A series of email exchanges shows that the working relationship between NSA Director Gen. Keith Alexander and Google executives Sergey Brin and Eric Schmidt is much tighter than was implied earlier.
Following the revelations by Edward Snowden, a former NSA contractor, about the new level of surveillance reached by the agency, some tech executives whose companies cooperated with the government explained this cooperation as an obligation imposed through a court of law. But, judging by two sets of email communications dated a year before Snowden’s revelations, it appears that pressure was not the motive behind the cooperation in all cases.
Google executive Eric Schmidt was invited by Alexander to take part on Aug. 8 in a “classified threat briefing” at a “secure facility in proximity to the San Jose, CA airport.” The email, dated June 28, 2012, also specified that “The meeting discussion will be topic-specific, and decision-oriented, with a focus on Mobility Threats and Security,” and that it would be 4 hours long.
According to the email, Alexander, Schmidt and other industry executives had already met earlier in the same month. Alexander felt that another meeting with Schmidt and “a small group of CEOs” was needed because the government required Silicon Valley’s help.
“About six months ago, we began focusing on the security of mobility devices,” Alexander wrote. “A group (primarily Google, Apple and Microsoft) recently came to agreement on a set of core security principles. When we reach this point in our projects we schedule a classified briefing for the CEOs of key companies to provide them a brief on the specific threats we believe can be mitigated and to seek their commitment for their organization to move ahead … Google’s participation in refinement, engineering and deployment of the solutions will be essential.”
The director of civil liberties at Stanford Law School’s Center for Internet and Society, Jennifer Granick, thinks that although the government and industry must share information with each other to enhance security, they must do that without sacrificing privacy. She also said that the email exchange between Google executives and Alexander shows “how informal information sharing has been happening within this vacuum where there hasn’t been a known, transparent, concrete, established methodology for getting security information into the right hands.”
Alexander’s email provided some important details about the Enduring Security Framework (ESF), such as the role of the organization, the identities of some participating tech firms and the threats they discussed. ESF is a secretive government initiative, of which the classified briefing cited earlier by Alexander is a part.
ESF was launched in 2009 by the deputy secretaries of the Department of Defense, Homeland Security and “18 US CEOs” to “coordinate government/industry actions on important (generally classified) security issues that couldn’t be solved by individual actors alone.”
“For example, over the last 18 months, we (primarily Intel, AMD [Advanced Micro Devices], HP [Hewlett-Packard], Dell and Microsoft on the industry side) completed an effort to secure the BIOS of enterprise platforms to address a threat in that area.”
BIOS is the basic system software installed on a computer; its purpose is to initialize and test the installed hardware components.
In December, Debora Plunkett, the NSA’s cyberdefense chief, revealed that the agency had thwarted a “BIOS plot” by China to kill all U.S. computers. As the plot could have crashed the U.S. economy, the NSA worked with several PC manufacturers to patch this BIOS vulnerability.
The scenario presented by Plunkett was questioned by some cybersecurity experts.
“There is probably some real event behind this, but it’s hard to tell, because we don’t have any details,” wrote Robert Graham, CEO of the penetration-testing firm Errata Security in Atlanta, in December on his personal blog. “It’s completely false in the message it is trying to convey. What comes out is gibberish, as any technical person can confirm.”
By working with the NSA to build their defenses, those companies may have made it easier for the agency to access certain information that was needed for surveillance purposes.
Nate Cardozo, a staff attorney with the Electronic Frontier Foundation’s digital civil liberties team, said, “I think the public should be concerned about whether the NSA was really making its best efforts, as the emails claim, to help secure enterprise BIOS and mobile devices and not holding the best vulnerabilities close to their chest.” Cardozo does not doubt that the enterprise BIOS was being secured, but he implied that the NSA was “looking for weaknesses in the exact same products they’re trying to secure.”
The NSA “has no business helping Google secure its facilities from the Chinese and at the same time hacking in through the back doors and tapping the fiber connections between Google base centers,” Cardozo said. “The fact that it’s the same agency doing both of those things is in obvious contradiction and ridiculous.” Dividing offensive and defensive tasks between two agencies is something that Cardozo strongly suggested.
These fears may have been well founded, as the German magazine Der Spiegel, using documents obtained by Snowden, reported that the NSA inserted back doors into BIOS, exactly what Plunkett said in her interview that China was planning to do.
From the email conversation we also found out that Schmidt couldn’t attend the San Jose mobility security meeting in August 2012.
“General Keith..so great to see you.. !” Schmidt wrote. “I’m unlikely to be in California that week so I’m sorry I can’t attend (will be on the east coast). Would love to see you another time. Thank you !” Since the Snowden revelations, Schmidt has been critical of the NSA and said its surveillance programs may be illegal.
This report was originally published by Al Jazeera.