Panel Recommends Limits on NSA SurveillanceIndependent Panel's Report Offers 46 Recommendations
A presidential panel has made 46 recommendations that include limiting the National Security Agency's surveillance methods, such as curtailing how the government systematically collects and stores metadata from Americans' phone calls.
The five intelligence and legal experts who wrote a 308-page report, Liberty and Security in a Changing World, recommend the metadata be maintained by communications providers, rather than the NSA. And they say that government agencies should only be able to search the metadata if they obtain a court order.
See Also: Threat Briefing: Ransomware
"In our view, the current storage by the government of bulk meta-data creates potential risks to public trust, personal privacy and civil liberty," the report says. "We recognize that the government might need access to such meta-data, which should be held instead either by private providers or by a private third party. This approach would allow the government access to the relevant information when such access is justified, and thus protect national security without unnecessarily threatening privacy and liberty."
President Obama ordered the review after former NSA contractor Edward Snowden leaked documents revealing government surveillance programs (see How Did Snowden Breach NSA System). The report, issued Dec. 18, also includes a recommendation aimed at preventing the NSA from subverting initiatives to create secure encryption to safeguard confidential communications and data.
Reports earlier this year that said the NSA had cracked much of the encryption that shields global commerce and Internet communications caused the National Institute of Standards and Technology to withdrawal one of its cryptographic guides (see NIST to Review Crypto Guidance Methods). The panel says it's aware of these reports, but says it could not find any evidence that the NSA circumvented encryption. Still, it says the suggested limits to be placed on the NSA are designed to encourage the proper use of encryption.
The White House had planned to release the report, along with Obama's response to it, in January. But a day after the president met with key technology company executives who criticized NSA surveillance practices, the administration decided to move up the release of the report (see President Confronts NSA Critics).
Report Gets High Marks
Cryptographer and author Bruce Schneier, who first reported concerns that the NSA meddled in NIST's cryptography standards in 2007, says he's "flabbergasted at how good" the panel's recommendations are. "I expected something much, much worse," he says. "[But] I can't imagine that the White House will accept these recommendations."
In fact, the White House precluded one of the panel's recommendations even before the report was submitted. Army Gen. Keith Alexander, who will retire this spring, serves as NSA director as well as commander of the military's Cyber Command. The panel not only recommends ending the dual-hatted position, but suggests the director of the NSA could be a civilian. A general or admiral has always led the NSA.
The Obama administration last week rejected that idea. "Following a thorough interagency review, the administration has decided that keeping the positions of NSA director and Cyber Command commander together as one, dual-hatted position is the most effective approach to accomplishing both agencies' missions," says White House spokeswoman Caitlin Hayden.
James Lewis, a cybersecurity expert at the think tank Center for Strategic and International Studies, says the panel's strong recommendations would go far to rebuild trust by addressing legitimate concerns about NSA's collection activities.
"While some of its recommendations are tangential or superfluous, the central recommendations, if adopted, would go far to bring the intelligence programs and the laws passed after 9/11 into line with the constitutional requirements for judicial oversight and with the reforms that have guided intelligence collection since the 1970s," he says.
Jacob Olcott, principal for cybersecurity at the consultancy Good Harbor Consulting, says he believes the recommendations will be well-received by leaders of the House and Senate judiciary committees, but suspects that members of the intelligence committees would find the proposals to be overreaching. (Good Harbor is headed by Richard Clarke, one of the panel's five members.)
The report also recommends that the federal government:
- Consider potential economic and diplomatic harm before deciding to spy on foreign leaders;
- Improve intelligence coordination with allies and partners;
- Create a public interest advocate to represent the interests of privacy and civil liberties before the secret Federal Intelligence Surveillance Courts;
- Restrict FISA courts from compelling phone companies to disclose private information to the government;
- Prohibit for-profit companies from conducting security clearance investigations;
- Develop software to allow targeted information acquisition rather than bulk-data collection;
- Mitigate insider threats so classified information is only accessed by those who need to see it;
- Create a new and strengthened agency, the Civil Liberties and Privacy Protection Board, to receive whistle-blower complaints;
- Review personnel security clearances continuously rather than on a fixed schedule;
- Continuously monitor all networks carrying classified data by employing tools such as the Einstein 3 intrusion detection program.
"This report sends a very strong message to the executive and legislative branches that rebuilding this trust is an essential priority for our nation to move forward," says Olcott, a former senior cybersecurity staffer and counsel for the Senate Commerce Committee. "The Internet age has certainly ushered in a new era of transparency, and this report helps promote that idea by calling for some very important changes in the way that the U.S. government publicly discloses information about these surveillance programs."