SAN FRANCISCO » President Barack Obama’s newly installed defense secretary, Ash Carter, toured Silicon Valley last week to announce a new military strategy for computer conflict, starting the latest Pentagon effort to invest in promising startups and to meet with engineers whose talent he declared the Pentagon desperately needed in fending off the nation’s adversaries.
He immediately acknowledged, though, the need to rebuild trust with Silicon Valley, whose mainstays – like Apple, Google and Facebook (whose new headquarters were toured by Carter) – have spent two years demonstrating to customers around the world that they are rolling out encryption technologies to defeat surveillance. That, of course, includes blocking the National Security Agency, a critical member of the military-intelligence community.
"I think that people and companies need to be convinced that everything we do in the cyber domain is lawful and appropriate and necessary," Carter told students and faculty at Stanford.
He urged the next generation of software pioneers and entrepreneurs to take a break from developing killer apps and consider a tour of service fending off Chinese, Russian and North Korean hackers, even as he acknowledged that the documents leaked by Edward J. Snowden, the former intelligence contractor, "showed there was a difference in view between what we were doing and what people perceived us as doing."
Carter’s careful appeal was part of a campaign last week by government officials trying to undo the damage of Snowden’s revelations. While Carter got a respectful hearing, Jeh Johnson, the secretary of Homeland Security, and a group of other government officials ran into a buzz saw of skepticism at the world’s largest conference of computer security professionals, just 30 miles to the north.
Those officials argued for some kind of technical compromise to allow greater security of electronic communications while enabling the FBI and intelligence agencies to decode the emails and track the Web activities of suspected terrorists or criminals. Yet many among the computer security professionals at the conference argued that no such compromise was possible, saying that such a system would give Russians and Chinese a pathway in, too, and that Washington might abuse such a portal.
Not long after Johnson declared that "encryption is making it harder for your government to find criminal activity, and potential terrorist activity," large numbers of entrepreneurs and engineers crammed into the first of several seminars called "Post-Snowden Cryptography." There, they took notes as the world’s best code makers mocked the Obama administration’s drive for a "technical compromise" that would ensure the government some continued access.
Ronald Rivest, one of the inventors of a commonly used encryption algorithm, took on the arguments by Johnson and other senior U.S. officials, including John P. Carlin, head of the Justice Department’s national security division, that the best minds in Silicon Valley could find a way to ensure legal government access while still assuring users that their communications and data stored in their iPhones and the cloud are safe.
"There are lots of problems with these ideas," Rivest said. "We live in a global information system now and it’s not going to be just the U.S. government that wants a key, it’s going to be the U.K., it’s going to be Germany, it’s going to be Israel, it’s going to be China, it’s going to be Iran, etc."
It was clear all week that the Snowden revelations, while fading in memory across much of the country, have not been forgotten in the rapidly growing computer and encryption communities here.
One of Johnson’s deputies, Phyllis Schneck, projected colorful graphics on a screen that showed the government’s plans for real-time monitoring and blocking of malware flowing through the Internet, urging private industry to help.
"We want you to make money," said Schneck, a former chief technology officer at McAfee Inc., known for its virus-protection software. Many in the crowd, though, said they worried whether the government would turn any malware-monitoring system to other uses.
Obama’s computer coordinator, Michael Daniel, who has been trying to preside over the unwieldy administration debate over encryption rules, was meeting executives in private and calling in public for "cybernorms of behavior" that could constrain the kind of hackers who attacked U.S. corporations, the White House, the State Department and the Pentagon. But he acknowledged that this was an area where the grindingly slow wheels of diplomacy were being outpaced by technological development.
"The government fears its own obsolescence," said retired Adm. Patrick M. Walsh, who left the Navy in 2012 and is now an executive at iSight Partners, a cybersecurity firm.
Carter, in his Stanford talk, noted that past wars were fought state to state. But in computer conflict, he said, the most sophisticated threats and weapons are seen by banks, security firms and Silicon Valley companies like Apple, Google, Yahoo, Twitter and Facebook that serve as conduits for the world’s communications. That is data Washington most needs.
Yet nearly two years after the Snowden revelations, many companies are as reluctant as ever to give the government any information unless they are compelled to do so, particularly as they try to convince foreign customers in global markets that they are doing everything they can to keep Washington at a distance.
The new defense secretary received what was probably the warmest welcome of government officials on the tour through Silicon Valley. Carter, who did graduate studies at Stanford, returned for much of last year, until Obama pulled him back to Washington. That time gave him a new appreciation, he said, for how ill-suited the Pentagon’s lumbering procurement system was in taking advantage of new technology and startups.
At Facebook he talked with Sheryl Sandberg, a former colleague from the Clinton administration, about using social media to connect the troops – and the challenges it poses as terror groups become adept at exploiting it. On Friday he went to a venture capital firm, Andreessen Horowitz, to meet with the founders of a series of relatively new ventures.
"He really just wanted to explore how their technologies might be applied to current problems at the Pentagon," said Margit Wennmachers, a partner at the firm, who joined the session. During the meetings, Carter spoke with an executive of GitHub, an Andreessen Horowitz portfolio company, which was recently targeted by China in a cyberattack intended to keep Western news reports out of the hands of the Chinese public.
Obama, on a trip to Stanford in February, had expressed sympathy with those who were striving to protect privacy, even while saying it had to be balanced against the concerns of the FBI and other agencies that fear "going dark" because of new encryption technologies. (Apple says that with its new iPhone operating system, it has no way to decode data in phones, even if given a court order.) Obama’s aides say decisions about how to resolve these differences are still months away.
With so much more data at stake, and attacks so frequent, cryptographers say the need for encryption is greater than ever.
One proposal, by Adm. Michael S. Rogers, the head of the NSA, is to develop a split-key system in which companies hold half and the government, or some outside agent, holds the other half of the key to unlock encrypted communications. The two would be put together only with approval of a court. But many computer security experts reject the idea, saying it leaves too much room for theft, and would motivate other governments to require the same.
"The amount of information that intelligence officials are collecting – even if some sources go dark – is dramatically more than it has been in history," Paul Kocher, a cryptographer, said Wednesday. "The idea that we need to stop rolling out technology to keep our industries and businesses safe, to keep a few sources from going dark, is certainly not a tradeoff."
David E. Sanger & Nicole Perlroth, New York Times