“General Keith.. so great to see you.. !”

coderman coderman@gmail.com
Tue May 6 13:12:13 PDT 2014


http://america.aljazeera.com/articles/2014/5/6/nsa-chief-google.html

Exclusive: Emails reveal close Google relationship with NSA

National Security Agency head and Internet giant’s executives have
coordinated through high-level policy discussions

May 6, 2014 5:00AM ET
by Jason Leopold @JasonLeopold

Email exchanges between National Security Agency Director Gen. Keith
Alexander and Google executives Sergey Brin and Eric Schmidt suggest a
far cozier working relationship between some tech firms and the U.S.
government than was implied by Silicon Valley brass after last year’s
revelations about NSA spying.

Disclosures by former NSA contractor Edward Snowden about the agency’s
vast capability for spying on Americans’ electronic communications
prompted a number of tech executives whose firms cooperated with the
government to insist they had done so only when compelled by a court
of law.

But Al Jazeera has obtained two sets of email communications dating
from a year before Snowden became a household name that suggest not
all cooperation was under pressure.

On the morning of June 28, 2012, an email from Alexander invited
Schmidt to attend a four-hour-long “classified threat briefing” on
Aug. 8 at a “secure facility in proximity to the San Jose, CA
airport.”

“The meeting discussion will be topic-specific, and decision-oriented,
with a focus on Mobility Threats and Security,” Alexander wrote in the
email, obtained under a Freedom of Information Act (FOIA) request, the
first of dozens of communications between the NSA chief and Silicon
Valley executives that the agency plans to turn over.

Alexander, Schmidt and other industry executives met earlier in the
month, according to the email. But Alexander wanted another meeting
with Schmidt and “a small group of CEOs” later that summer because the
government needed Silicon Valley’s help.

“About six months ago, we began focusing on the security of mobility
devices,” Alexander wrote. “A group (primarily Google, Apple and
Microsoft) recently came to agreement on a set of core security
principles. When we reach this point in our projects we schedule a
classified briefing for the CEOs of key companies to provide them a
brief on the specific threats we believe can be mitigated and to seek
their commitment for their organization to move ahead … Google’s
participation in refinement, engineering and deployment of the
solutions will be essential.”

Jennifer Granick, director of civil liberties at Stanford Law School’s
Center for Internet and Society, said she believes information sharing
between industry and the government is “absolutely essential” but “at
the same time, there is some risk to user privacy and to user security
from the way the vulnerability disclosure is done.”

The challenge facing government and industry was to enhance security
without compromising privacy, Granick said. The emails between
Alexander and Google executives, she said, show “how informal
information sharing has been happening within this vacuum where there
hasn’t been a known, transparent, concrete, established methodology
for getting security information into the right hands.”

The classified briefing cited by Alexander was part of a secretive
government initiative known as the Enduring Security Framework (ESF),
and his email provides some rare information about what the ESF
entails, the identities of some participant tech firms and the threats
they discussed.

Alexander explained that the deputy secretaries of the Department of
Defense, Homeland Security and “18 US CEOs” launched the ESF in 2009
to “coordinate government/industry actions on important (generally
classified) security issues that couldn’t be solved by individual
actors alone.”

“For example, over the last 18 months, we (primarily Intel, AMD
[Advanced Micro Devices], HP [Hewlett-Packard], Dell and Microsoft on
the industry side) completed an effort to secure the BIOS of
enterprise platforms to address a threat in that area.”

“BIOS” is an acronym for “basic input/output system,” the system
software that initializes the hardware in a personal computer before
the operating system starts up. NSA cyberdefense chief Debora Plunkett
in December disclosed that the agency had thwarted a “BIOS plot” by a
“nation-state,” identified as China, to brick U.S. computers. That
plot, she said, could have destroyed the U.S. economy. “60 Minutes,”
which broke the story, reported that the NSA worked with unnamed
“computer manufacturers” to address the BIOS software vulnerability.

But some cybersecurity experts questioned the scenario outlined by Plunkett.

“There is probably some real event behind this, but it’s hard to tell,
because we don’t have any details,” wrote Robert Graham, CEO of the
penetration-testing firm Errata Security in Atlanta, on his blog in
December. “It’s completely false in the message it is trying to
convey. What comes out is gibberish, as any technical person can
confirm.”

And by enlisting the NSA to shore up their defenses, those companies
may have made themselves more vulnerable to the agency’s efforts to
breach them for surveillance purposes.

“I think the public should be concerned about whether the NSA was
really making its best efforts, as the emails claim, to help secure
enterprise BIOS and mobile devices and not holding the best
vulnerabilities close to their chest,” said Nate Cardozo, a staff
attorney with the Electronic Frontier Foundation’s digital civil
liberties team.

He doesn’t doubt that the NSA was trying to secure enterprise BIOS,
but he suggested that the agency, for its own purposes, was “looking
for weaknesses in the exact same products they’re trying to secure.”

The NSA “has no business helping Google secure its facilities from the
Chinese and at the same time hacking in through the back doors and
tapping the fiber connections between Google base centers,” Cardozo
said. “The fact that it’s the same agency doing both of those things
is in obvious contradiction and ridiculous.” He recommended dividing
offensive and defensive functions between two agencies.

Two weeks after the “60 Minutes” broadcast, the German magazine Der
Spiegel, citing documents obtained by Snowden, reported that the NSA
inserted back doors into BIOS, doing exactly what Plunkett accused a
nation-state of doing during her interview.

Google’s Schmidt was unable to attend the mobility security meeting
in San Jose in August 2012.

“General Keith.. so great to see you.. !” Schmidt wrote. “I’m unlikely
to be in California that week so I’m sorry I can’t attend (will be on
the east coast). Would love to see you another time. Thank you !”

Since the Snowden disclosures, Schmidt has been critical of the NSA
and said its surveillance programs may be illegal.

Army Gen. Martin E. Dempsey, chairman of the Joint Chiefs of Staff,
did attend that briefing. Foreign Policy reported a month later that
Dempsey and other government officials — no mention of Alexander —
were in Silicon Valley “picking the brains of leaders throughout the
valley and discussing the need to quickly share information on cyber
threats.” Foreign Policy noted that the Silicon Valley executives in
attendance belonged to the ESF. The story did not say mobility threats
and security was the top agenda item along with a classified threat
briefing.

A week after the gathering, Dempsey said during a Pentagon press
briefing, “I was in Silicon Valley recently, for about a week, to
discuss vulnerabilities and opportunities in cyber with industry
leaders … They agreed — we all agreed on the need to share threat
information at network speed.”

Google co-founder Sergey Brin attended previous meetings of the ESF
group but because of a scheduling conflict, according to Alexander’s
email, he also could not attend the Aug. 8 briefing in San Jose, and
it’s unknown if someone else from Google was sent.

A few months earlier, Alexander had emailed Brin to thank him for
Google’s participation in the ESF.

“I see ESF’s work as critical to the nation’s progress against the
threat in cyberspace and really appreciate Vint Cerf [Google’s vice
president and chief Internet evangelist], Eric Grosse [vice president
of security engineering] and Adrian Ludwig’s [lead engineer for
Android security] contributions to these efforts during the past
year,” Alexander wrote in a Jan. 13, 2012, email.

“You recently received an invitation to the ESF Executive Steering
Group meeting, which will be held on January 19, 2012. The meeting is
an opportunity to recognize our 2012 accomplishments and set direction
for the year to come. We will be discussing ESF’s goals and specific
targets for 2012. We will also discuss some of the threats we see and
what we are doing to mitigate those threats … Your insights, as a key
member of the Defense Industrial Base, are valuable to ensure ESF’s
efforts have measurable impact.”

A Google representative declined to answer specific questions about
Brin’s and Schmidt’s relationship with Alexander or about Google’s
work with the government.

“We work really hard to protect our users from cyberattacks, and we
always talk to experts — including in the U.S. government — so we stay
ahead of the game,” the representative said in a statement to Al
Jazeera. “It’s why Sergey attended this NSA conference.”

Brin responded to Alexander the following day even though the head of
the NSA didn’t use the appropriate email address when contacting the
co-chairman.

“Hi Keith, looking forward to seeing you next week. FYI, my best email
address to use is [redacted],” Brin wrote. “The one your email went to
— sergey.brin@google.com — I don’t really check.”
