a tropical forest,” a spokesman for the NDC’s policy department said in a statement published by the North’s official KCNA news agency.
“If the US persists in American-style arrogant, high-handed and gangster-like arbitrary practices despite (North Korea’s) repeated warnings, the US should bear in mind that its failed political affairs will face inescapable deadly blows,” the NDC spokesman said.
He accused Washington of linking the hacking of Sony to North Korea “without clear evidence” and repeated Pyongyang’s condemnation of the film, describing it as “a movie for agitating terrorism produced with high-ranking politicians of the US administration involved”.
Unlikely symbol of free speech
The film took in $1 million in its limited-release opening day, showing in around 300 mostly small, independent theatres. It was also released online for rental or purchase.
The film, which has been panned by critics, has become an unlikely symbol of free speech thanks to the hacker threats that nearly scuppered its release.
The low-brow comedy revolving around the fictional assassination of North Korean leader Kim Jong-Un played to packed cinemas across the US.
A file sharing website reported the film had been illegally downloaded more than 750,000 times.
Online services for Sony’s PlayStation and Microsoft’s Xbox gaming consoles, which had decided to release the film online, went down Thursday, apparently attacked by hackers.
Microsoft’s online network for its Xbox gaming console was restored to nearly full service Friday but the PlayStation network remained down.
The NDC spokesman called again for a joint investigation into the Sony hack, which has already been rejected by the US, while accusing Washington of “beating air after being hit hard by others”.
“In actuality, the US, a big country, started disturbing the Internet operation of major media of the DPRK (North Korea), not knowing shame like children playing a tag,” he said.
From Monday night, websites of the North’s major state media went dead for hours.
The cause of the outages in North Korea’s already limited Internet access has not been confirmed. The US has refused to say whether it was involved in the shutdown.
The North has about one million computers — mainly available at educational and state institutions — but most lack any connection to the world wide web.
All online content and email are strictly censored or monitored with access to the Internet strictly limited to a handful of top party cadres, propaganda officials and expatriates.
KCNA previously compared Obama to a black “monkey” in a zoo in May, prompting Washington to condemn the comments as “ugly and disrespectful”.
The North Korean mouthpiece also earlier this year called South Korean President Park Geun-Hye a “prostitute” in thrall to her “pimp” Obama.
MBR Wiper Attacks Hit Korean Power Plant: Trend Micro
Posted on December 24, 2014 by Kara Dunlap in Security
Researchers at Trend Micro revealed details of an attack against a major Korean utility company hit by malware designed to wipe the master boot records (MBR) of compromised computers.
According to Trend Micro, the malware is believed to have infected the targeted systems through a vulnerability in the Hangul Word Processor (HWP), a commonly-used application in South Korea. The attackers used a variety of social engineering lures as well.
“We detect the malware as TROJ_WHAIM.A, which is a fairly straightforward MBR wiper,” according to Trend Micro. “In addition to the MBR, it also overwrites files that are of specific types on the affected system. It installs itself as a service on affected machines to ensure that it will run whenever the system is restarted. Rather cleverly, it uses file names, service names, and descriptions of actual legitimate Windows services. This ensures that a cursory examination of a system’s services may not find anything malicious, helping this threat evade detection.”
“This particular MBR-wiping behavior, while uncommon, has been seen before,” the researchers noted. “We observed these routines in March 2013 when several attacks hit various South Korean government agencies resulting in major disruptions to their operations. The malware involved in this attack overwrote the MBR with a series of the words PRINCPES, HASTATI, or PR!NCPES. The recent attack on Sony Pictures also exhibited a similar MBR-wiping capability.”
Trend Micro also found similarities to the previous MBR wiper attacks. All three attacks overwrite the MBR with certain repeated strings; this attack uses the repeating “Who Am I?” string, while the Sony attack used a repeating 0xAAAAAAAA pattern.
The attack on Sony has caused a further rift between North Korea and the United States, as U.S. President Barack Obama promised last week that the United States would offer a proportional response to North Korea’s involvement in the attack.
North Korea has denied any involvement in the incident. The country began suffering Internet outages this week, though the cause of those outages remains unclear.
“While there are definite similarities in the behavior of all these attacks, this is not enough to conclude that the parties behind the attacks are also related,” according to Trend Micro. “All three attacks have been well documented, and it is possible that the parties behind each attack were “inspired” by the others without necessarily being tied. Without sufficient evidence, we cannot make claims either way.”
“These attacks highlight our findings about the destructive, MBR-wiping malware that appear to have become a part of the arsenal of several threat actors,” the researchers added. “This is a threat that system administrators will have to deal with, and not all targeted attack countermeasures will be effective. Techniques to mitigate the damage that these attacks cause should be considered as a part of defense-in-depth networks.”
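The report’s observation that all three wipers overwrite the MBR with a repeating string is something a defender can check for directly on a disk image. The following Python is an added example written for this page, not code from Trend Micro or from the report: it inspects a 512-byte boot sector, flags the fill strings the report names (“Who Am I?”, PRINCPES / HASTATI / PR!NCPES, and the 0xAAAAAAAA pattern), looks for any other whole-sector repetition, and sanity-checks the boot signature and partition table so that an unknown fill still stands out. The three sample sectors are constructed inline, and the pattern labels are descriptive names chosen here rather than vendor detection names.

```python
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"       # last two bytes of a well-formed MBR
PARTITION_TABLE_OFFSET = 446       # four 16-byte entries precede the signature

# Fill strings reported for the wipers discussed on the page. The labels are
# descriptive names chosen for this example, not vendor detection names.
KNOWN_FILL_PATTERNS = {
    b"Who Am I?": "TROJ_WHAIM.A-style fill",
    b"PRINCPES": "March 2013 South Korea fill",
    b"PR!NCPES": "March 2013 South Korea fill",
    b"HASTATI": "March 2013 South Korea fill",
    b"\xAA\xAA\xAA\xAA": "Sony-style 0xAAAAAAAA fill",
}


def smallest_repeating_unit(data):
    """Return the shortest byte string u with data == u * k for some k >= 2, or None.
    Catches whole-sector fills that the pattern table does not know about."""
    n = len(data)
    for length in range(1, n // 2 + 1):
        if n % length == 0 and data[:length] * (n // length) == data:
            return data[:length]
    return None


def partition_table(sector):
    """Decode the four MBR partition entries; empty entries (type 0) are skipped."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack(
            "<B3sB3sII", sector[off:off + 16])
        if ptype != 0:
            entries.append({"bootable": status == 0x80, "type": ptype,
                            "lba_start": lba, "sectors": count})
    return entries


def inspect_mbr(sector):
    """Classify a 512-byte boot sector as 'ok', 'suspicious' or 'wiped'."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected a %d-byte sector, got %d" % (SECTOR_SIZE, len(sector)))
    # A known fill string covering at least half the sector is treated as a match.
    matched = sorted({label for pattern, label in KNOWN_FILL_PATTERNS.items()
                      if sector.count(pattern) * len(pattern) >= SECTOR_SIZE // 2})
    unit = smallest_repeating_unit(sector)
    result = {
        "valid_signature": sector[-2:] == BOOT_SIGNATURE,
        "partitions": partition_table(sector),
        "matched_patterns": matched,
        "repeating_unit": unit,
    }
    if matched or unit is not None:
        result["verdict"] = "wiped"
    elif not result["valid_signature"] or not result["partitions"]:
        result["verdict"] = "suspicious"
    else:
        result["verdict"] = "ok"
    return result


def _partition_entry(bootable, ptype, lba_start, sectors):
    # status byte, CHS start (zeroed), type, CHS end (zeroed), LBA start, sector count
    return struct.pack("<B3sB3sII", 0x80 if bootable else 0x00, b"\0\0\0",
                       ptype, b"\0\0\0", lba_start, sectors)


# Constructed sample sectors; none of these were captured from a real system.
CLEAN_MBR = (bytes(range(256)) + bytes(range(190))          # stand-in for boot code
             + _partition_entry(True, 0x07, 2048, 1_000_000)
             + b"\0" * 48 + BOOT_SIGNATURE)
WHOAMI_MBR = (b"Who Am I?" * 57)[:SECTOR_SIZE]              # repeated-string overwrite
SONY_STYLE_MBR = b"\xAA" * SECTOR_SIZE                      # repeating 0xAAAAAAAA

if __name__ == "__main__":
    for name, sector in [("clean", CLEAN_MBR), ("who-am-i", WHOAMI_MBR), ("0xAA", SONY_STYLE_MBR)]:
        r = inspect_mbr(sector)
        print("%-9s verdict=%-10s patterns=%s unit=%r"
              % (name, r["verdict"], r["matched_patterns"], r["repeating_unit"]))
```

Read the first sector of a forensic image with `open(path, "rb").read(512)` and pass it to `inspect_mbr`. The repetition check is deliberately separate from the pattern table: a fill string that does not divide 512 evenly (such as the 9-byte “Who Am I?”) is caught by the count threshold, while an unfamiliar one-byte or four-byte fill is caught by the periodicity test.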
Secret Documents Say NSA Had Broad Scope, Scant Oversight: Report
Posted on July 1, 2014 by Kara Dunlap in Security
WASHINGTON – The US National Security Agency has been authorized to intercept information “concerning” all but four countries worldwide, top-secret documents say, according to The Washington Post.
“The United States has long had broad no-spying arrangements with those four countries – Britain, Canada, Australia and New Zealand,” the Post reported Monday.
Yet “a classified 2010 legal certification and other documents indicate the NSA has been given a far more elastic authority than previously known, one that allows it to intercept through US companies not just the communications of its overseas targets but any communications about its targets as well.”
The certification – approved by the Foreign Intelligence Surveillance Court and included among a set of documents leaked by former NSA contractor Edward Snowden — says 193 countries are “of valid interest for US intelligence.”
The certification also let the agency gather intelligence about entities such as the World Bank, the International Monetary Fund, European Union and the International Atomic Energy Agency, the report said.
“These documents show both the potential scope of the government’s surveillance activities and the exceedingly modest role the court plays in overseeing them,” Jameel Jaffer, deputy legal director for the American Civil Liberties Union who had the documents described to him, told the Post.
The report stresses the NSA did not necessarily target nearly all countries but had authorization to do so.
It should come as cold comfort to Germany which was outraged by revelations last year that the NSA eavesdropped on Chancellor Angela Merkel’s mobile phone, as well as about wider US surveillance programs of Internet and phone communications.
Germany’s parliament is investigating the extent of spying by the US National Security Agency and its partners on German citizens and politicians, and whether German intelligence aided its activities.
The privacy issue is a particularly sensitive one in formerly divided Germany.
Ties between Washington and Europe more broadly, as well as other nations such as Brazil, have been strained since the revelations, despite assurances from US President Barack Obama that he is ending spy taps on friendly world leaders.
The Obama administration has insisted the NSA needs tools to be able to thwart terror attacks not just against the United States, but also its allies.
Snowden, a 30-year-old former NSA contractor was granted temporary asylum by Russia last August after shaking the American intelligence establishment to its core with a series of devastating leaks on mass surveillance in the US and around the world.
Yahoo CISO Says Now Encrypting Traffic Between Datacenters, More Encryption Coming
Posted on April 3, 2014 by Kara Dunlap in Security
Yahoo’s recently-appointed VP of Information Security and CISO said that, as of this week, Internet traffic moving between Yahoo’s data centers is now fully encrypted.
Alex Stamos, who joined the company last month and has been tasked with securing Yahoo’s online products, provided a status update Wednesday on the company’s initiatives to protect users and their data.
The efforts by Yahoo are the latest as Internet and technology firms scramble to boost their security efforts and up encryption after Edward Snowden began to leak classified details on the scope of US government spying.
According to Stamos, the company has accomplished the following:
• Made Yahoo Mail more secure by making browsing over HTTPS the default.
• Has enabled encryption of mail between its servers and other mail providers that support the SMTPTLS standard.
• The Yahoo Homepage and all search queries that run on the Yahoo Homepage and most Yahoo properties also have HTTPS encryption enabled by default.
• Implemented the latest in security best-practices, including supporting TLS 1.2, Perfect Forward Secrecy and a 2048-bit RSA key for many of the company’s global properties.
He also said that users can initiate an encrypted session for a variety of the company’s news and media services by typing “https” before the site URL in their web browser.
“One of our biggest areas of focus in the coming months is to work with and encourage thousands of our partners across all of Yahoo’s hundreds of global properties to make sure that any data that is running on our network is secure,” Stamos wrote in a blog post. “Our broader mission is to not only make Yahoo secure, but improve the security of the overall web ecosystem.”
A new, encrypted, version of Yahoo Messenger will be available in the months ahead, Stamos said.
“In addition to moving all of our properties to encryption by default, we will be implementing additional security measures such as HSTS, Perfect Forward Secrecy and Certificate Transparency over the coming months,” Stamos continued. “This isn’t a project where we’ll ever check a box and be “finished.” Our fight to protect our users and their data is an on-going and critical effort. We will continue to work hard to deploy the best possible technology to combat attacks and surveillance that violate our users’ privacy.”
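The properties Stamos lists (TLS 1.2, forward secrecy, a 2048-bit RSA key, HSTS) are each checkable from what a client observes on a connection. The Python below is an added example written for this page, not Yahoo’s code: it parses a `Strict-Transport-Security` header, decides whether a cipher suite name implies an ephemeral key exchange, audits a recorded endpoint against those four properties, and builds a client `ssl.SSLContext` that refuses anything older than TLS 1.2. The one-year `MIN_HSTS_MAX_AGE` threshold and the two endpoint records are assumptions constructed for the example, not figures from the post.

```python
import ssl

# Assumed threshold for this example: one year, a common HSTS recommendation
# (not a figure taken from the page).
MIN_HSTS_MAX_AGE = 31536000


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security header value.

    Directive names are case-insensitive, max-age is mandatory, and unknown
    directives are ignored. Returns None when the header is unusable."""
    parsed = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if not name:
            continue                      # empty piece from a trailing ';'
        if name == "max-age":
            if not value.isdigit():
                return None
            parsed["max_age"] = int(value)
        elif name == "includesubdomains":
            parsed["include_subdomains"] = True
        elif name == "preload":
            parsed["preload"] = True
    return parsed if parsed["max_age"] is not None else None


def cipher_has_forward_secrecy(cipher_name):
    """Perfect Forward Secrecy requires an ephemeral key exchange.

    OpenSSL-style TLS 1.2 names carry ECDHE/DHE (older builds spell DHE as EDH);
    TLS 1.3 suite names omit the exchange because every TLS 1.3 handshake is ephemeral."""
    name = cipher_name.upper()
    if name.startswith(("TLS_AES_", "TLS_CHACHA20_")):
        return True
    return any(kx in name for kx in ("ECDHE", "DHE", "EDH"))


def audit_tls_posture(observed):
    """Check one observed endpoint against the four properties listed in the post.

    `observed` is a dict with keys protocol, cipher, rsa_bits and hsts (header value
    or None). Returns a list of findings; an empty list means every check passed."""
    findings = []
    if observed["protocol"] not in ("TLSv1.2", "TLSv1.3"):
        findings.append("protocol %s is older than TLS 1.2" % observed["protocol"])
    if not cipher_has_forward_secrecy(observed["cipher"]):
        findings.append("cipher %s has no forward secrecy" % observed["cipher"])
    if observed.get("rsa_bits") is not None and observed["rsa_bits"] < 2048:
        findings.append("RSA key is %d bits, below 2048" % observed["rsa_bits"])
    hsts = parse_hsts(observed["hsts"]) if observed.get("hsts") else None
    if hsts is None:
        findings.append("HSTS header missing or malformed")
    elif hsts["max_age"] < MIN_HSTS_MAX_AGE:
        findings.append("HSTS max-age %d is below %d" % (hsts["max_age"], MIN_HSTS_MAX_AGE))
    return findings


def strict_client_context():
    """Client-side ssl.SSLContext that refuses anything below TLS 1.2 (Python 3.7+ API)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


# Constructed observations for the example; not measurements of any real host.
HARDENED_ENDPOINT = {"protocol": "TLSv1.2", "cipher": "ECDHE-RSA-AES128-GCM-SHA256",
                     "rsa_bits": 2048, "hsts": "max-age=31536000; includeSubDomains"}
LEGACY_ENDPOINT = {"protocol": "TLSv1.0", "cipher": "AES128-SHA",
                   "rsa_bits": 1024, "hsts": None}

if __name__ == "__main__":
    for label, endpoint in (("hardened", HARDENED_ENDPOINT), ("legacy", LEGACY_ENDPOINT)):
        print(label, audit_tls_posture(endpoint) or "all checks passed")
```

In practice the `observed` record comes from a real handshake: `SSLSocket.version()` and `SSLSocket.cipher()` give the protocol and suite name, the leaf certificate gives the key size, and the HTTP response gives the HSTS header. Certificate Transparency, also mentioned in the post, is not modelled here because it is verified against the certificate’s SCT extensions rather than the handshake parameters.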
Late last month, Google announced that its Gmail service would use added encryption to protect against eavesdropping and keep messages secure.
In December 2013, a group of US-based Internet giants called on Washington to overhaul its surveillance laws. In an open letter to President Obama and Congress, the tech giants called on Washington to lead the way in a worldwide reform of state-sponsored spying.
In January, President Barack Obama announced plans to curtail the reach of massive phone surveillance sweeps by the NSA, but said bulk data collection must go on to protect America from terrorists.
In December, Microsoft said it would “pursue a comprehensive engineering effort to strengthen the encryption of customer data” in order to protect its customers from prying eyes and increase transparency.
US Allows Tech Giants to Reveal Spy Agency Demands
Posted on January 28, 2014 by Kara Dunlap in Security
WASHINGTON – The United States agreed to give technology firms the ability to publish broad details of how their customer data has been targeted by US spy agencies, officials said Monday.
Facing a legal challenge and a furious public debate, Attorney General Eric Holder and Director of National Intelligence James Clapper said the companies would now be allowed to disclose figures on consumer accounts requested.
“The administration is acting to allow more detailed disclosures about the number of national security orders and requests issued to communications providers,” the officials said in a joint statement.
In a letter to tech giants Facebook, Google, LinkedIn, Microsoft and Yahoo, the Justice Department freed them to release the approximate number of customer accounts targeted.
President Barack Obama’s administration has faced pressure from the tech sector following leaked documents outlining vast surveillance of online and phone communications. The companies have said the reports have already begun to affect their business.
Facebook, Google, LinkedIn, Microsoft and Yahoo, which sued for the right to publish more data, said in a joint statement they were pleased with the settlement.
“We filed our lawsuits because we believe that the public has a right to know about the volume and types of national security requests we receive,” the companies said.
“We’re pleased the Department of Justice has agreed that we and other providers can disclose this information. While this is a very positive step, we’ll continue to encourage Congress to take additional steps to address all of the reforms we believe are needed.”
Under the agreement filed with the secretive Foreign Intelligence Surveillance Court the companies will be able to disclose the numbers, within ranges.
They will have an option to reveal within bands of 1,000 the numbers of “national security letters” and specific court orders. Another option will be to disclose, in bands of 250, all the national security requests, lumped together.
The reports will have a six-month lag time, so data for the second half of 2014 may be published in mid-2015, according to the agreement.
Previously, the existence of orders made by the secret court for access to private online data was itself classified, to the outrage of the firms.
In addition to the bare numbers of targeted consumers, the companies will also be permitted to disclose the number but not the nature of selection criteria for broader Internet sweeps.
Civil liberties groups welcomed the deal, while arguing for even more transparency.
“This is a victory for transparency and a critical step toward reining in excessive government surveillance,” said Alex Abdo, an ACLU attorney.
But Abdo said more is needed: “Congress should require the government to publish basic information about the full extent of its surveillance, including the significant amount of spying that happens without the tech companies’ involvement.”
Kevin Bankston of the New America Foundation’s Open Technology Institute called the news “an important victory in the fight for greater transparency around the NSA’s surveillance programs” but said the agreement “falls far short of the level of transparency that an unprecedented coalition of Internet companies, privacy advocates and civil liberties organizations called for this summer.”
“Meaningful transparency means giving companies the ability to publish the specific number of requests they receive for specific types of data under specific legal authorities,” Bankston said.
“Fuzzing the numbers into ranges of a thousand — and even worse, lumping all of the different types of surveillance orders into a single number — serves no national security purpose while making it impossible to effectively evaluate how those powers are being used.”
US tech firms have claimed that reports on the US government’s secretive data collection programs have distorted how they work with intelligence and law enforcement. The firms have been asking for permission to disclose more on the nature of the requests and what is handed over.
Google’s petition said that despite reports to the contrary, the US government “does not have direct access to its servers” and that it only complies with “lawful” requests.
The issue caught fire after Edward Snowden, a former IT contractor at the National Security Agency, revealed that US authorities were tapping into Internet user data.
US Lawmakers Say Snowden Was ‘Helped’ by Foreign Power
Posted on January 20, 2014 by Kara Dunlap in Security
WASHINGTON – Edward Snowden may have acted in concert with a foreign power in exposing US surveillance programs, two Republican lawmakers suggested Sunday.
“I think there are some interesting questions we have to answer that certainly would lend one to believe that the Russians had at least in some part something to do” with the affair, House Intelligence Committee chairman Mike Rogers told CBS’s “Face the Nation.”
Rogers, a Republican, said “everything from how he prepared to leave, his route of departure and how he quickly ended up in Moscow” put Snowden’s ties at question.
[Photo caption: Fugitive NSA Leaker Edward Snowden]
The “vast majority” of the information leaked by Snowden, Rogers said “had nothing to do with the NSA program and everything to do with our military capabilities, army, navy, air force, marines.”
Rogers, appearing in a second interview on NBC’s “Meet the Press,” said he didn’t think “it was a gee-whiz luck event that he ended up in Moscow under the handling of the FSB” state security agency in Russia.
Michael McCaul, chairman of the House Homeland Security Committee, told ABC’s “This Week” that he didn’t believe “Mr Snowden was capable of doing everything himself.
“I believe he was helped by others,” the congressman said in an interview from Moscow.
McCaul, a Republican, said he could not say “definitively” that Russia was involved, “but I believe he was cultivated.”
US President Barack Obama curtailed the reach of massive US National Security Agency phone surveillance sweeps Friday, in a long-awaited speech designed to quell a furor over the programs exposed by Snowden.
The president, however, also said bulk data collection must go on to protect America from terrorists.
Obama to Unveil NSA Reforms, Response to Snowden
Posted on January 17, 2014 by Kara Dunlap in Security
WASHINGTON – President Barack Obama will on Friday announce plans to stop the National Security Agency hoarding hundreds of millions of telephone call records, among reforms to US surveillance programs exposed by Edward Snowden.
A senior US official, speaking ahead of Obama’s speech on NSA programs, said that Obama believed trawling for telephone “metadata” was vital to fighting terrorism, but needed to be reformed to preserve civil liberties.
“In his speech, the president will say that he is ordering a transition that will end the Section 215 telephone metadata program as it currently exists,” the senior official told AFP.
The president foresees a move to a program “that preserves the capabilities we need without the government holding this bulk metadata.”
“The president believes that the 215 program addresses important capabilities that allow us to counter terrorism, but that we can and should be able to preserve those capabilities while addressing the privacy and civil liberties concerns that are raised by the government holding this metadata.”
It was not immediately clear how Obama would accomplish the reform or whether he would leave it up to Congress to decide which entity should hold the call data.
Telecommunications companies have balked at suggestions that data on the destination and duration of calls should be held within their servers and be accessed by US spies armed with court permission.
Some activists have suggested a third party company could be charged with holding the data.
Obama will also order Friday another immediate change to the system of telephone data dragnets, requiring a judicial finding before the NSA can query the database, the official said.
Obama has also asked Attorney General Eric Holder and the intelligence community to report to him by March 28 on how the program can be preserved without the government holding the metadata.
Snowden, a fugitive US contractor now exiled in Russia, has fueled months of revelations by media organizations over data mining and spying on foreign leaders by the NSA in one of the biggest security breaches in US history.
The disclosures have infuriated US allies, embarrassed Obama administration diplomats and shocked privacy campaigners and lawmakers.
The White House has assured Americans that data on phone calls and Internet use is only collected to build patterns of contacts between terror suspects — and that US spies are not listening in.
But Obama has said that one of his goals in Friday’s speech at the US Justice Department is to restore public confidence in the clandestine community.
His appearance follows a prolonged period of soul-searching and policy reviews by the White House.
On the eve of the speech, Britain’s Guardian newspaper and Channel 4 News splashed the latest revelations from Snowden.
Their reports said the NSA had collected almost 200 million mobile phone text messages a day from around the world, and used them to extract data on the location, contact networks and credit card details of mobile users.
Civil liberties activists are bracing themselves for disappointment.
Michelle Richardson, legislative counsel for the American Civil Liberties Union, said Thursday that Obama would likely neither outlaw nor significantly reform bulk collection of telephone and Internet metadata.
“We are looking to the president tomorrow to make a very bold statement about reclaiming privacy. We are looking to him to take leadership about reining in these programs,” she said.
“Will our government continue to spy on everyday Americans?”
Kevin Bankston, policy director of the Open Technology Institute at the New America Foundation, warned that if Obama did not announce specific reforms, the battle would shift to Congress.
“President Obama’s trajectory on these issues from reformer to supporter of these programs has been very dispiriting,” Bankston said.
“If he does fail to take a stand and exercise the bold leadership that is necessary, it will become Congress’s responsibility to step into the breach and we look forward to working with them to do so.”
Intelligence chiefs say the programs are perfectly legal, but their opponents say they are unconstitutional.
Obama is also expected to back extra privacy protections for foreigners swept up by the programs and limits to spying on friendly world leaders.
His challenge will be to prove that data mining programs, made possible by swift advances in technology, can enhance national security while restoring public confidence that individual freedoms are safe.
During his deliberations, Obama has had to reconcile his duties as a commander-in-chief sworn to keep Americans safe and his oath to uphold the US Constitution.
Not to mention guard his political flank — Obama knows his Republican enemies would pounce if a future terror attack could be pinned on restrictions he placed on spy agency capabilities.
The president’s speech will also be closely watched for any changes to the PRISM program, which mainly sweeps up Internet data on foreigners, based on records acquired from Internet companies like Google, Yahoo and Apple.
Obama to Unveil Spying Reforms on January 17
Posted on January 11, 2014 by Kara Dunlap in Security
WASHINGTON – US President Barack Obama will unveil reforms to the country’s spying activities on January 17, his spokesman said Friday, following a review of the National Security Agency (NSA).
White House spokesman Jay Carney said that Obama’s remarks next Friday would show the “outcomes of the work that has been done on the review process.”
The White House said on Thursday that the president was nearing the end of his soul searching about US spying reforms as he met lawmakers who oversee the intelligence community.
Obama met the delegation in Washington as part of consultations with players on all sides of the debate on how best to balance US security and privacy rights, following revelations of massive spy agency snooping by fugitive contractor Edward Snowden.
The meeting included several prominent critics of NSA phone and data sweeps. Obama says revelations over the program by Snowden have undermined public confidence in the work of the US intelligence community and reforms are needed.
Republican House Judiciary Committee Chairman Bob Goodlatte, who was one of the lawmakers in the meeting, called on the president to explain why such vast data mining programs — which spy chiefs say help piece together links between terror suspects worldwide — were necessary.
Senior US officials have indicated Obama is considering whether to permit the programs to continue while requiring data to be held either by technology companies or a third party instead of the NSA. Intelligence officers would have to obtain court permission to access the phone records.