Top officers in US tech firms and the National Security Agency had a cozy relationship and held regular meetings before Edward Snowden’s leaks exposed both sides to public criticism, disclosed email exchanges indicate.
The email communications between NSA director Gen. Keith Alexander and Google executives Sergey Brin and Eric Schmidt were made public by Al Jazeera America, which obtained them under the Freedom of Information Act. The communication refers to events prior to Snowden's disclosures of mass electronic surveillance by the NSA, which forced tech industry captains, including Schmidt, to distance themselves from the agency and express outrage over the practice.
The emails disclosed so far provide no evidence that tech firms willingly participated in NSA bulk collection of personal data. But they indicate a much closer relationship between the American intelligence community and tech firms than implied by Silicon Valley's reaction to Snowden's exposure, Al Jazeera said.
One of the events mentioned in the correspondence was a secret briefing on a government initiative called the Enduring Security Framework (ESF). The initiative was launched with the participation of the Pentagon, the Homeland Security Agency and “18 US CEOs” in 2009 to “coordinate government/industry actions on important (generally classified) security issues that couldn’t be solved by individual actors alone,” Alexander wrote.
“For example, over the last 18 months, we (primarily Intel, AMD [Advanced Micro Devices], HP [Hewlett-Packard], Dell and Microsoft on the industry side) completed an effort to secure the BIOS of enterprise platforms to address a threat in that area,” an email says.
BIOS stands for Basic Input/Output System, firmware used in most personal computers that acts as an interface between the hardware and the operating system. The NSA's effort to thwart an alleged Chinese cyber-warfare plot targeting BIOS upgrades that could “destroy every computer in the world” was the subject of CBS News' "60 Minutes" program last December. The report was received skeptically by some IT professionals.
"There is probably some real event behind this, but it's hard to tell, because we don't have any details," Robert Graham, CEO of Atlanta penetration-testing firm Errata Security, wrote on his blog last night. "It's completely false in the message it is trying to convey. What comes out is gibberish, as any technical person can confirm."
Privacy advocates commented on the story with concern, pointing out that NSA's task to collect communications was in conflict with the task of protecting computer networks from foreign surveillance.
“I think the public should be concerned about whether the NSA was really making its best efforts, as the emails claim, to help secure enterprise BIOS and mobile devices and not holding the best vulnerabilities close to their chest,” said Nate Cardozo, a staff attorney with the Electronic Frontier Foundation’s digital civil liberties team.
Two weeks after the “60 Minutes” broadcast, the German magazine Der Spiegel, citing documents obtained by Snowden, reported that the NSA inserted back doors into BIOS, proving those concerns were legitimate.
When asked about the meeting by Al Jazeera, a Google representative declined to answer specific questions.
“We work really hard to protect our users from cyber-attacks, and we always talk to experts — including in the US government — so we stay ahead of the game,” the representative was cited as saying. “It’s why Sergey attended this NSA conference.”
Emails cited by the report indicate not only professional, but also good personal relationships between Alexander and top Google executives.
“General Keith.. so great to see you.. !” Schmidt wrote Alexander to inform him that he wouldn't be able to attend a meeting in San Jose in August 2012 dedicated to mobile device security. “I’m unlikely to be in California that week so I’m sorry I can’t attend (will be on the east coast). Would love to see you another time. Thank you!”
“Hi Keith, looking forward to seeing you next week. FYI, my best email address to use is [redacted],” Brin wrote in another email. “The one your email went to — firstname.lastname@example.org — I don’t really check.”