A long list of influential security, privacy and technology experts, largely from academic circles, has petitioned the NSA review board to include a technologist among its ranks.
The board, established on Aug. 12 by Director of National Intelligence James R. Clapper upon the orders of the president, is supposed to provide oversight over the U.S. intelligence community’s signals-intelligence and surveillance capabilities. Clapper’s three-paragraph announcement of the board also spoke of the need to balance the country’s national security needs with the need to maintain public trust.
But experts have slammed the board’s makeup because it includes a number of people with close ties to either the White House or Democratic Party. Richard Clarke, former presidential cybersecurity advisor to President George W. Bush, leads the list of panelists familiar to the security industry. The four other panelists include Peter Swire, former OMB privacy director under President Bill Clinton, Michael Morrell, former deputy CIA director under President Obama, Cass Sunstein, former administrator of the White House Office of Administrative and Regulatory affairs, and Geoffrey Stone of the University of Chicago and an informal advisor to Obama’s 2008 campaign.
The review panel, formally known as the Director of National Intelligence Review Group on Intelligence and Communications Technologies, needs to understand the implications of the NSA’s and others’ technical collection capabilities in order to fulfill its charter, the letter to the board states.
“A technologist can situate advancements in modern technology, how they work, what is possible, how data moves through infrastructure and how modern technology may implicate privacy and security,” the group wrote in its letter.
The letter spells out the challenges and potential ramifications of improperly gauging the impacts of the surveillance activities and capabilities, the letter said, adding that the review group will not be successful in gaining a comprehensive understanding of the surveillance systems in place without an independent technologist with no ties to the intelligence community or political groups tied to intelligence. The group also used the Foreign Intelligence Surveillance Court as an example of an oversight board also lacking adequate technical understanding leading to potentially negative consequences.
“Without an understanding of the technical details of the surveillance programs, the FISC has been forced to accept unsupported assertions that the government has made about these programs,” the letter says.
The experts hope the review panel assesses the FISA court’s technical understanding of which it has oversight and adds a technology advisor to that body as well.
The list of luminaries among the 47 who signed the letter, coordinated by the Electronic Frontier Foundation and the Center for Democracy and Technology, includes a number of security and technology pioneers such as Steve Bellovin, Ross Anderson, Ed Felten, Matthew Green, Peter Neumann, Bruce Schneier and Phil Zimmermann. The experts spend considerable space in the letter explaining their concerns over the NSA’s alleged subversion of encryption standards and undermining of popular algorithms with backdoors. The letter covers the supposed backdoor implanted by the NSA in the Dual EC DRBG random number generator central to a number of software products. RSA Security has been the highest profile company urging developers to steer clear of the algorithm, which is used in its BSAFE cryptographic tools and libraries, used at many large companies and government agencies.
The letter also scolds the NSA and GCHQ in the United Kingdom for its alleged hacking of computers to gain pre-encryption access to communications, accusing them of using bogus digital certificates by subverting legitimate certificates or legally ordering Internet companies to use an NSA-owned CERT.
“In the NSA’s dual role as both an information assurance and signals intelligence entity, clearly the signals intelligence mission has trumped information assurance,” the letter said, warning also that companies in the United States may begin to look overseas for security products, and that standards bodies such as the National Institute of Standards and Technology (NIST) may lose their clout because of covert intelligence activity to undermine standards, forcing rogue standards groups to pop up around the world, threatening the compatibility and security of products.
“The Review Group must have deep, competent technical expertise. You must also have access to granular technical details to do this work and you must be able to properly situate the technical reality you find behind the veil of secrecy surrounding the surveillance programs,” the letter concludes. “You must recognize that current NSA surveillance activities make everyone less secure and call into question the extent to which human rights translate into the online environment.”