The former assistant director of the White House’s Office of Science and Technology believes there needs to be a re-evaluation of federal surveillance practices that weaken commercial products and services.
These practices include weakening standards and placing "back doors" into products that are accessible to US government agencies, said Carnegie Mellon University’s Jon Peha, a professor of engineering and public policy, in comments to the Review Group on Intelligence and Communication Technologies established by the White House in response to the controversy over the alleged surveillance practices of the National Security Agency (NSA).
The review group is expected to provide recommendations to the president next week.
Peha said this week that deliberately weakening commercial products and services may make it easier for US intelligence agencies to conduct surveillance, but "this strategy also inevitably makes it easier for criminals, terrorists and foreign powers to infiltrate these systems for their own purposes."
Peha said cybersecurity vulnerabilities created to eavesdrop on terrorists could have unimaginable consequences.
"If we can weaken the standard for a general-purpose encryption algorithm, then it is impossible to predict what will become vulnerable," Peha said. "Perhaps this algorithm will be used to protect stock market transactions, or the real-time control of an electric power grid, or the classified designs of a military aircraft, which would then become vulnerable."
Peha argued that such policies "may have actually compromised both privacy and security in a failed attempt to improve security," and that "Policies that deliberately weaken the security of US products and services will affect US competitiveness. Customers will naturally prefer products and services from companies that they believe are immune from such a policy."
Peha argued that the solution is for the NSA to apply a "comprehensive approach to assessing risks associated with these practices," which includes "protecting individual Americans from cyberattacks that lead to credit card fraud, protecting companies from cyberattacks that lead to theft of intellectual property, and protecting the competitiveness of US information technology firms in the global marketplace."
"A risk assessment that only considers NSA’s ability to conduct surveillance would inevitably lead to practices that weaken the security of commercial products and services even when doing so is harmful to American interests," Peha said.