This talk discusses the business and economic implications of the President's NSA Review Group, including issues related to foreign affairs, US-based cloud companies, and offense versus defense in cybersecurity.
Business Implications of the President’s NSA Review Group
Peter Swire, Huang Professor of Law and Ethics
Scheller College of Business, Georgia Institute of Technology
Law Seminars International: 3/28/14

Overview of the Talk
• Intro to the Review Group
• Four business issues:
  • Business & economics issues into the IC calculus
  • US-based global businesses affected by IC decisions
  • Lean toward defense in cyber-security
  • Support better Internet governance

Creation of the Review Group
• Snowden leaks of Section 215 and Prism in June 2013
• Review Group formed in August
• 5 members

Our Assigned Task
• Protect national security
• Advance our foreign policy, including economic effects
• Protect privacy and civil liberties
• Maintain the public trust
• Reduce the risk of unauthorized disclosure

Our Report
• Meetings, briefings, public comments
• 300+ pages in December
• 46 recommendations
• Section 215 database “not essential” to stopping any attack; recommend that the government not hold phone records; the proposal this week basically agrees
• Pres. Obama speech in January:
  • Adopts about 70% in letter or spirit
  • Additional recommendations under study
  • Organizational changes to NSA not adopted

Issue 1: Foreign Affairs/Economics
• Major theme of the report: we face multiple risks, not just national security risks
  • Effects on allies, foreign affairs
  • Risks to privacy & civil liberties
  • Risks to economic growth & business
• Historically, the intelligence community is heavily walled off, to maintain secrecy
• Now, convergence of civilian and military/intelligence communications devices, software & networks
• Q: How to respond to the multiple risks?

Addressing Multiple Risks
• RG Recs 16 & 17:
  • New process & WH staff to review sensitive intelligence collection in advance
  • Senior policymakers from the economic agencies (NEC, Commerce, USTR) should participate
  • Monitoring to ensure compliance with policy
• RG Rec 19: New process for surveillance of foreign leaders
  • Relations with allies, with economic and other implications, if this surveillance becomes public

Issue 2: US-Based Cloud Companies in a Global Market
• The issue: effects on the US-based cloud industry
• Understanding the contrasting perspectives of the IC and the IT industry
• Intelligence community perspective:
  • Snowden a criminal; 0% say whistleblower
  • Substantial assistance to adversaries by ongoing revelations of sources & methods
  • E.g., reports on techniques for entering into “air-gapped” computer systems
  • IC tradition of expecting secrecy over a long time scale, so details of intelligence activities are rarely disclosed and harms from disclosures rarely experienced

Tech Industry Perspective
• Tech industry perspective:
  • Silicon Valley – 90% say whistleblower
  • Snowden has informed us about Internet realities
  • Tech industry libertarianism: “information wants to be free” and suspicion of government & secrecy
  • Anger at undermining encryption standards
  • More anger at stories that leased lines for Yahoo and Google servers were tapped
  • Microsoft General Counsel: the US Government as an “advanced persistent threat”

What Is at Stake for the IT Industry
• Biggest focus on the public cloud computing market
  • Projected to double in size, 2012-2016
• Studies estimate US business losses from the NSA revelations at tens of billions of dollars per year
• An opening for non-US providers
  • Market has been dominated by US companies
  • Deutsche Telekom and others: “Don’t put your data in the hands of the NSA and US providers”
• US industry response: more transparency
  • Boost consumer confidence that the number of government orders is modest

Moving to More Transparency
• RG Rec 9: OK to reveal the number of orders, the number complied with, the information produced, and the number under each legal authority (215, 702, NSL, etc.), unless there is a compelling national security showing
• RG Rec 31: US should advocate to ensure transparency for requests by other governments
  • Put more focus on the actions of other governments
• DOJ agreement with companies in January

Issue 3: Offense v. Defense for Cyber-security
• The issue of trading off offense & defense:
• NSA/IC offensive missions
  • Foreign intelligence surveillance
  • Title 10 – military authorities
  • US Cyber Command
• NSA/IC defensive missions
  • Information Assurance Directorate of NSA
  • Protect government systems
  • Counter-intelligence
• We use precisely one communications infrastructure for both offense and defense

Conflict between Offense & Defense Has Increased
(1) Before: separate communications system behind the Iron Curtain; nation-state actors
    Now: same Internet for civilians, terrorists & military
(2) Before: military protected its communication security within the chain of command
    Now: critical infrastructure largely civilian; tips to defense get known to attackers
(3) Before: episodic flares of military action
    Now: daily & hourly cyber-attacks, on businesses and others, right here at home

Strong Crypto for Defense
• RG Rec 29: support strong crypto standards and software; make secure communications a priority; don’t push vendors to have back doors (defense)
• No announcement yet on this recommendation – it is a tech industry priority

Zero Days & the Equities Process
• A “zero day” exploit targets a vulnerability not previously used or disclosed, so defenders have had zero days to respond
• Press reports of the USG stockpiling zero days for intelligence & military use
• RG Rec 30: Lean to defense. New WH equities process to ensure vulnerabilities are blocked for USG and private networks. Exception if the inter-agency process finds a priority to retain the zero day as secret.
• Software vendors and owners of corporate systems have a strong interest in good defense
• No announcement yet on this recommendation

Issue 4: Internet Governance
• The issue: Snowden becomes a huge talking point against the US approach to Internet governance. Potential harms to business, including US-based business.

International Telecommunication Union?
• US & US industry position: Internet governance as a bottom-up, tech-based, multi-stakeholder process. Outputs: innovation, growth, Internet freedom, democracy.
• Russia & China: push for a major ITU role. Governance by governments. Respect local norms (called “cyber-security” but meaning “censorship”). Oppose the “chaos” of the current approach.
• Swing votes at the ITU: medium-sized economies pay more for Internet service than rich countries, lose inter-connection fees, and don’t know how to have a voice in the W3C & IETF.

How to Bolster the Multi-stakeholder Approach
• US Internet Freedom agenda – secure communications by dissenters, democratic freedom, human rights
• Russia & China: Snowden shows US hypocrisy
• Response: legal checks & balances in the US; First Amendment; emphatically not used for political repression
• RG Rec 32: senior State Department official on these issues
• RG Rec 33: support the multi-stakeholder approach
• Many RG recs: reinforce privacy & civil liberties & oversight in foreign surveillance
• PPD-28: extend protections to non-US persons

Localization Proposals
• Brazil, Vietnam, Indonesia proposals to require local data storage
• EU proposals to restrict data transfers to the US; using T-TIP & Safe Harbor as bargaining chips for less US surveillance
• RG: emphasize economic & other harms from localization / the “splinternet”
  • Strengthen relations with allies
  • RG Rec 31: build an international norm against localization
  • RG Rec 34: streamline mutual legal assistance treaties (MLATs), so there is no need to hold data there; it can be obtained in the US

The Lessons for Business
• Business & economics issues into the IC calculus
• US-based global businesses affected by IC decisions
• Lean toward defense
• Support better Internet governance

Conclusion
• Are the pessimists correct that nothing will change?
  • Section 215 program quite possibly will end
  • DOJ agreed to the transparency agreement
  • EU privacy regulation seemed dead, but Snowden-related sentiments resulted this month in an EU Parliament vote of 621-10 in favor
• We are in a period where change is possible
• Businesses, and their advisors, should support changes that meet the multiple goals of our national and economic security