[Image: © Patrick Semansky/AP]
A panel appointed by President Obama to review the government's surveillance activities has recommended that the National Security Agency no longer keep a database of virtually all Americans' phone records, and that decisions to spy on foreign leaders be subjected to greater scrutiny.

These are two of the more significant recommendations in a 308-page report issued by the White House Wednesday in an effort to restore public confidence in the nation's spying apparatus.

The panel made 46 recommendations in all, which included moving the NSA's information assurance directorate--its computer defense arm--outside the agency and under the Department of Defense's cyber policy office. Allied foreign leaders or those with whom the U.S. shares a cooperative relationship should be accorded "a high degree of respect and deference," the panel said.

"We are not in any way recommending the disarming of the intelligence community," said Michael Morell, former Deputy Director of the CIA and one of five members of the President's Review Group on Intelligence and Communications Technologies, in a press conference.

Obama met Wednesday morning with the panel, whose suggestions are advisory only. The White House has said it will announce in January which recommendations it has chosen to adopt, as it concludes its own internal review of surveillance activities.

The panel is urging that Congress pass legislation to end the NSA's storage of phone records--estimated by some former officials to number more than 1 trillion--and to mandate that the phone companies or a private third party maintain the data instead.

Access to the data would be permitted only with an order from the Foreign Intelligence Surveillance Court based on reasonable suspicion that the information sought is relevant to an authorized terrorism investigation. Each phone number that the NSA wants to search on would require a court order.

The panel is not recommending that the companies hold data any longer than they do now, and companies' retention periods vary from as little as six months in the case of Cricket, a small prepaid phone company, to 10 years for T-Mobile. Of the large firms, Verizon keeps the phone data for one year and AT&T for five years, according to information provided to Sen. Edward Markey (D-Mass.), a Senate Commerce Committee member.

The panel also recommended a prohibition on the government subverting or weakening commercial software in order to get around encryption, that it not undermine efforts to create encryption standards, and that it add oversight to the use and production of "zero day" hacking tools that can be used to penetrate computer systems, and in some cases, damage or destroy them.

Moving the NSA's information assurance directorate, which is in charge of protecting classified government computer systems, is designed to separate a clearly defensive mission from the offensive side of NSA. The offensive part of the agency works to gain access to networks overseas for espionage, and can be used to enable a military cyber attack on an adversary's computer system.

In sum, the panel took aim at some of the most controversial practices of the 35,000-employee signals intelligence agency, headquartered at Fort Meade, Md., which has been in the news constantly since June, when documents leaked by 30-year-old former NSA contractor Edward Snowden began appearing in The Washington Post and the Guardian.

Some U.S. officials have said that the White House, which is free to accept, reject or modify the panel's ideas, has indicated it is not likely to endorse substantive changes to the phone records program. But it is unclear what impact, if any, a recent decision by a federal judge that the collection is likely unconstitutional will have on the administration's deliberations.

Currently, the NSA holds five years of phone records gathered daily from U.S. phone companies. The records include the numbers dialed, and call times and durations, but no actual call content or subscriber names. But U.S. District Judge Richard Leon on Monday described the technology NSA uses to search its database as "almost Orwellian," and civil liberties and conservative groups have sued to end this "bulk collection."

Moving custodianship of the records outside the NSA would diminish the agency's agility in detecting terrorist plots, supporters of the agency say.

The NSA's information assurance directorate protects classified government computer systems and works with industry to help them better safeguard their systems. "Information assurance has a very different mission from that of the NSA," said panel member Richard Clarke, a former White House counterterrorism advisor, alluding to NSA's job of breaking into systems overseas to gain intelligence.

But Tony Sager, a former NSA executive in information assurance, said moving the defensive mission out of NSA may not be wise. "The defensive mission benefits a lot from the technology and the skills of people who work on the offensive side of the house, and vice-versa," he said. "They get better insight into the model of what real adversaries do."

Recent press reports have suggested that the agency is circumventing encryption technology by coercing companies into handing over their encryption keys or building in a "back door"--a way to exploit weaknesses in computer code to enable access to otherwise encrypted communications.

The New York Times also reported that the NSA has worked to weaken international encryption standards and may have successfully placed a vulnerability into an encryption standard adopted in 2006 by the National Institute of Standards and Technology and the International Organization for Standardization. The panel recommended that the government not undermine encryption standards.

The security community has long been concerned that the NSA is building and buying hacking tools that exploit previously unknown software vulnerabilities, known as "zero days." Such tools can be used to hack into systems and steal data or damage computers.

The panel, sources said, has recommended that the NSA not stockpile such tools.

"As a matter of public policy, and harm reduction, the government needs to be in the business of reporting the vulnerabilities that it discovers so they can be fixed," said Matt Blaze, a University of Pennsylvania cryptology expert.

"That said, that doesn't mean that the government can't or wouldn't be able to make use of cyber attack techniques or investigative techniques that involve exploiting computers, even if it does report them," Blaze said.

Staff Writer Craig Timberg contributed to this report.