I'm in San Francisco this week to attend the RSA security conference, and to cover the Cloud Security Alliance summit for security professionals. The CSA is a terrific organization, a non-profit founded with the purpose of promoting best security practices for cloud computing. I've watched this summit grow over the years commensurate with the increase in visibility of cloud security concerns, and once again attendees filled up the largest venue yet.
The opening keynote speaker was Richard A. Clarke, chairman and CEO of Good Harbor and former advisor to several presidents on counter-terrorism subjects. His keynote was based on his tenure last fall on the highly select Review Group on Intelligence and Communications Technology requested by President Obama in the wake of the Snowden revelations. (There were only five men in this group.) Given carte blanche intelligence clearance to every program, this group issued a 300-page unclassified report*, with 46 recommendations on intelligence collection, specifically how the United States should improve privacy and civil liberties while continuing to protect national security. Clarke’s short but very interesting keynote focused on his takeaways and his top 10 observations in the 46 recommendations.
His big-picture takeaway was that “In terms of collecting intelligence, (the NSA and other intelligence agencies) are very good – far better than you can imagine. But they have created the potential for a police surveillance state.” As a result, the task of controlling them is more urgent than it ever was. The group found that the intelligence agencies were full of very talented individuals dedicated to the protection of the United States and its allies. What they did not find “was a bunch of people randomly (reading) your emails.” But the potential is there.
Here are 10 key observations from a Washington veteran who had the opportunity to see everything under the intelligence kimono.
There is a complete disconnect between the policy makers who want the information, and the people who are collecting it. “The collectors were doing exactly what they thought they should be doing; if they could collect it, they did collect it within the law (which is pretty broad).” If the policy makers didn’t specify how (and how not) to collect the information they wanted, agencies would use every means at their disposal. The disconnect has now been fixed, but senior policy makers must now spend a great deal of time being very specific about what intelligence they want and need…and what they don’t. The new mantra from the President is, “Just because we can collect it, doesn't mean we should collect it.”
As good as NSA was at collecting external intelligence, it was abysmally, almost criminally poor, on the internal security of its own network. It was based on a perimeter security concept with little internal oversight.
As a result of the NSA revelations, US companies are losing market share, particularly in Europe.
One reason for this loss of market share is that non-US companies, particularly Asian companies, are using the NSA revelations as a marketing tool to say that US products are untrustworthy because they’re bugged by the NSA. Clarke said, “The hilarious part is that they’re not. But the products you can get from certain Asian manufacturers are.”
The push for localization of data was and is driven by economic considerations, because it boosts local companies vs. international competitors – not because of security or privacy. The idea of data localization and privacy doesn’t make sense. “The idea that data localization will somehow make you immune to NSA or other countries’ intelligence collection is laughable. I don’t think I’m revealing any secrets when I say that NSA, or any other world class intelligence agency, can hack into databases even if they’re not in the United States. And if you think a data localization law in a foreign country stops the NSA from getting into those databases, think again.”
The real solution for privacy isn’t data localization; the real solution is to secure the data in the cloud. Where the server sits is unimportant.
And to secure your data effectively, you need to encrypt your data at rest, in transit, and in use. That means encryption standards have to be trustworthy. “The US government has to get out of the business – if it ever were in the business – of f*cking around with encryption standards.” He says the encryption scandal was greatly overexaggerated. He can’t say exactly, but “if you read our report you’ll get an idea.”
When it discovers a vulnerability, the US government needs, as a general matter of policy, to tell everyone right away – all the time. 99 percent of the time, the role of government should be to protect. When everything it takes for our country to work is as vulnerable as it is, “It is more important that we defend ourselves against the ongoing Chinese assaults on our intellectual property and from the ongoing cybercriminal assault – which costs us hundreds of billions of dollars a year – than to say ‘Oh, we can use that (vulnerability) too.’”
There's a little group called the “P club”, a little organization hidden away in the government with little authorization and a narrow mission: the Privacy and Civil Liberties Oversight Board. This needs to be a very strong and independent organization with the authority to see everything. The “P club” as constituted today cannot do that.
These are not just American concerns. We're just the best at it, by far. We need international standards so everyone (including “the hypocrites around the world who criticize the United States while doing the same thing”) can have a dialog about international norms of what is appropriate and what is not (for example, not attacking each other’s financial systems).
In summary, Clarke said that if you're worried about nations getting nuclear weapons, or chemical weapons, you want NSA. Syrian chemical weapons were discovered thanks to NSA. He has no proof – but no doubt – it was because of NSA that the top Mexican drug cartel kingpin was recently caught.
The reason that other countries are secure is US intelligence and NSA. He strongly believes that, despite the hoopla, NSA has been a force for good.
But after a 9/11-type incident, it could become not a force for good, because in times of crisis people are willing to trade rights for security. If we have another 9/11, it'll be hard to stop people from throwing out the Bill of Rights. Therefore, we need to put roadblocks in the way now, before there's another crisis, so we can at least slow down the loss of privacy. Once you give away rights, you can't get them back.
* There is no classified report.
Follow Sean at @shorinsean.