Yesterday at the cybersecurity conference "New America: Big Ideas and New Voices," Admiral Mike Rogers, the head of the NSA and U.S. Cyber Command, explained that when he attends such cybersecurity conferences, he says, "Look, there are no restrictions on questions. You can ask me anything." And bright minds in the audience took him up on that. Yet Reuters reported that other than claiming "we fully comply with the law," Rogers refused to comment on Kaspersky Lab's report about the U.S. government using implants on hard drives for surveillance.
He also reiterated what others have said about the leaks courtesy of Edward Snowden, saying they had a "material impact" on intelligence agencies' abilities "to generate insights as to what terrorist groups around the world are doing."
He touched on a potential cyber Pearl Harbor and then praised metadata collection; that might have been because the authority for bulk collection will expire with the Patriot Act in June if Congress does not renew it. After all the revelations in the last two years, including how Executive Order 12333 lets the NSA unconstitutionally collect Americans' communications, we know the Patriot Act isn't the only route for mass spying on everyone. Yet Rogers was insistent that the bulk data collection is in compliance with the Patriot Act.
According to the National Defense Magazine, Rogers said:
The metadata collection generates value for the nation. I honestly believe that. Is it a silver bullet that in and of itself guarantees that there will never be another 9/11 or there won't be a successful terrorist attack? My comment would be no. … It is one component of a broader strategy designed to help enhance our security.
While it is unsurprising, it is definitely disappointing that, like FBI Director Comey, Rogers not only wants a backdoor in encryption, but wants us to believe that such backdoors won't weaken security or be exploited by criminals. Rogers said there needs to be a "legal framework," a "formalized process" for law enforcement to access encrypted communications, since "these are the paths that criminals, foreign actors, terrorists are going to use to communicate."
According to The District Sentinel, Rogers said, "Most of the debate that I've seen has been it's all or nothing. It's either total encryption or no encryption at all... We have shown in other areas that through both technology, a legal framework, and social compact that we have been able to take on tough issues. I think we can do the same thing here."
Security and privacy expert Bruce Schneier disagreed, saying, "It's not the legal framework that's hard, it's the technical framework. That's why it's all or nothing." Then he asked if the NSA is stealing encryption keys from U.S. tech companies. Rogers denied it.
Although the back-and-forth between Rogers and Yahoo Chief Information Security Officer Alex Stamos has been widely reported, it's a pushback that's worth repeating. Stamos said to Rogers, "It sounds like you agree with Director Comey that we should be building defects into the encryption in our products so that the U.S. government can decrypt… all of the best public cryptographers in the world would agree that you can't really build backdoors in crypto. That it's like drilling a hole in the windshield."
Rogers countered with "I've got a lot of world-class cryptographers at the National Security Agency."
Stamos pointed out that Yahoo has "about 1.3 billion users around the world," and "if we're going to build defects/backdoors or golden master keys for the U.S. government," then what other "countries should we give backdoors to?"
Rogers responded: "My position is — hey look, I think that we're lying that this isn't technically feasible. Now, it needs to be done within a framework. I'm the first to acknowledge that. You don't want the FBI and you don't want the NSA unilaterally deciding, so, what are we going to access and what are we not going to access? That shouldn't be for us. I just believe that this is achievable. We'll have to work our way through it. And I'm the first to acknowledge there are international implications. I think we can work our way through this."
Stamos is not the only spokesman for a tech giant that clearly opposes the use of backdoors. Apple CEO Tim Cook previously went on record to say the "NSA would have to cart us out in a box" before Apple would provide the government a backdoor to its products. Cook warned, "Sacrificing our right to privacy can have dire consequences."
Also, according to the transcript posted on Just Security by John Reed, Rogers took exception to Stamos using the term "backdoor," claiming:
"Backdoor" is not the context I would use. When I hear the phrase "backdoor," I think, "well, this is kind of shady. Why would you want to go in the backdoor? It would be very public." Again, my view is: We can create a legal framework for how we do this. It isn't something we have to hide, per se. You don't want us unilaterally making that decision, but I think we can do this.
Speaking of sounding "shady," Rogers also said, "Be grateful that you live in a nation that is willing to have this kind of dialogue."