1 / 32

“Telecom, Privacy & Security After September 11”

“Telecom, Privacy & Security After September 11” . Professor Peter P. Swire Ohio State University Ohio Telecommunications Industry Association October 2, 2001 . Overview of the Talk. My background Critical infrastructure and your computer security Wiretaps and surveillance today.

tress
Download Presentation

“Telecom, Privacy & Security After September 11”

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. “Telecom, Privacy & Security After September 11” Professor Peter P. Swire Ohio State University Ohio Telecommunications Industry Association October 2, 2001

  2. Overview of the Talk • My background • Critical infrastructure and your computer security • Wiretaps and surveillance today

  3. I. My Background • First Internet law article in 1992 • Wrote on encryption, privacy, and international e-commerce issues • 1999 & 2000 -- Clinton Administration • Chief Counselor for Privacy • 2001 return to Ohio State Law • now visiting at George Washington • consultant with Morrison & Foerster

  4. In the Administration • Privacy issues • Medical privacy proposed and final rule • Financial privacy law and rules • Internet privacy policy • Government databases and privacy • Website privacy policies • Cookies on website policy

  5. In the Administration • Encryption policy shift 1999 • Strong encryption necessary for strong military, e-commerce, and civil society • Computer security • Government data for security and privacy • FIDNet • Other critical infrastructure issues

  6. In the Administration • Wiretap and surveillance • Headed 15-agency White House working group on how to update these laws • Legislation proposed June, 2000 • S. 3083 • Hearings and mark-up in House Judiciary

  7. II. Computer Security & Critical Infrastructure • Security after Y2K • Openness in computer security • ISACs and critical infrastructure

  8. A. Security after Y2K • In late 90s, was conventional wisdom that security would be the next big computer thing once Y2K was addressed • Security not a new issue since September 11 • Security is an even bigger issue now • It’s important • It’s hard

  9. Why Security is Important • Information is valuable in an information society • Personal data is more valuable today • Customer info is important to customers and to your business model • Prevent identity theft • Safeguard that customer data

  10. Why Security is Important • Potential losses to your business if insecure • Interruption of business - DDOS • Loss of data and expensive IT assets • Reputation and confidence loss • Credible threats of loss • Terrorists • Other malicious actors

  11. Why Security is Hard • PC enormous growth since 1980s • Internet enormous growth since early 1990s • Applications have outstripped security • The rush to get products to market • Legacy systems and inconsistent platforms • The opportunities and risks of networks • User autonomy rather than IT dictators • Security has not been the driver

  12. Some lessons on security • Security is an issue whose time was coming • Clearly a bigger issue today • What lessons for you?

  13. B. Lesson 1: Openness in Security • Subject of my current research: • Openness and hiddenness in computer security • Historic link between hiddenness and security • Openness and inter-operability • Openness and updating your security

  14. Security and hiddenness • Would a military base reveal the location of its defenses and booby traps? • No. • That’s the historic link between security and hiddenness.

  15. Computer security and openness • Computers and inter-operability • Will you trust software or hardware into your system if you can’t test it? Can’t know what’s in it? • Will you trust partners in your extranet or grid unless you know how they handle data?

  16. Computer security and openness • Computers and updating your security • New patches daily • New systems also needed often • How get these to all your users and systems that need them? Other company’s users? • Moral: with this broad dissemination, the determined bad guy will learn the weakness and patch, too

  17. C. ISACs and Critical Infrastructure • Computer security requires much more openness than traditional security • Must share information to inter-operate and to update patches and other security approaches • How do this information sharing?

  18. ISACs • Information Sharing and Analysis Centers • Banking • Telecommunications • Electric Power • IT • Industry groupings to share information about attacks and responses

  19. ISACs • The security pro at your competitor has much the same job as the security pro in your company • Networked systems and critical infrastructure • Cooperation dominates competition here • Not price setting, low antitrust risk • Regulators should encourage this sharing

  20. Summary on computer security • Security bigger issue now • Openness much greater in computer security • Use ISACs and other sharing systems so the defenders learn what the attackers already know

  21. III. Wiretaps and Surveillance • Last year, Clinton proposal to update both for privacy and surveillance • House Judiciary then farther toward privacy • Now, Ashcroft proposal all in the direction of surveillance • Compromise in House yesterday with smaller move toward surveillance than Ashcroft

  22. FISA Changes • Foreign Intelligence Surveillance Act • Special court, wiretap never revealed • Roving wiretap • One order, multiple phones • More FISA orders and more sharing with law enforcement • Likely bigger requests for you to have employees with clearance

  23. Trap and Trace • “Transactional” or to/from information • Need some updating of language • Nationwide order • Challenge, if needed, far from you • Emergency orders • Any computer attack • Anything affecting “a national security interest” • Go to a judge after the trap is in place

  24. Trap and Trace (continued) • For phones, is to/from information • Ashcroft asks for “dialing, routing, addressing, or signaling” • Issue: get urls and other content? • Variation: “DRAS that identifies the destination” of a communication

  25. Hacker trespasser • Issue: the government can’t “look over your shoulder” when you monitor your system • Proposal: • (1) you authorize the government • (2) legitimate part of an investigation • (3) no communications other than those to or from the trespasser • (4) for trespasser who “accesses a protected computer without authorization”

  26. Voice mail • Current law, stored voice mail to government only under the strict Title III rules for phone wiretaps • Proposal to treat like stored e-mail • Get with a subpoena

  27. Administrative subpoenas • Current law: disclose name, address, local and long distance telephone toll billing records, telephone number, and length of service • Proposal: add “means and source of payment (including any credit card or bank account number)”

  28. Concluding Remarks • For computer security, how to do more and more effective sharing of information • For surveillance, last year had consensus that need greater judicial oversight for trap and trace • Consider that still, not just law enforcement “certifying” that the standard has been met

  29. Conclusions • To address the current emergency, Administration calling for rapid passage of all their proposals, with essentially no hearings • One choice: take time to examine closely • Other choice: sunset after 2 years, so we can re-examine with greater calm

  30. Concluding Thoughts • For you in telecommunications • Security will be a bigger issue • Compliance with new laws will take your attention • Corporate decisions about how to assist law enforcement and national security while also safeguarding your customers’ records • Big challenges, and it’s an important job where we will see great progress

  31. Contact Information • Professor Peter P. Swire • phone: (301) 213-9587 • email: pswire@law.gwu.edu • web: www.osu.edu/units/law/swire.htm

  32. Comments: the Emergency

More Related