Baker is also opposed in principle to any measures that would forbid the NSA from using its expertise, funding or influence with U.S. industry to weaken security mechanisms, for example by weakening encryption or placing backdoors in products and services. "No, that would be an overreaction," he says. "There are times when weakening security is a good idea. If we know that an encryption program is about to be delivered to an al Qaeda leader, surely we should weaken the product before it's delivered. As for stories claiming that NSA deliberately weakened security more generally, I frankly doubt their accuracy."
What may be the "worst of the ideas for changing the NSA," according to Baker, would be splitting up intelligence gathering and Cyber Command, which today are both headed by Gen. Alexander.
"NSA gathers intelligence by breaking into adversaries' computers. Cyber Command attacks adversaries' networks by breaking into them and causing damage," says Baker. "In short, the two agencies' jobs are virtually indistinguishable. Separating the agencies will spark turf fights. It will do nothing to protect privacy. The people who think this is a good idea tend to be generals who want another combatant command--something that can be awarded to a war-fighting general rather than an intelligence specialist." Baker says having a civilian rather than a military leader for NSA is "not inherently a bad idea" but perhaps not a change worth making.
These arguments are a microcosm of the debates that the powerbrokers in Washington are having as General Alexander's tenure as NSA director comes to a close early next year. More debates are certain to be heard as the Obama-appointed five-person collective called the "Director of National Intelligence Review Group" issues its soon-to-be-released report on NSA surveillance, privacy and civil liberties. The Review Group consists of Richard Clarke, Michael Morell, Geoffrey Stone, Cass Sunstein and Peter Swire. Clarke, now a consultant, had a long career in U.S. intelligence and was a former White House cybersecurity adviser.
In the meantime, the high-tech industry is coming up with security options and encryption for cloud services that they plainly acknowledge are intended to thwart government cyber-spying as much as criminal hackers. Take the Thales e-security hardware module called nShield that can work with the Microsoft Azure Rights Management System to encrypt documents between recipients under Microsoft's just-announced "Bring Your Own Key" initiative. The idea, says Thales vice president of product strategy, Richard Moulds, is that using nShield in Microsoft's "Bring Your Own Key" model in the Azure cloud platform means Microsoft has "zero knowledge" of any data stored in the cloud because Microsoft doesn't have and can't get to the encryption key. Neither can Thales, Moulds says. Only the customer can. So any legal law enforcement requests have to go to the customer holding the encryption key. "We don't have backdoors for anybody," he concluded.