Telecom, Privacy & Security After September 11 Professor Peter P. Swire Ohio State University Ohio Telecommunications Industry Association October 2, 2001.

Overview of the Talk
- My background
- Critical infrastructure and your computer security
- Wiretaps and surveillance today

I. My Background
- First Internet law article in 1992
- Wrote on encryption, privacy, and international e-commerce issues
- 1999 & Clinton Administration
  - Chief Counselor for Privacy
- 2001 return to Ohio State Law
  - now visiting at George Washington
  - consultant with Morrison & Foerster

In the Administration
- Privacy issues
  - Medical privacy proposed and final rule
  - Financial privacy law and rules
  - Internet privacy policy
  - Government databases and privacy
- Website privacy policies
- Cookies on website policy

In the Administration
- Encryption policy shift 1999
  - Strong encryption necessary for strong military, e-commerce, and civil society
- Computer security
  - Government data for security and privacy
  - FIDNet
  - Other critical infrastructure issues

In the Administration
- Wiretap and surveillance
- Headed 15-agency White House working group on how to update these laws
- Legislation proposed June, 2000
  - S
  - Hearings and mark-up in House Judiciary

II. Computer Security & Critical Infrastructure
- Security after Y2K
- Openness in computer security
- ISACs and critical infrastructure

A. Security after Y2K
- In the late 90s, it was conventional wisdom that security would be the next big computer thing once Y2K was addressed
- Security is not a new issue since September 11
- Security is an even bigger issue now
  - It's important
  - It's hard

Why Security is Important
- Information is valuable in an information society
- Personal data is more valuable today
  - Customer info is important to customers and to your business model
  - Prevent identity theft
  - Safeguard that customer data

Why Security is Important
- Potential losses to your business if insecure
  - Interruption of business (DDoS)
  - Loss of data and expensive IT assets
  - Reputation and confidence loss
- Credible threats of loss
  - Terrorists
  - Other malicious actors

Why Security is Hard
- Enormous PC growth since the 1980s
- Enormous Internet growth since the early 1990s
- Applications have outstripped security
  - The rush to get products to market
  - Legacy systems and inconsistent platforms
  - The opportunities and risks of networks
  - User autonomy rather than IT dictators
  - Security has not been the driver

Some lessons on security
- Security is an issue whose time was coming
- Clearly a bigger issue today
- What lessons for you?

B. Lesson 1: Openness in Security
- Subject of my current research:
  - Openness and hiddenness in computer security
- Historic link between hiddenness and security
- Openness and inter-operability
- Openness and updating your security

Security and hiddenness
- Would a military base reveal the location of its defenses and booby traps?
- No.
- That's the historic link between security and hiddenness.

Computer security and openness
- Computers and inter-operability
  - Will you trust software or hardware in your system if you can't test it? Can't know what's in it?
  - Will you trust partners in your extranet or grid unless you know how they handle data?

Computer security and openness
- Computers and updating your security
- New patches daily
- New systems also needed often
- How to get these to all your users and systems that need them? Other companies' users?
- Moral: with this broad dissemination, the determined bad guy will learn the weakness and the patch, too

C. ISACs and Critical Infrastructure
- Computer security requires much more openness than traditional security
- Must share information to inter-operate and to update patches and other security approaches
- How to do this information sharing?

ISACs
- Information Sharing and Analysis Centers
  - Banking
  - Telecommunications
  - Electric Power
  - IT
- Industry groupings to share information about attacks and responses

ISACs
- The security pro at your competitor has much the same job as the security pro in your company
- Networked systems and critical infrastructure
- Cooperation dominates competition here
  - Not price setting, so low antitrust risk
- Regulators should encourage this sharing

Summary on computer security
- Security is a bigger issue now
- Openness is much greater in computer security
- Use ISACs and other sharing systems so the defenders learn what the attackers already know

III. Wiretaps and Surveillance
- Last year, Clinton proposal to update both for privacy and surveillance
- House Judiciary then went farther toward privacy
- Now, Ashcroft proposal all in the direction of surveillance
- Compromise in House yesterday with a smaller move toward surveillance than Ashcroft

FISA Changes
- Foreign Intelligence Surveillance Act
- Special court, wiretap never revealed
- Roving wiretap
  - One order, multiple phones
- More FISA orders and more sharing with law enforcement
- Likely bigger requests for you to have employees with clearance

Trap and Trace
- Transactional or to/from information
- Need some updating of language
- Nationwide order
  - Challenge, if needed, far from you
- Emergency orders
  - Any computer attack
  - Anything affecting a national security interest
  - Go to a judge after the trap is in place
Trap and Trace (continued)
- For phones, it is to/from information
- Ashcroft asks for dialing, routing, addressing, or signaling (DRAS)
- Issue: does that get URLs and other content?
- Variation: DRAS that identifies the destination of a communication
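The "DRAS that identifies the destination" variation on this slide can be made concrete as a minimization filter on a record keeper's side. The following is an added example and not part of the talk; the proxy-log format, the sample lines and the function names are assumptions made for the illustration.

```python
# Added example (not from the talk): a minimization filter for the "DRAS that
# identifies the destination" variation. From proxy-log lines (constructed
# below; log format and function names are assumptions) it keeps only where a
# communication went and drops the URL path, query and fragment (content).
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def destination_only(url: str) -> str:
    """Reduce an absolute URL to 'host:port'. Path, query, fragment and any
    embedded user:password are treated as content and discarded (urlsplit's
    .hostname already strips the credentials and lower-cases the host)."""
    parts = urlsplit(url)
    host = parts.hostname
    if not parts.scheme or not host:
        raise ValueError(f"not an absolute URL with a host: {url!r}")
    port = parts.port or DEFAULT_PORTS.get(parts.scheme.lower())
    if port is None:
        raise ValueError(f"cannot infer port for scheme: {url!r}")
    return f"{host}:{port}"

def pen_register_records(log_lines):
    """Turn 'timestamp client METHOD url' lines into to/from records. Lines
    that do not parse, or whose destination would have to be guessed, are
    skipped rather than partially recorded."""
    records = []
    for line in log_lines:
        fields = line.split()
        if len(fields) != 4:
            continue
        ts, client, _method, url = fields
        try:
            dest = destination_only(url)
        except ValueError:
            continue
        records.append(f"{ts} {client} -> {dest}")
    return records

# Constructed sample lines (not real traffic).
SAMPLE_LOG = [
    "2001-10-02T09:15:03Z 10.0.0.5 GET https://mail.example.com/inbox?search=merger+plans",
    "2001-10-02T09:15:09Z 10.0.0.5 POST http://user:secret@forum.example.net:8080/post#top",
    "2001-10-02T09:15:12Z 10.0.0.7 GET ftp://files.example.org/readme.txt",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for rec in pen_register_records(SAMPLE_LOG):
        print(rec)
```

The search term, the embedded credentials and the page fragment in the sample never reach the output; the ftp line is dropped because its port would have to be guessed.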

Hacker trespasser
- Issue: the government can't look over your shoulder when you monitor your system
- Proposal:
  - (1) you authorize the government
  - (2) legitimate part of an investigation
  - (3) no communications other than those to or from the trespasser
  - (4) for a trespasser who accesses a protected computer without authorization

Voice mail
- Current law: stored voice mail goes to the government only under the strict Title III rules for phone wiretaps
- Proposal to treat like stored
  - Get with a subpoena

Administrative subpoenas
- Current law: disclose name, address, local and long distance telephone toll billing records, telephone number, and length of service
- Proposal: add means and source of payment (including any credit card or bank account number)

Concluding Remarks
- For computer security, how to do more and more effective sharing of information
- For surveillance, last year there was consensus that greater judicial oversight is needed for trap and trace
- Consider that still, not just law enforcement certifying that the standard has been met

Conclusions
- To address the current emergency, the Administration is calling for rapid passage of all their proposals, with essentially no hearings
- One choice: take time to examine closely
- Other choice: sunset after 2 years, so we can re-examine with greater calm

Concluding Thoughts
- For you in telecommunications
  - Security will be a bigger issue
  - Compliance with new laws will take your attention
  - Corporate decisions about how to assist law enforcement and national security while also safeguarding your customers' records
- Big challenges, and it's an important job where we will see great progress

Contact Information
- Professor Peter P. Swire
- phone: (301)
- web:

Comments: the Emergency