NSA Surveillance Backlash, International Events Affect Cybersecurity Policy, U.S. Officials Say

Alexander continued to defend the NSA programs, saying the agency was doing what the White House, Congress and federal courts directed it to do. But he also suggested that the scope of those programs should be narrowed so they only collect terrorism-related data, and noted that he would be going to the White House later Tuesday to discuss the possible change. NSA and U.S. Cyber Command must also continue to play a role in cybersecurity defenses since they have unique insights into cyberthreats against the U.S., he said. The NSA surveillance-caused backlash’s effect on cybersecurity issues was a frequent topic of discussion during the Georgetown event, though U.S. officials also highlighted the government’s efforts to engage industry stakeholders and the international community on cyber issues.

Retired Gen. Michael Hayden, former head of the NSA and CIA, said he believed the leaks “laid bare the reality and the implications of the shifting cultural understanding over what constitutes legitimate privacy and legitimate transparency.” The leaks also “tore the veil off” the growing gulf between the U.S. and Europe over the balance between security and privacy. Former NSA Deputy Director Chris Inglis said he believes the U.S. and Europe both look at the issue in terms of the balance between security and privacy, but just come at it in different ways. Inglis suggested the U.S. should have a “much more public discussion” on its surveillance programs and that it should define norms of behavior for the programs.

Sen. Sheldon Whitehouse, D-R.I., blasted the NSA for its slow response to the initial leaks that disclosed its programs. “I think a lot of damage was done in the days and weeks that followed because the response was so slow and so delayed, and it took a long time until people could get it together to put the true story out there,” he said. NSA and the White House “would have been wise to have been prepared for the possibility of a sudden, catastrophic, unauthorized leak,” he said. That lack of planning meant Whitehouse and others in Congress “were stuck because if you're a member of Congress you are not a declassifier,” Whitehouse said. “And even if something is out there, unless it has been formally declassified, you can be arrested for commenting on or echoing things -- even if they're out in the public domain."

Whitehouse also said he believes “we should do everything we can to update our laws to address the cyberthreat” rather than wait until the NSA backlash dies down. “Don’t give up on Congress entirely,” he said, noting that he has partnered with Sens. Richard Blumenthal, D-Conn., Roy Blunt, R-Mo., and Lindsey Graham, R-S.C., on the Cyber Security Public Awareness Act (S-1638). The bill would require the Department of Justice, the SEC and other federal agencies to publicly disclose cyberthreats and the steps they are taking to address those threats. “The American people need to better understand the nature of the cyberthreat,” he said.

The U.S. has made progress on cybersecurity issues, but it remains a difficult problem because many stakeholders still “do not understand the economics of cyberspace,” said White House Cybersecurity Coordinator Michael Daniel. Although stakeholders are well aware of solutions like cyberhygiene and information sharing, policymakers haven’t fully overcome human reluctance to always implement cybersecurity, he said. “Technology alone cannot compensate for bad business practices,” Daniel said. President Barack Obama’s 2013 cybersecurity executive order has tried to take the economics of cyberspace into account by urging stakeholders to voluntarily raise their baseline cybersecurity practices, he said. The executive order’s marquee piece -- the National Institute of Standards and Technology-facilitated Cybersecurity Framework -- was “based on how businesses actually do business -- that is, how they manage risk in the real world,” Daniel said.

The federal government is actively working on cybersecurity on the international stage, incorporating cybersecurity issues into nearly all of its multilateral discussions, Daniel said. The U.S. is also actively working on Internet governance issues, using the U.S. international cyberspace strategy to “further implement a positive agenda for Internet governance” that supports the multistakeholder governance system, he said. The multistakeholder system is under threat from governments who “see the Internet as a thing to be controlled,” Daniel said. Christopher Painter, the State Department’s cyber issues coordinator, said cyber issues have “jumped to the forefront” in the U.S. diplomatic agenda since the department opened its cyber issues office three years ago. The issue has become particularly important in U.S. bilateral discussions with China, and have also increased in importance in discussions with other nations, he said.

The U.S. Internet governance agenda has also been hampered by the NSA scandal, which nations opposed to the multistakeholder model have used to attempt to undermine the model in international forums, Painter said. The U.S. will need to redouble its support for the multistakeholder model since it can’t assume the status quo on Internet governance “will simply endure” when international bodies like the ITU and the Internet Governance Forum debate the issue, Daniel said. The multistakeholder model needs to evolve to become more inclusive of developing nations, he said, noting the work an Internet Corporation for Assigned Names and Numbers-created panel on the future of global Internet cooperation has been doing to update the model (WID Dec 2 p3). That panel is to release a report in the next few weeks outlining its recommendations for the multistakeholder model, which the U.S. is “watching closely,” Daniel said.