Feds, Tech Titans Grapple Over Approaches to Cybersecurity

President Obama’s Commission on Enhancing National Cybersecurity met with tech industry executives at UC Berkeley to gather suggestions on how to improve cybersecurity. Executives from Google, Facebook, Dropbox and others had their own agenda: to move the issues of consumer data privacy, transparency and sharing of cyber threats towards more openness. Former NSA director General Keith Alexander and Uber chief security officer Joe Sullivan are among the members of the commission.

TechCrunch points to a major issue between Silicon Valley companies and the federal government: national security letters, or NSLs, that the government uses to “secretively extract user data from companies.”


Tech companies deplore the government’s reliance on NSLs, which are “often accompanied by indefinite gag orders,” meaning affected companies cannot inform users that law enforcement has collected their data. In fact, Yahoo and Microsoft have sued the Justice Department over this issue, leading to a Yahoo victory that allowed the company to make three NSLs public.

“Setting time limits on gag orders — that’s the single most important thing I would ask of government,” said Google vice president of security engineering Eric Grosse. “Systemic, indiscriminate and perpetual use of gag orders is corrosive of trust over time.”

Rather than take specific NSLs to court, Google in 2010 pioneered the practice of “publishing annual transparency reports about NSLs and other government demands for data,” a move that other tech companies have copied.

“We’re not asking that there never be a gag order,” said Grosse, who stresses that the company wants the commission instead to set a time limit for gag orders. That way, when the gag orders expire, Google and others will be able to disclose the information and, in the process, improve public trust.

Threat sharing is another issue that the tech industry and the government have tussled over, with Silicon Valley saying that, by not sharing threat information with the industry, the government leaves companies vulnerable to malware and other threats.

“For the government to become a clearinghouse to get information on advanced threat actors and turning it over, that is a success,” said Facebook chief information officer Alex Stamos. “You can immunize companies… even if you never arrest those people. I would like to see the government start to think that way.”

The government is “beginning to dabble in bug bounties,” with an expansion of that program, but is still leery of sharing the information with private companies.