Officials Woo Tech Companies in Push for Cybersecurity Law
Senior U.S. officials on Wednesday sought to mend fences with the technology industry as they renewed their pleas for legislation to increase the flow of information about cyber attacks between federal agencies and private companies.
A plan to protect companies from privacy lawsuits if they turn over data on electronic intrusions was a central feature of the administrations cybersecurity agenda last year, but legislation containing it failed to pass and it has not gained momentum during this Congressional session.
The previous bill brought opposition from privacy advocates who feared too much data would end up in the hands of the National Security Agency, which is aligned the with military and generally charged with spying overseas. Those arguments resonate more now that documents leaked by Edward Snowden showed that the NSA collects domestic calling records and that big Internet companies provide information on thousands of overseas customers.
"If we thought that information-sharing was moving slowly before, now it's moving even more slowly," a senior administration official said in an interview granted on condition of anonymity.
The White House task would be easier with technology companies' support, but some are reluctant to endorse anything that would exacerbate the negative publicity from Snowden's documents.
NSA Director Keith Alexander stressed Wednesday that Google Inc, Facebook Inc and other technology companies revealed by Snowden as assisting the NSA were only doing what courts had ordered them to do in a "compelled relationship." A half-dozen companies are petitioning U.S. courts for the right to disclose more about how much they turn over, saying that early media reports exaggerated their role.
"Industry has done the right thing, and we need industry to work with us on cyber legislation," Gen. Alexander said in a speech at Billington Cybersecurity Summit in Washington. "If we can't share information with them, we won't be able to stop it."
The senior U.S. official said the White House wants security legislation that would minimize data on Americans and limit what the NSA could do with that data.
In the meantime, federal agencies are working to share more information with each other more rapidly and automatically where feasible, and officials are expanding a program to use secret data about emerging threats to protect private companies that are critical to the country's economic health.
In another bid to make amends with the technology industry, the U.S. National Institute of Standards and Technology is revisiting its past endorsement of a cryptology tool developed at the NSA that Snowden's papers show was promoted because it was weak and could be broken by the NSA. EMC Corp's RSA security division and others adopted the tool and have recently asked software writers to stop relying on it, but many programs using it are in wide circulation.
A NIST official told Reuters that the agency would work closely with outside cryptography experts to see whether other standards were problematic. "We are looking at reviewing our processes," said Donna Dodson, deputy cybersecurity advisor at NIST.
Alexander and Mike Rogers, chair of the House Intelligence Committee, gave spirited defenses of the NSA programs, which Alexander said had helped prevent dozens of terrorist attacks, and said that most of the violations described in declassified court rulings were minor.
"It's not a privacy violation. It's a bureaucratic issue and a technology issue," Rogers said at a cybersecurity event put on by the U.S. Chamber of Commerce.
Alexander said that over the past decade, the NSA had self-reported 12 "willful" violations of its own spying rules overseas, and that the majority of those responsible had taken retirement afterward. Two were demoted and had their pay docked.
(Reporting by Joseph Menn; Additional reporting by Alina Selyukh; Editing by Richard Chang)