
Business Implications of the President’s Review Group

Peter Swire

Huang Professor of Law and Ethics, Scheller College of Business

Georgia Institute of Technology

Preface

Thank you for welcoming me to Scheller
A law professor, with business as well:
  IT/privacy/cybersecurity
  Housing finance & health care, including in government
  Taught corporations, torts, antitrust, law & economics
  Grew up in a family business and had real law clients
Look forward to getting to know more of you

Overview of the Talk

Intro to Review Group
Five business issues:
  Business & economics issues into the IC calculus
  US-based global businesses affected by IC decisions
  Lean toward defense in cyber-security
  Support better Internet governance
  Upgrade against insider attacks
Two themes:
  Same Internet for multiple purposes
  Declining half-life of secrets

Creation of the Review Group

Snowden leaks of 215 and Prism in June, 2013
August – Review Group, 5 members
Diversity of backgrounds: technology, business, insider status

Our assigned task

Protect national security
Advance our foreign policy, including economic effects
Protect privacy and civil liberties
Maintain the public trust
Reduce the risk of unauthorized disclosure

Our assigned task (2)

Protect national security
Advance our foreign policy, including economic effects
Protect privacy and civil liberties
Maintain the public trust
Reduce the risk of unauthorized disclosure
Q: A simple task for operations research maximization?
Focus today: implications for business/econ

Our Report

Meetings, briefings, public comments
300+ pages in December
46 recommendations
Section 215 database “not essential” to stopping any attack; recommend government not hold phone records
Pres. Obama speech January: adopt 70% in letter or spirit
Additional recommendations under study
Organizational changes to NSA not adopted

Issue 1: Foreign Affairs/Economics

Major theme of the report is that we face multiple risks, not just national security risks:
  Effects on allies, foreign affairs
  Risks to privacy & civil liberties
  Risks to economic growth & business
Historically, intelligence community is heavily walled off, to maintain secrecy
  NSA especially: signals intelligence, secret and dauntingly complex
Now, convergence of civilian and military/intelligence communications devices, software & networks
Q: How respond to the multiple risks?

Addressing Multiple Risks

RG Recs 16 & 17: New process & WH staff to review sensitive intelligence collection in advance
  Senior policymakers from the economic agencies (NEC, Commerce, USTR) should participate
  Monitoring to ensure compliance with policy
RG Rec 19: New process for surveillance of foreign leaders
  Relations with allies, with economic and other implications, if this surveillance becomes public

Issue 2: US-Based Cloud Companies in a Global Market

The issue: effects on US-based cloud industry
Understanding contrasting perspectives of IC and the IT industry
Intelligence community perspective:
  Snowden a criminal; 0% say whistleblower
  Substantial assistance to adversaries by ongoing revelations of sources & methods
    E.g., reports on techniques for entering into “air-gapped” computer systems
  IC tradition of expecting secrecy over long time scale, so details of intelligence activities rarely disclosed and harms from disclosures rarely experienced

Tech Industry Perspective

Tech industry perspective:
  Silicon Valley – 90% say whistleblower
  Snowden has informed us about Internet realities
  Tech industry libertarianism: “information wants to be free” and suspicion of government & secrecy
  Anger at undermining encryption standards
  More anger for stories that leased lines for Yahoo and Google servers were tapped
  Microsoft GC: the US Government as an “advanced persistent threat”

What is at Stake for the IT Industry

Biggest focus on public cloud computing market
  Double in size 2012-2016
  Initial study estimated losses from Snowden at $21.5 billion/year
  Cloud Security Alliance estimates up to $180 billion/year by 2016 – biggest effect from lower market share for new business
An opening for non-U.S. providers
  Market currently dominated by US companies
  Deutsche Telekom and others: “Don’t put your data in the hands of the NSA and US providers”

The IT Industry Response

Focus of industry response: more transparency
  Regular transparency reports already
    One goal already had been to boost consumer confidence, especially overseas, such as for previous Patriot Act accusations
  Lawsuit and lobbying to expand these reports
  Industry opposition to non-disclosure (gag) orders for National Security Letters, etc.
    Yahoo 2009 lost one then-secret challenge

Moving to More Transparency

RG Rec 9: OK to reveal number of orders, number they have complied with, information produced, and number for each legal authority (215, 702, NSL, etc.), unless compelling national security showing
RG Rec 31: US should advocate to ensure transparency for requests by other governments
  Put more focus on actions of other governments
DOJ agreement with companies in January
  More transparency, but not listed by legal authority
  Ongoing debate, but companies want to stress this issue, to send message of security and public trust

Issue 3: Offense v. Defense for Cyber-security

The issue of trading off offense & defense:
NSA/IC offensive missions
  Foreign intelligence surveillance
  Title 10 – military authorities
  US Cyber Command
NSA/IC defensive missions
  Information Assurance Directorate of NSA
  Protect government systems
  Counter-intelligence
We use precisely one communications infrastructure for both offense and defense

Conflict between Offense & Defense Has Increased

(1) Before: separate communications system behind the Iron Curtain; nation-state actors

Now: same Internet for civilians, terrorists & military

(2) Before: military protected its communication security within the chain of command

Now: critical infrastructure largely civilian; tips to defense get known to attackers

(3) Before: episodic flares of military action

Now: daily & hourly cyber-attacks, to businesses and others, right here at home

Institutional Changes for Defense

RG Rec 24: split leadership of NSA and DoD’s Cyber Command
RG Rec 25: split Information Assurance Directorate of NSA into separate agency
  Would put leadership on the side of defense
  Asymmetric incentives in agency between offense and defense
These recommendations will not be adopted now, for plausible factual reasons

Strong Crypto for Defense

Crypto Wars of the 1990s showed NSA & FBI interest in breaking encryption (offense)

1999 policy shift to permit export globally of strong encryption, necessary for Internet (defense)

Press reports of recent NSA actions to undermine encryption standards & break encryption

RG Rec 29: support strong crypto standards and software; secure communications a priority; don’t push vendors to have back doors (defense)

No announcement yet on this recommendation – it is a tech industry priority

Zero Days & the Equities Process

A “zero day” exploit means a previously unused vulnerability, one where defenders have had zero days to respond

Press reports of USG stockpiling zero days, for intelligence & military use

RG Rec 30: Lean to defense. New WH equities process to ensure vulnerabilities are blocked for USG and private networks. Exception if inter-agency process finds a priority to retain the zero day as secret.

Software vendors and owners of corporate systems have strong interest in good defense

No announcement yet on this recommendation

Issue 4: Internet Governance

The issue: Snowden becomes a huge talking point against the US approach to Internet governance. Potential harms to business, including US-based business.

Bottom-up vs. top-down Internet governance?
Localization rules – split the Internet?
Confidence (re)building and fostering international norms

International Telecommunications Union

US & US industry position: Internet governance as bottom-up, tech-based, multi-stakeholder process. Outputs: innovation, growth, Internet freedom, democracy.

Russia & China: push for major ITU role. Governance by governments. Respect local norms (called “cyber-security” but meaning “censorship”). Oppose “chaos” of current approach.

Swing votes at the ITU: medium-sized economies pay more for Internet service than rich countries, lose inter-connection fees, don’t know how to have a voice in W3C & IETF.

How to Bolster Multi-stakeholder

US Internet Freedom agenda – secure communications by dissenters, democratic freedom, human rights.

Russia & China: Snowden shows US hypocrisy.
Response: legal checks & balances in US; First Amendment; emphatically not used for political repression
RG Rec 32: senior State Department official on these issues
RG Rec 33: support multi-stakeholder approach
Many RG recs: reinforce privacy & civil liberties & oversight in foreign surveillance
PPD-28: extend protections to non-US persons

Localization Proposals

Brazil, Vietnam, Indonesia proposals to require storage locally

EU proposals to restrict data transfers to US; using T-TIP & Safe Harbor as bargaining chips for less US surveillance

RG: emphasize economic & other harms from localization/“splinternet”

Strengthen relations with allies
RG Rec 31: build international norm against localization
RG Rec 34: streamline multi-lateral assistance treaties (MLATs), so no need to hold data there, can get it in US

Issue 5: Insider Threats

The issue: if Snowden can happen to the NSA, is your company more secure than that?

Many RG recs to protect better against insider threats
Theme: system administrator as important threat
  Snowden’s job was to move files; he did that
  Response: separation of functions, reduce sys admin privileges
Theme: USG classified systems followed M&M model
  Response: new access controls, auditing, and other measures within classified systems
Similar threats to business systems
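The slide names four controls against the system-administrator threat (separation of functions, reduced sysadmin privileges, access controls, auditing) without showing how they fit together. The following is an added illustration, not code from the talk or the Review Group report: the role that moves files gets no content access, bulk reads need a second person, and the audit log is checked for volume even on permitted actions. Role names, the threshold and the sample requests are constructed assumptions.

```python
"""Added illustration (not from the talk or the Review Group report) of the
insider-threat controls the slides list: separation of functions, reduced
sysadmin privileges, access controls and auditing. Role names, the threshold
and the sample requests are constructed assumptions."""
from collections import Counter, defaultdict

# Separation of functions: the role that moves files has no content access,
# and the role that reads content cannot bulk-transport files.
PERMISSIONS = {
    "sysadmin": {"move"},         # replicate/transport only, never read
    "analyst": {"read"},          # content access, no transport
    "approver": {"approve_bulk"},
}
BULK_THRESHOLD = 50  # per-user daily count before a second person must sign off


def authorize(user, role, action, approved_by=None, count_today=0):
    """Access control: least privilege per role plus a two-person rule for bulk reads."""
    if action not in PERMISSIONS.get(role, set()):
        return False  # privilege not granted to this role at all
    if action == "read" and count_today >= BULK_THRESHOLD:
        return approved_by is not None and approved_by != user  # no self-approval
    return True


def run_requests(requests):
    """Apply authorize() to (user, role, action, doc) requests; return audit records."""
    reads, log = defaultdict(int), []
    for user, role, action, doc in requests:
        ok = authorize(user, role, action, count_today=reads[user])
        if ok and action == "read":
            reads[user] += 1
        log.append({"user": user, "role": role, "action": action, "doc": doc, "allowed": ok})
    return log


def audit_anomalies(log):
    """Auditing: flag users whose allowed actions exceed the threshold (a permitted
    'move' repeated hundreds of times is still suspicious) and users with denials."""
    counts = Counter((e["user"], e["action"]) for e in log if e["allowed"])
    flagged = {f"{u}:{a}" for (u, a), n in counts.items() if n > BULK_THRESHOLD}
    denied = {e["user"] for e in log if not e["allowed"]}
    return flagged, denied


# Constructed sample: an admin moves 200 files and tries to read one; an analyst reads 60.
SAMPLE = [("admin1", "sysadmin", "move", f"doc{i}") for i in range(200)]
SAMPLE += [("admin1", "sysadmin", "read", "doc7")]
SAMPLE += [("analyst1", "analyst", "read", f"doc{i}") for i in range(60)]

if __name__ == "__main__":
    print(audit_anomalies(run_requests(SAMPLE)))
```

The point of the audit step is the admin case: every move was authorized, and only the volume in the log reveals the problem.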

The Lessons for Business

Business & economics issues into the IC calculus
US-based global businesses affected by IC decisions
Lean toward defense
Support better Internet governance
Upgrade against insider attacks

Broader themes:
One Internet: the same communications infrastructure for numerous purposes – which should drive policy
  IC and police have seen it as a surveillance Internet, after 9/11
  Business sees it as e-commerce, for internal communications and to reach customers
  Individual users – social networks, email, online shopping, much more
  Political speech – a global engine for democracy and civil liberties
Global business & others will have to decide how to help build the Internet it wants

Theme: Declining Half-Life of Secrets

The IC assumption was that secrets lasted a long time, such as 25-50 years
My belief – the half-life of secrets has declined sharply
  Electronic: “my goal is that leaks happen only by a printer”
  No gatekeeper: Ellsberg needed NY Times; Manning has Wikileaks
  Global dissemination: once it leaks, it’s gone
  Crowd-sourcing – hard to penetrate massive networks at scale and not provide clues
  Civil disobedience by younger techies

Implications of Declining Half-Life of Secrets

Previously, the IC often ignored the “front page test”
  Jack Nicholson & “you can’t handle the truth” in A Few Good Men
But, how many front page stories this year?
Declining half-life of secrets means higher expected value of revelations – bigger negative effect if ignore the front page test

RG: effects on foreign affairs, economics, Internet governance, so USG should consider these multiple effects and not isolate IC decisions

For business, how well can you keep secrets if the NSA can’t?

Conclusion

Pessimists inclined to think that nothing will change
The RNC has endorsed ending 215 telephone program, plus many Democrats
Section 215 program quite possibly will end
DOJ agreed to the transparency agreement
EU privacy regulation seemed dead, but Snowden-related sentiments resulted this week in EU Parliament 621-10 in favor

We are in a period where change is possible here, even in Congress

I look forward to talking with you about what should come next