Business Implications of the President’s NSA Review Group
Peter Swire
Huang Professor of Law and Ethics, Scheller College of Business
Georgia Institute of Technology
Law Seminars International: 3/28/14
Overview of the Talk
Intro to Review Group
Four business issues:
  Business & economics issues into the IC calculus
  US-based global businesses affected by IC decisions
  Lean toward defense in cyber-security
  Support better Internet governance
Creation of the Review Group
Snowden leaks of 215 and Prism in June, 2013
August: Review Group, 5 members
Our assigned task
Protect national security
Advance our foreign policy, including economic effects
Protect privacy and civil liberties
Maintain the public trust
Reduce the risk of unauthorized disclosure
Our Report
Meetings, briefings, public comments
300+ pages in December; 46 recommendations
Section 215 database “not essential” to stopping any attack; recommend government not hold phone records; proposal this week basically agrees
Pres. Obama speech, January
  Adopt 70% in letter or spirit
  Additional recommendations under study
  Organizational changes to NSA not adopted
Issue 1: Foreign Affairs/Economics
Major theme of the report is that we face multiple risks, not just national security risks
  Effects on allies, foreign affairs
  Risks to privacy & civil liberties
  Risks to economic growth & business
Historically, intelligence community is heavily walled off, to maintain secrecy
Now, convergence of civilian and military/intelligence communications devices, software & networks
Q: How to respond to the multiple risks?
Addressing Multiple Risks
RG Recs 16 & 17: New process & WH staff to review sensitive intelligence collection in advance
  Senior policymakers from the economic agencies (NEC, Commerce, USTR) should participate
  Monitoring to ensure compliance with policy
RG Rec 19: New process for surveillance of foreign leaders
  Relations with allies, with economic and other implications, if this surveillance becomes public
Issue 2: US-Based Cloud Companies in a Global Market
The issue: effects on US-based cloud industry
Understanding contrasting perspectives of IC and the IT industry
Intelligence community perspective:
  Snowden a criminal; 0% say whistleblower
  Substantial assistance to adversaries by ongoing revelations of sources & methods
    E.g., reports on techniques for entering into “air-gapped” computer systems
  IC tradition of expecting secrecy over long time scale, so details of intelligence activities rarely disclosed and harms from disclosures rarely experienced
Tech Industry Perspective
Tech industry perspective: Silicon Valley – 90% say whistleblower
Snowden has informed us about Internet realities
Tech industry libertarianism: “information wants to be free” and suspicion of government & secrecy
Anger at undermining encryption standards
More anger for stories that leased lines for Yahoo and Google servers were tapped
Microsoft GC: the US Government as an “advanced persistent threat”
What is at Stake for the IT Industry
Biggest focus on public cloud computing market
  Double in size 2012-2016
Studies estimate US business losses from NSA revelations: tens of billions $/year
An opening for non-U.S. providers
  Market has been dominated by US companies
  Deutsche Telekom and others: “Don’t put your data in the hands of the NSA and US providers”
US industry response: more transparency
  Boost consumer confidence that the amount of government orders is modest
Moving to More Transparency
RG Rec 9: OK to reveal number of orders, number they have complied with, information produced, and number for each legal authority (215, 702, NSL, etc.), unless compelling national security showing
RG Rec 31: US should advocate to ensure transparency for requests by other governments
  Put more focus on actions of other governments
DOJ agreement with companies in January
Issue 3: Offense v. Defense for Cyber-security
The issue of trading off offense & defense:
NSA/IC offensive missions
  Foreign intelligence surveillance
  Title 10 – military authorities
  US Cyber Command
NSA/IC defensive missions
  Information Assurance Directorate of NSA
  Protect government systems
  Counter-intelligence
We use precisely one communications infrastructure for both offense and defense
Conflict between Offense & Defense Has Increased
(1) Before: separate communications system behind the Iron Curtain; nation-state actors
Now: same Internet for civilians, terrorists & military
(2) Before: military protected its communication security within the chain of command
Now: critical infrastructure largely civilian; tips to defense get known to attackers
(3) Before: episodic flares of military action
Now: daily & hourly cyber-attacks, to businesses and others, right here at home
Strong Crypto for Defense
RG Rec 29: support strong crypto standards and software; secure communications a priority; don’t push vendors to have back doors (defense)
No announcement yet on this recommendation – it is a tech industry priority
Zero Days & the Equities Process
A “zero day” exploit uses a previously undisclosed vulnerability, one for which defenders have had zero days to respond
Press reports of USG stockpiling zero days, for intelligence & military use
RG Rec 30: Lean to defense. New WH equities process to ensure vulnerabilities are blocked for USG and private networks. Exception if inter-agency process finds a priority to retain the zero day as secret.
Software vendors and owners of corporate systems have strong interest in good defense
No announcement yet on this recommendation
Issue 4: Internet Governance
The issue: Snowden becomes a huge talking point against the US approach to Internet governance. Potential harms to business, including US-based business.
International Telecommunication Union?
US & US industry position: Internet governance as bottom-up, tech-based, multi-stakeholder process. Outputs: innovation, growth, Internet freedom, democracy.
Russia & China: push for major ITU role. Governance by governments. Respect local norms (called “cyber-security” but meaning “censorship”). Oppose “chaos” of current approach.
Swing votes at the ITU: medium-sized economies pay more for Internet service than rich countries, lose inter-connection fees, don’t know how to have a voice in W3C & IETF.
How to Bolster Multi-stakeholder
US Internet Freedom agenda – secure communications by dissenters, democratic freedom, human rights.
Russia & China: Snowden shows US hypocrisy.
Response: legal checks & balances in US; First Amendment; emphatically not used for political repression
RG Rec 32: senior State Department official on these issues
RG Rec 33: support multi-stakeholder approach
Many RG recs: reinforce privacy & civil liberties & oversight in foreign surveillance
PPD-28: extend protections to non-US persons
Localization Proposals
Brazil, Vietnam, Indonesia proposals to require storage locally
EU proposals to restrict data transfers to US; using T-TIP & Safe Harbor as bargaining chips for less US surveillance
RG: emphasize economic & other harms from localization/“splinternet”
Strengthen relations with allies
RG Rec 31: build international norm against localization
RG Rec 34: streamline mutual legal assistance treaties (MLATs), so no need to hold data there, can get it in US
The Lessons for Business
Business & economics issues into the IC calculus
US-based global businesses affected by IC decisions
Lean toward defense
Support better Internet governance
Conclusion
Are pessimists correct that nothing will change?
  Section 215 program quite possibly will end
  DOJ agreed to the transparency agreement
  EU privacy regulation seemed dead, but Snowden-related sentiments resulted this month in EU Parliament 621-10 in favor
We are in a period where change is possible
Businesses, and their advisors, should support changes that meet the multiple goals of our national and economic security