The U.S. National Security Agency is planning no major changes in its domestic telephone records collection program after a bill to rein in those efforts failed in the Senate this week, the agency's director said.
The NSA will continue to collect U.S. telephone records in bulk, while operating under some restrictions President Barack Obama put on the program back in January, Admiral Michael Rogers, the NSA's director, said during a House of Representatives hearing on cybersecurity Thursday. The NSA would rather wait to see what specific changes to the program Congress will require before making major changes, he told the House Intelligence Committee.
The NSA had hoped to get direction from Congress in the short term, but the agency may have to re-evaluate the telephone records program "if we're unable to gain consensus in the window that we thought," Rogers said. "I don't have an answer to that in my own mind."
The NSA should take steps to end its bulk collection of U.S. phone records even though the USA Freedom Act, a bill that would have left the data in the hands of telecom carriers, failed in the Senate this week, said Representative Adam Schiff, a California Democrat. "There's nothing in statute that requires the government to gather bulk data, so you could move forward on your own with making the technological changes," Schiff said. "You don't have to wait for the USA Freedom Act."
There's no reason for the NSA to wait for congressional approval to put additional limits on the program "if you think this is the correct policy," Schiff added. "Why continue to gather the bulk metadata if [Obama administration officials] don't think this is the best approach?"
But Rogers defended the phone records program, saying it has provided valuable antiterrorism intelligence to federal investigators.
The program operates under court and congressional oversight, and since January the NSA has needed approval from the Foreign Intelligence Surveillance Court before querying the database of collected phone records, he said. Obama in January largely left the program intact while Congress debates it, Rogers said.
"I don't think I've heard the president or the [director of national intelligence] say that the access to the data is not of value," Rogers said. "What I think I've heard is, the question gets to be who should hold the data."
The public has several misconceptions about NSA surveillance programs, said Representative Mike Rogers, the Intelligence Committee's chairman and a Michigan Republican. The NSA is not penetrating U.S. computer networks, he said.
"The NSA is not on American domestic networks, but the Russians, the Chinese, the Iranians, and multiple other bad actors are," Representative Rogers said.
While questions about the NSA phone records program came up, the purpose of Thursday's hearing was more focused on the NSA's other primary role, fighting cyberthreats, than on its surveillance role. Several committee members called on the Senate to pass controversial legislation that would give private companies protections against lawsuits when sharing cyberthreat legislation with each other and with government agencies like the NSA.
Privacy advocates have raised concerns that the cyberthreat sharing bills would allow the NSA and other government agencies to collect private information about customers of companies that are sharing information about cyberthreats.
The House, in April 2013, voted to approve the controversial Cyber Intelligence Sharing and Protection Act [CISPA], but a similar bill has stalled in the Senate. House Intelligence Committee members called on the Senate to pass cyberthreat sharing legislation by the end of the year.
Despite the NSA's mass surveillance programs, the agency isn't interested in getting personal information from companies sharing cyberthreats, Admiral Rogers said.
Personal information would bog down a cyberthreat sharing program, because the NSA has rules requiring it to protect personal data, he added. "That will slow us down," he said. "This is about computer network defense, not about intelligence."
Legislation allowing cyberthreat information sharing needs to define the specific information that can be shared, "so we're just not willy-nilly pushing information for the sake of pushing information," he said. "We should define exactly what we want, what we need, and what companies are going to provide."
Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's email address is firstname.lastname@example.org.
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.