NSA Pushes Eavesdropping Law, Hits TikTok, Braces for AI-Boosted Attacks
AI will help malicious actors “to be better or faster,” says the spy agency’s cybersecurity director.
NSA leaders are fighting to persuade Congress to renew a controversial law that cuts red tape for intelligence agencies eavesdropping on foreign actors but which has also been improperly used hundreds of times to collect data on Americans.
“So FISA Section 702 is up for renewal this year. And it is a vital source of intelligence. It is an authority that lets us do collection against a known foreign entity who chooses to use U.S. infrastructure,” Rob Joyce, the National Security Agency’s cybersecurity director, said Tuesday during a Center for Strategic and International Studies event. “It makes sure that we don't afford the same protections to those foreign malicious actors who are on our infrastructure as we do the Americans who live here.”
Section 702 of the Foreign Intelligence Surveillance Act, or FISA, gives the U.S. government the ability to digitally spy on foreign targets outside of the U.S. without a warrant. But civil-liberties groups have documented hundreds of times that U.S. citizens’ social-media interactions, phone calls, and emails have accidentally been gathered in 702-related surveillance. New America calls such violations “inadvertent or unintentional” yet “extremely concerning” because they reveal “systemic problems that result from the scope and complexity of the Section 702 surveillance program.” Even the court that oversees FISA cases has noted violations.
But supporters of the law describe it as integral to intelligence and law enforcement efforts. Section 702 is set to expire and is up for reauthorization this year with an expected debate to come. And NSA plans to advocate hard for keeping it, Joyce said.
“I can't do cybersecurity at the scope and scale we do it today without that authority, and so we'll be working hard with Congress, with the administration, with our partners at FBI and others, DOJ, to figure out how we get 702 reauthorized. It's really vital.”
New privacy laws, as well as privacy provisions in cybersecurity laws, are complicating things as well. The standards advanced in the European Union’s five-year-old General Data Protection Regulation, or GDPR, have presented some roadblocks for intelligence agencies.
“There were second-order effects that we didn't—I won't say we didn't appreciate, because there were people sounding the alarm. They were not fully considered in the weight of that,” Joyce said.
“The default was you couldn't know that thing. And so cybersecurity researchers all over the world lost the ability to follow connectivity between banned domains. So we've got to think about second-order reflections,” Joyce said. “There is a need for data privacy, but we've got to have rational connectivity to the rule of law processes that still makes cybersecurity effective.”
TikTok and ChatGPT: our friendly AI overlords?
Joyce said the concern with TikTok isn’t potentially exposing personal data of a subset of individuals but the possibility that the Chinese government could access every bit of metadata the platform gathers.
“Do I think if I loaded TikTok on my phone, they're going to get to all the other sensitive things through that TikTok app tomorrow? Probably not. The cost of exposing to TikTok in that way to exploit one or a small set of users probably isn't worth it. But all the data, the metadata, that they do collect, that goes back to big servers, accessible to China—that's a problem,” Joyce said.
TikTok CEO Shou Chew, who faced intense questioning from Congress last month, pledged that the app would remove U.S. users’ non-public data to servers that can only be accessed by U.S.-based employees. But the NSA cyber director said, echoing lawmakers' concerns, that even the algorithms pose a threat.
“The idea that they own the algorithms that promote or suppress the content. That's a huge problem when you have millions upon millions of eyes consuming the content, and they can dial up something that is divisive, or they can dial down something that is threatening to the PRC. That's the advantage,” he said.
“The technology's impressive. It is really sophisticated,” Joyce said. “Is it going to, in the next year, automate all of the attacks on organizations? Can you give it a piece of software and tell it to find all the zero-day exploits for it? No, but what it will do is it's going to optimize the workflow. It's going to really improve the ability for malicious actors who use those tools to be better or faster.”
That includes phishing or fraud messages that read more like native English-language speakers.
“And in the case of the malicious foreign actors, it will craft very believable native-language English text, that could be part of your phishing campaign or your interaction with a person or your ability to build a backstory—all the things that will allow you to do those activities or even malign influence—that's going to be a problem,” Joyce said.
AI will also help certain hackers reach a new level, he said.
“Is it going to replace hackers and be this super AI hacking? Certainly not in the near term, but it will make the hackers that use AI much more effective and they will operate better than those who don't,” he said.