Surveillance review board recommends U.S. shift to cyber defense

By Joseph Menn

SAN FRANCISCO (Reuters) - The task force appointed by the White House to review controversial surveillance programs and other operations by the National Security Agency has recommended policy shifts that emphasize cybersecurity defense.

Among other proposals, the five-member panel's report issued on Wednesday said the NSA should refrain from inserting deliberate weaknesses in encryption systems that "guard global commerce." Instead, the government should work to promote strong encryption, and its use "should be greatly expanded" to benefit the cause of Internet freedom and protect American business.

"Encryption is an essential basis for trust on the Internet; without such trust, valuable communications would not be possible. For the entire system to work, encryption software itself must be trustworthy," the panel wrote to the White House.

The panel also warned that concerns abroad about the revelations of widespread surveillance via U.S. technology companies "can directly reduce the market share" of these companies, reducing U.S. economic growth.

Such statements, along with the group's broader call to scale back mass data collection, were immediately welcomed by technology groups that have objected to the programs on behalf of member companies.

"Assurances such as these are vital to American companies' success in foreign markets. Equally important is the United States' credibility as a worldwide advocate for a communications tool that promotes democracy," said Computer & Communications Industry Association Chief Executive Ed Black.

"If we do not model the ideals of Internet privacy and freedom, some countries will use that perception to justify greater controls and censorship of the Internet."

Two other proposals will be welcome to many longtime cybersecurity defenders if adopted by the White House or Congress.

The first is that the NSA's Information Assurance Directorate be split off from the agency and housed at the Department of Defense. The directorate is charged primarily with keeping military networks secure, but because of its expertise it has come to play a large role in protecting civilian and non-government assets as well.

Echoing private complaints from veterans of the agency, the review group said there has been an imbalance favoring offense within NSA, and that "potential conflicts of interest" arise when the dominant mission is penetration, not protection.

In a similar attempt to rebalance toward defense, the panel said the use of newly discovered flaws in software in attacks should be subjected to more careful review by representatives of multiple agencies.

Those flaws are known in the security world as zero-day vulnerabilities, because the maker of the software has had no notice of their existence. Trade in the programs that take advantage of such flaws has boomed in recent years, with U.S. intelligence agencies collectively the largest buyer.

As detailed in a May Reuters report, the use of zero-days alarms defenders for a number of reasons, including the fact that they can be bought simultaneously by hostile parties and that the U.S. agency buyers do not warn the software makers, leaving their customers exposed.

The review panel said that the National Security Council staff should review the use of zero-days and generally approve their use only in "rare instances" for high priority targets after senior review by multiple departments.

Most of the time, the report said, the government should use the information about zero-days to make sure that government and private networks are patched.

The NSA referred questions about the recommendations to the White House. A White House spokeswoman said they are not ready to respond to individual recommendations in the report.

(Reporting by Joseph Menn. Editing by Andre Grenon)