Silicon Valley, DC at odds on security clearances

US wants more high-level security clearances
US wants more high-level security clearances

Beltway insiders say foot-dragging by some Silicon Valley firms is making it harder for Washington to protect American companies from cyberattacks in real time.

U.S. government officials say privately they are frustrated that Silicon Valley technology firms are not obtaining U.S. security clearances for enough of their top executives, according to interviews with officials and executives in Washington and California. Those clearances would allow the government to talk freely with executives in a timely manner about intelligence they receive, hopefully helping to thwart the spread of a hack, or other security issues.

The lack of cooperation from Silicon Valley, Washington officials complain, injects friction into a process that everyone agrees is central to the fight to protect critical U.S. cyberinfrastructure: Real-time threat information sharing between government and the private sector.

Read More

The frustration points to a sharp cultural and generational split between intelligence and cybersecurity experts in Washington, many of whom are U.S. military vets in their 40s and 50s, and those in Silicon Valley, who can be younger and have a more skeptical view of the U.S. government.

"It's a philosophical pushback in Silicon Valley by young entrepreneurs mostly fueled by the Snowden revelations," said a former high-ranking U.S. intelligence official. "It's happening at start-ups, plus some companies that have size and resilience."

At issue is whether or not global companies with employees from around the world have patriotic obligations to the countries in which they are headquartered. And it comes at a time when those obligations have been seriously tested by the revelations of NSA spying by Edward Snowden.

The former intelligence official said dealing with Silicon Valley firms is much different than his experience in other industries—or with all American companies a generation ago. "It used to be, during World War II or the Cold War, that getting cooperation from boards of directors was pretty straightforward. That's not true today, particularly at these huge start-ups that went from nothing to billions."

Read More 3 key principles for cybersecurity

From the U.S. government's perspective, the problem is that cybersecurity intelligence can often be fleetingly valuable, and any delay in passing it on to the companies involved can make the information out-of-date. At companies which do not have cleared employees, the U.S. Department of Homeland Security can obtain temporary waivers to "read in" executives on a case-by-case basis. Or the government can declassify or sanitize information to be passed on.

But both of those processes take time. Government officials say they have made a concerted effort to make security clearances available to Silicon Valley firms.

According to one technology company employee, Silicon Valley firms are deliberately controlling the number of employees who have U.S. government security clearances—as a way to minimize the amount of information the U.S. government asks them for.

And he said the resistance to getting cleared is directly based on the Snowden NSA spying disclosures. "If we had a lot more people with security clearances, they'd send us a lot more requests for information," the employee said. "So we can control how much they ask for by limiting it to just certain people." The employee described it as an effort to deliberately throttle the amount of information flowing to the US government.

The employee said his company is reluctant to talk about its security clearances on the record at all. "If we said, 'yeah we have a lot of people who are cleared,' the national security folks would say, 'Great, you're an American company, and you're doing the right thing.' But we'd get blasted for it. And we'd particularly get blasted for it in Europe where they'd say, 'see, they're in bed with the NSA.'"

Politically, many Silicon Valley firms see the world much differently than the Obama administration, despite the significant money Obama raised in the valley and the support he found there in 2008 and 2012. That has stark implications for the next Democratic presidential nominee. "I'm a liberal Democrat," the tech company employee said. "But my views on privacy are closer to Rand Paul's than Hillary Clinton's."

Government officials would not say which specific firms are least cooperative. CNBC asked 15 of the most significant firms in Silicon Valley whether or not their chief information security officials had permanent U.S. government clearances, and received a variety of responses.

A spokesperson for LinkedIn said Ganesh Krishnan, the firm's head of security engineering and information security, does not have any permanent U.S. clearances. The spokesperson did not respond to follow-up questions about why Krishnan is not cleared.

At other firms, spokespeople did not respond to repeated requests for information or declined to comment. Firms that did not answer the question included: Google, Intel, Hewlett-Packard, Oracle, Yahoo, eBay, Adobe and Netflix.

Firms that do have government-cleared executives include Apple, Facebook, Cisco, Intuit, Twitter and Electronic Arts.

Recent weeks have seen several flashpoints between Silicon Valley and the Beltway. On Feb. 23, for example, the chief security officer for Yahoo clashed with the head of the NSA in an unusual public confrontation at a conference in Washington.

The Yahoo executive, Alex Stamos, pointedly asked NSA Director Adm. Mike Rogers whether the U.S. government thinks Yahoo should agree to requests to build backdoors into its systems from all countries where the company does business—including Russia and China—or just the United States. Rogers replied, in part, "We'll have to work our way through it."

A Yahoo spokesperson declined to tell CNBC whether Stamos has any permanent U.S. government security clearances.

Earlier in February, the top executives from Google, Facebook and Yahoo were notable no-shows at President Barack Obama's cybersecurity summit at Stanford University in Palo Alto, California. Each company sent lower-level executives instead.

Tim Cook, CEO of Apple, did attend the president's summit, but focused his comments on stage on protecting online privacy—implicitly including protection from the government. "We still live in a world where all people are not treated equally," Cook said. "Too many people do not feel free to practice their religion, or express their opinion, or love who they choose—a world in which that information can make the difference between life and death."

Apple is one of the Silicon Valley companies that does have employees with permanent U.S. government security clearances.

President Barack Obama speaks at the Summit on Cybersecurity and Consumer Protection at Stanford University in Palo Alto, Calif., Feb. 13, 2015.
Kevin Lamarque | Reuters

A senior administration official told CNBC that the government is wary about creating an impression that it's forcing Silicon Valley executives to get cleared. "We're not going to tell them what to do," the official said. "We certainly respect that a company is going to make its own decisions on this, like whether to clear folks and how many to clear."

Read More5 billion Android apps open to hack

At the same time, the administration official said the decision not to get cleared causes problems. "If they don't get clearances, it will have a limiting effect," the official said. "There is considerable utility in having a clearance, especially when it comes to sharing classified information."

The official said the Obama administration is committed to declassifying as much cybersecurity information as it can in order to continue to send valuable intelligence to the industry. "We're committed to moving as much information as we can—it's up to each company."

In Silicon Valley, however, cybersecurity executives have a different perspective on the tension. "I believe that this is more about the overclassification of information and the relatively low value that government cyberintel has for tech firms," said one Silicon Valley executive. "Clearances are a pain to get, despite what government people think. Filling out the paper work … is a nightmare, and the investigation takes a ridiculous amount of time."

It's the hassle factor, as much as any ideological concern, driving reluctance to obtain security clearances as well as skepticism that U.S. government intelligence is all that useful.

"I think tech companies are doing a return-on-investment analysis and don't think the government intel is worth the cost or effort," said the Silicon Valley executive. "This is why government threat signature sharing initiatives are such a nothing-burger: The signatures are of limited value and only a few select companies with clearances can actually use them."

Silicon Valley executives complain about the government's "Standard Form 86," known as an "SF-86," which employees must fill out to apply for a U.S. government security clearance. It's a precursor to a formal interview process that can take a year or more.

Former government intelligence officials admit the process is too slow for many fast-moving tech companies. The form—which anyone can download from the General Services Administration website here—is 127-pages long and asks for information on everything from family members to personal travel and history of drug use. Non-U.S. citizens are not eligible for security clearances.

Executives and government security officials agree that the questionnaire can be burdensome—and sometimes ridiculous. Other questions asked on the SF-86:

"Have you ever advocated any acts of terrorism or activities designed to overthrow the US government by force? Provide the reasons for advocating acts of terrorism."

"Have you ever experienced financial problems due to gambling?"

"Has a court or administrative agency ever declared you mentally incompetent?"

Although it is not headquartered in Silicon Valley, Microsoft is a tech company that is experienced in dealing with government intelligence.

"I think that security clearances have been a part of the equation for many years—it's not, frankly, a new concept," said Microsoft General Counsel Brad Smith. "We need new steps to protect public safety. But we also need to win people's confidence and trust when it comes to the protection of privacy. And it's that balance that, frankly, only Congress can strike."

—By CNBC's Eamon Javers. Follow him on Twitter: