Business Implications of the President’s NSA Review Group

Peter Swire

Huang Professor of Law and EthicsScheller College of Business

Georgia Institute of Technology

Law Seminars International: 3/28/14

Overview of the Talk

Intro to Review Group Four business issues:

Business & economics issues into the IC calculus US-based global businesses affected by IC decisions Lean toward defense in cyber-security Support better Internet governance

Creation of the Review Group

Snowden leaks of 215 and Prism in June, 2013 August – Review Group 5 members

December 2013: The Situation Room

Our assigned task

Protect national security Advance our foreign policy, including economic

effects Protect privacy and civil liberties Maintain the public trust Reduce the risk of unauthorized disclosure

Our Report

Meetings, briefings, public comments 300+ pages in December 46 recommendations

Section 215 database “not essential” to stopping any attack; recommend government not hold phone records; proposal this week basically agrees

Pres. Obama speech January Adopt 70% in letter or spirit Additional recommendations under study Organizational changes to NSA not adopted

Issue 1: Foreign Affairs/Economics

Major theme of the report is that we face multiple risks, not just national security risks Effects on allies, foreign affairs Risks to privacy & civil liberties Risks to economic growth & business

Historically, intelligence community is heavily walled off, to maintain secrecy Now, convergence of civilian and military/intelligence

communications devices, software & networks Q: How respond to the multiple risks?

Addressing Multiple Risks

RG Recs 16 & 17: New process & WH staff to review sensitive

intelligence collection in advance Senior policymakers from the economic agencies

(NEC, Commerce, USTR) should participate Monitoring to ensure compliance with policy

RG Rec 19: New process for surveillance of foreign leaders Relations with allies, with economic and other

implications, if this surveillance becomes public

Issue 2: US-Based Cloud Companies in a Global Market

The issue: effects on US-based cloud industry Understanding contrasting perspectives of IC and the IT industry Intelligence community perspective:

Snowden a criminal; 0% say whistleblower Substantial assistance to adversaries by ongoing revelations

of sources & methods E.g., reports on techniques for entering into “air-gapped”

computer systems IC Tradition of expecting secrecy over long time scale, so

details of intelligence activities rarely disclosed and harms from disclosures rarely experienced

Tech Industry Perspective

Tech industry perspective: Silicon Valley – 90% say whistleblower Snowden has informed us about Internet realities Tech industry libertarianism: “information wants to be

free” and suspicion of government & secrecy Anger at undermining encryption standards More anger for stories that leased lines for Yahoo and

Google servers were tapped Microsoft GC: the US Government as an

“advanced persistent threat”

What is at Stake for the IT Industry Biggest focus on public cloud computing market

Double in size 2012-2016 Studies estimate US business losses from NSA

revelations: tens of billions $/year An opening for non-U.S. providers

Market has been dominated by US companies Deutsche Telecomm and others: “Don’t put your data in the

hands of the NSA and US providers” US industry response: more transparency

Boost consumer confidence that the amount of government orders is modest

Moving to More Transparency

RG Rec 9: OK to reveal number of orders, number they have complied with, information produced, and number for each legal authority (215, 702, NSL, etc.), unless compelling national security showing

RG Rec 31: US should advocate to ensure transparency for requests by other governments Put more focus on actions of other governments

DOJ agreement with companies in January

Issue 3: Offense v. Defense for Cyber-security

The issue of trading off offense & defense: NSA/IC offensive missions

Foreign intelligence surveillance Title 10 – military authorities US Cyber Command

NSA/IC defensive missions Information Assurance Directorate of NSA Protect government systems Counter-intelligence

We use precisely one communications infrastructure for both offense and defense

Conflict between Offense & Defense Has Increased

(1) Before: separate communications system behind the Iron Curtain; nation-state actors

Now: same Internet for civilians, terrorists & military

(2) Before: military protected its communication security within the chain of command

Now: critical infrastructure largely civilian; tips to defense get known to attackers

(3) Before: episodic flares of military action

Now: daily & hourly cyber-attacks, to businesses and others, right here at home

Strong Crypto for Defense

RG Rec 29: support strong crypto standards and software; secure communications a priority; don’t push vendors to have back doors (defense)

No announcement yet on this recommendation – it is a tech industry priority

Zero Days & the Equities Process

A “zero day” exploit means previously unused vulnerability, where defenders have had zero days to respond

Press reports of USG stockpiling zero days, for intelligence & military use

RG Rec 30: Lean to defense. New WH equities process to ensure vulnerabilities are blocked for USG and private networks. Exception if inter-agency process finds a priority to retain the zero day as secret.

Software vendors and owners of corporate systems have strong interest in good defense

No announcement yet on this recommendation

Issue 4: Internet Governance

The issue: Snowden becomes a huge talking point against the US approach to Internet governance. Potential harms to business, including US-based business.

International Telecommunications Union?

US & US industry position: Internet governance as bottom-up, tech-based, multi-stakeholder process. Outputs: innovation, growth, Internet freedom, democracy.

Russia & China: push for major ITU role. Governance by governments. Respect local norms (called “cyber-security” but meaning “censorship”). Oppose “chaos” of current approach.

Swing votes at the ITU: medium-sized economies pay more for Internet service than rich countries, lose inter-connection fees, don’t know how to have a voice in W3C & IETF.

How to Bolster Multi-stakeholder

US Internet Freedom agenda – secure communications by dissenters, democratic freedom, human rights.

Russia & China: Snowden shows US hypocrisy. Response: legal checks & balances in US; First Amendment;

emphatically not used for political repression RG Rec 32: senior State Department official on these issues RG Rec 33: support multi-stakeholder approach Many RG recs: reinforce privacy & civil liberties & oversight in

foreign surveillance PPD-28: extend protections to non-US persons

Localization Proposals

Brazil, Vietnam, Indonesia proposals to require storage locally

EU proposals to restrict data transfers to US; using T-TIP & Safe Harbor as bargaining chips for less US surveillance

RG: emphasize economic & other harms from localization/”splinternet”

Strengthen relations with allies RG Rec 31: build international norm against localization RG Rec 34: streamline multi-lateral assistance treaties

(MLATs), so no need to hold data there, can get it in US

The Lessons for Business

Business & economics issues into the IC calculus

US-based global businesses affected by IC decisions

Lean toward defense Support better Internet governance

Conclusion

Are pessimists correct that nothing will change? Section 215 program quite possibly will end DOJ agreed to the transparency agreement EU privacy regulation seemed dead, but Snowden-

related sentiments resulted this month in EU Parliament 621-10 in favor

We are in a period where change is possible Businesses, and their advisors, should support changes

that meet the multiple goals of our national and economic security