320 likes | 421 Views
“Telecom, Privacy & Security After September 11” . Professor Peter P. Swire Ohio State University Ohio Telecommunications Industry Association October 2, 2001 . Overview of the Talk. My background Critical infrastructure and your computer security Wiretaps and surveillance today.
E N D
“Telecom, Privacy & Security After September 11” Professor Peter P. Swire Ohio State University Ohio Telecommunications Industry Association October 2, 2001
Overview of the Talk • My background • Critical infrastructure and your computer security • Wiretaps and surveillance today
I. My Background • First Internet law article in 1992 • Wrote on encryption, privacy, and international e-commerce issues • 1999 & 2000 -- Clinton Administration • Chief Counselor for Privacy • 2001 return to Ohio State Law • now visiting at George Washington • consultant with Morrison & Foerster
In the Administration • Privacy issues • Medical privacy proposed and final rule • Financial privacy law and rules • Internet privacy policy • Government databases and privacy • Website privacy policies • Cookies on website policy
In the Administration • Encryption policy shift 1999 • Strong encryption necessary for strong military, e-commerce, and civil society • Computer security • Government data for security and privacy • FIDNet • Other critical infrastructure issues
In the Administration • Wiretap and surveillance • Headed 15-agency White House working group on how to update these laws • Legislation proposed June, 2000 • S. 3083 • Hearings and mark-up in House Judiciary
II. Computer Security & Critical Infrastructure • Security after Y2K • Openness in computer security • ISACs and critical infrastructure
A. Security after Y2K • In late 90s, was conventional wisdom that security would be the next big computer thing once Y2K was addressed • Security not a new issue since September 11 • Security is an even bigger issue now • It’s important • It’s hard
Why Security is Important • Information is valuable in an information society • Personal data is more valuable today • Customer info is important to customers and to your business model • Prevent identity theft • Safeguard that customer data
Why Security is Important • Potential losses to your business if insecure • Interruption of business - DDOS • Loss of data and expensive IT assets • Reputation and confidence loss • Credible threats of loss • Terrorists • Other malicious actors
Why Security is Hard • PC enormous growth since 1980s • Internet enormous growth since early 1990s • Applications have outstripped security • The rush to get products to market • Legacy systems and inconsistent platforms • The opportunities and risks of networks • User autonomy rather than IT dictators • Security has not been the driver
Some lessons on security • Security is an issue whose time was coming • Clearly a bigger issue today • What lessons for you?
B. Lesson 1: Openness in Security • Subject of my current research: • Openness and hiddenness in computer security • Historic link between hiddenness and security • Openness and inter-operability • Openness and updating your security
Security and hiddenness • Would a military base reveal the location of its defenses and booby traps? • No. • That’s the historic link between security and hiddenness.
Computer security and openness • Computers and inter-operability • Will you trust software or hardware into your system if you can’t test it? Can’t know what’s in it? • Will you trust partners in your extranet or grid unless you know how they handle data?
Computer security and openness • Computers and updating your security • New patches daily • New systems also needed often • How get these to all your users and systems that need them? Other company’s users? • Moral: with this broad dissemination, the determined bad guy will learn the weakness and patch, too
C. ISACs and Critical Infrastructure • Computer security requires much more openness than traditional security • Must share information to inter-operate and to update patches and other security approaches • How do this information sharing?
ISACs • Information Sharing and Analysis Centers • Banking • Telecommunications • Electric Power • IT • Industry groupings to share information about attacks and responses
ISACs • The security pro at your competitor has much the same job as the security pro in your company • Networked systems and critical infrastructure • Cooperation dominates competition here • Not price setting, low antitrust risk • Regulators should encourage this sharing
Summary on computer security • Security bigger issue now • Openness much greater in computer security • Use ISACs and other sharing systems so the defenders learn what the attackers already know
III. Wiretaps and Surveillance • Last year, Clinton proposal to update both for privacy and surveillance • House Judiciary then farther toward privacy • Now, Ashcroft proposal all in the direction of surveillance • Compromise in House yesterday with smaller move toward surveillance than Ashcroft
FISA Changes • Foreign Intelligence Surveillance Act • Special court, wiretap never revealed • Roving wiretap • One order, multiple phones • More FISA orders and more sharing with law enforcement • Likely bigger requests for you to have employees with clearance
Trap and Trace • “Transactional” or to/from information • Need some updating of language • Nationwide order • Challenge, if needed, far from you • Emergency orders • Any computer attack • Anything affecting “a national security interest” • Go to a judge after the trap is in place
Trap and Trace (continued) • For phones, is to/from information • Ashcroft asks for “dialing, routing, addressing, or signaling” • Issue: get urls and other content? • Variation: “DRAS that identifies the destination” of a communication
Hacker trespasser • Issue: the government can’t “look over your shoulder” when you monitor your system • Proposal: • (1) you authorize the government • (2) legitimate part of an investigation • (3) no communications other than those to or from the trespasser • (4) for trespasser who “accesses a protected computer without authorization”
Voice mail • Current law, stored voice mail to government only under the strict Title III rules for phone wiretaps • Proposal to treat like stored e-mail • Get with a subpoena
Administrative subpoenas • Current law: disclose name, address, local and long distance telephone toll billing records, telephone number, and length of service • Proposal: add “means and source of payment (including any credit card or bank account number)”
Concluding Remarks • For computer security, how to do more and more effective sharing of information • For surveillance, last year had consensus that need greater judicial oversight for trap and trace • Consider that still, not just law enforcement “certifying” that the standard has been met
Conclusions • To address the current emergency, Administration calling for rapid passage of all their proposals, with essentially no hearings • One choice: take time to examine closely • Other choice: sunset after 2 years, so we can re-examine with greater calm
Concluding Thoughts • For you in telecommunications • Security will be a bigger issue • Compliance with new laws will take your attention • Corporate decisions about how to assist law enforcement and national security while also safeguarding your customers’ records • Big challenges, and it’s an important job where we will see great progress
Contact Information • Professor Peter P. Swire • phone: (301) 213-9587 • email: pswire@law.gwu.edu • web: www.osu.edu/units/law/swire.htm