“Telecom, Privacy & Security After September 11” Professor Peter P. Swire Ohio State University Ohio Telecommunications Industry Association October 2, 2001



Overview of the Talk

My background
Critical infrastructure and your computer security
Wiretaps and surveillance today

I. My Background

First Internet law article in 1992
Wrote on encryption, privacy, and international e-commerce issues
1999 & 2000 -- Clinton Administration
– Chief Counselor for Privacy
2001 return to Ohio State Law
– now visiting at George Washington
– consultant with Morrison & Foerster

In the Administration

Privacy issues
– Medical privacy proposed and final rule
– Financial privacy law and rules
– Internet privacy policy
– Government databases and privacy
Website privacy policies
Cookies on website policy

In the Administration

Encryption policy shift 1999
– Strong encryption necessary for strong military, e-commerce, and civil society
Computer security
– Government data for security and privacy
– FIDNet
– Other critical infrastructure issues

In the Administration

Wiretap and surveillance
Headed 15-agency White House working group on how to update these laws
Legislation proposed June, 2000
– S. 3083
– Hearings and mark-up in House Judiciary

II. Computer Security & Critical Infrastructure

Security after Y2K
Openness in computer security
ISACs and critical infrastructure

A. Security after Y2K

In late 90s, was conventional wisdom that security would be the next big computer thing once Y2K was addressed

Security not a new issue since September 11

Security is an even bigger issue now
– It’s important
– It’s hard

Why Security is Important

Information is valuable in an information society

Personal data is more valuable today
– Customer info is important to customers and to your business model
– Prevent identity theft
– Safeguard that customer data

Why Security is Important

Potential losses to your business if insecure
– Interruption of business - DDoS
– Loss of data and expensive IT assets
– Reputation and confidence loss

Credible threats of loss
– Terrorists
– Other malicious actors

Why Security is Hard

PC enormous growth since 1980s
Internet enormous growth since early 1990s
Applications have outstripped security
– The rush to get products to market
– Legacy systems and inconsistent platforms
– The opportunities and risks of networks
– User autonomy rather than IT dictators
– Security has not been the driver

Some lessons on security

Security is an issue whose time was coming
Clearly a bigger issue today
What lessons for you?

B. Lesson 1: Openness in Security

Subject of my current research:
– Openness and hiddenness in computer security
Historic link between hiddenness and security
Openness and inter-operability
Openness and updating your security

Security and hiddenness

Would a military base reveal the location of its defenses and booby traps?

No. That’s the historic link between security and hiddenness.

Computer security and openness

Computers and inter-operability
– Will you trust software or hardware into your system if you can’t test it? Can’t know what’s in it?
– Will you trust partners in your extranet or grid unless you know how they handle data?

Computer security and openness

Computers and updating your security
New patches daily
New systems also needed often
How to get these to all your users and systems that need them? Other company’s users?
Moral: with this broad dissemination, the determined bad guy will learn the weakness and patch, too

C. ISACs and Critical Infrastructure

Computer security requires much more openness than traditional security
Must share information to inter-operate and to update patches and other security approaches
How to do this information sharing?

ISACs

Information Sharing and Analysis Centers
– Banking
– Telecommunications
– Electric Power
– IT
Industry groupings to share information about attacks and responses

ISACs

The security pro at your competitor has much the same job as the security pro in your company

Networked systems and critical infrastructure
Cooperation dominates competition here
– Not price setting, low antitrust risk
Regulators should encourage this sharing

Summary on computer security

Security bigger issue now
Openness much greater in computer security
Use ISACs and other sharing systems so the defenders learn what the attackers already know

III. Wiretaps and Surveillance

Last year, Clinton proposal to update both for privacy and surveillance
House Judiciary then farther toward privacy
Now, Ashcroft proposal all in the direction of surveillance
Compromise in House yesterday with smaller move toward surveillance than Ashcroft

FISA Changes

Foreign Intelligence Surveillance Act
Special court, wiretap never revealed
Roving wiretap
– One order, multiple phones
More FISA orders and more sharing with law enforcement
Likely bigger requests for you to have employees with clearance

Trap and Trace

“Transactional” or to/from information
Need some updating of language
Nationwide order
– Challenge, if needed, far from you
Emergency orders
– Any computer attack
– Anything affecting “a national security interest”
– Go to a judge after the trap is in place

Trap and Trace (continued)

For phones, is to/from information
Ashcroft asks for “dialing, routing, addressing, or signaling”
Issue: get URLs and other content?
Variation: “DRAS that identifies the destination” of a communication

Hacker trespasser

Issue: the government can’t “look over your shoulder” when you monitor your system

Proposal:
– (1) you authorize the government
– (2) legitimate part of an investigation
– (3) no communications other than those to or from the trespasser
– (4) for trespasser who “accesses a protected computer without authorization”

Voice mail

Current law, stored voice mail to government only under the strict Title III rules for phone wiretaps

Proposal to treat like stored e-mail
– Get with a subpoena

Administrative subpoenas

Current law: disclose name, address, local and long distance telephone toll billing records, telephone number, and length of service

Proposal: add “means and source of payment (including any credit card or bank account number)”

Concluding Remarks

For computer security, how to do more and more effective sharing of information

For surveillance, last year had consensus that need greater judicial oversight for trap and trace

Consider that still, not just law enforcement “certifying” that the standard has been met

Conclusions

To address the current emergency, Administration calling for rapid passage of all their proposals, with essentially no hearings

One choice: take time to examine closely
Other choice: sunset after 2 years, so we can re-examine with greater calm

Concluding Thoughts

For you in telecommunications
– Security will be a bigger issue
– Compliance with new laws will take your attention
– Corporate decisions about how to assist law enforcement and national security while also safeguarding your customers’ records

Big challenges, and it’s an important job where we will see great progress

Contact Information

Professor Peter P. Swire
phone: (301) 213-9587
email: [email protected]
web: www.osu.edu/units/law/swire.htm

Comments: the Emergency