Business Implications of the President’s Review Group Peter Swire Huang Professor of Law and Ethics Scheller College of Business Georgia Institute of Technology
Preface Thank you for welcoming me to Scheller A law professor, with business as well: IT/privacy/cybersecurity Housing finance & health care, including in government Taught corporations, torts, antitrust, law & economics Grew up in a family business and had real law clients Look forward to getting to know more of you
Overview of the Talk Intro to Review Group Five business issues: Business & economics issues into the IC calculus US-based global businesses affected by IC decisions Lean toward defense in cyber-security Support better Internet governance Upgrade against insider attacks Two themes: Same Internet for multiple purposes Declining half life of secrets
Creation of the Review Group Snowden leaks of 215 and Prism in June, 2013 August – Review Group 5 members Diversity of backgrounds Technology Business Insider status
Our assigned task Protect national security Advance our foreign policy, including economic effects Protect privacy and civil liberties Maintain the public trust Reduce the risk of unauthorized disclosure
Our assigned task (2) Protect national security Advance our foreign policy, including economic effects Protect privacy and civil liberties Maintain the public trust Reduce the risk of unauthorized disclosure Q: A simple task for operations research maximization? Focus today: implications for business/econ
Our Report Meetings, briefings, public comments 300+ pages in December 46 recommendations Section 215 database “not essential” to stopping any attack; recommend government not hold phone records Pres. Obama speech January Adopt 70% in letter or spirit Additional recommendations under study Organizational changes to NSA not adopted
Issue 1: Foreign Affairs/Economics Major theme of the report is that we face multiple risks, not just national security risks Effects on allies, foreign affairs Risks to privacy & civil liberties Risks to economic growth & business Historically, intelligence community is heavily walled off, to maintain secrecy NSA especially, signals intelligence, secret and dauntingly complex Now, convergence of civilian and military/intelligence communications devices, software & networks Q: How respond to the multiple risks?
Addressing Multiple Risks RG Recs 16 & 17: New process & WH staff to review sensitive intelligence collection in advance Senior policymakers from the economic agencies (NEC, Commerce, USTR) should participate Monitoring to ensure compliance with policy RG Rec 19: New process for surveillance of foreign leaders Relations with allies, with economic and other implications, if this surveillance becomes public
Issue 2: US-Based Cloud Companies in a Global Market The issue: effects on US-based cloud industry Understanding contrasting perspectives of IC and the IT industry Intelligence community perspective: Snowden a criminal; 0% say whistleblower Substantial assistance to adversaries by ongoing revelations of sources & methods E.g., reports on techniques for entering into “air- gapped” computer systems IC Tradition of expecting secrecy over long time scale, so details of intelligence activities rarely disclosed and harms from disclosures rarely experienced
Tech Industry Perspective Tech industry perspective: Silicon Valley – 90% say whistleblower Snowden has informed us about Internet realities Tech industry libertarianism: “information wants to be free” and suspicion of government & secrecy Anger at undermining encryption standards More anger for stories that leased lines for Yahoo and Google servers were tapped Microsoft GC: the US Government as an “advanced persistent threat”
What is at Stake for the IT Industry Biggest focus on public cloud computing market Double in size Initial study estimated losses from Snowden at $21.5 billion/year Cloud Security Alliance estimates up to $180 billion/year by 2016 – biggest effect from lower market share for new business An opening for non-U.S. providers Market currently dominated by US companies Deutsche Telecomm and others: “Don’t put your data in the hands of the NSA and US providers”
The IT Industry Response Focus of industry response: more transparency Regular transparency reports already One goal already had been to boost consumer confidence, especially overseas, such as for previous Patriot Act accusations Lawsuit and lobbying to expand these reports Industry opposition to non-disclosure (gag) orders for National Security Letters, etc. Yahoo 2009 lost one then-secret challenge
Moving to More Transparency RG Rec 9: OK to reveal number of orders, number they have complied with, information produced, and number for each legal authority (215, 702, NSL, etc.), unless compelling national security showing RG Rec 31: US should advocate to ensure transparency for requests by other governments Put more focus on actions of other governments DOJ agreement with companies in January More transparency, but not listed by legal authority Ongoing debate, but companies want to stress this issue, to send message of security and public trust
Issue 3: Offense v. Defense for Cyber- security The issue of trading off offense & defense: NSA/IC offensive missions Foreign intelligence surveillance Title 10 – military authorities US Cyber Command NSA/IC defensive missions Information Assurance Directorate of NSA Protect government systems Counter-intelligence We use precisely one communications infrastructure for both offense and defense
Conflict between Offense & Defense Has Increased (1) Before: separate communications system behind the Iron Curtain; nation-state actors Now: same Internet for civilians, terrorists & military (2) Before: military protected its communication security within the chain of command Now: critical infrastructure largely civilian; tips to defense get known to attackers (3) Before: episodic flares of military action Now: daily & hourly cyber-attacks, to businesses and others, right here at home
Institutional Changes for Defense RG Rec 24: split leadership of NSA and DoD’s Cyber Command RG Rec 25: split Information Assurance Directorate of NSA into separate agency Would put leadership on the side of defense Asymmetric incentives in agency between offense and defense These recommendations will not be adopted now, for plausible factual reasons
Strong Crypto for Defense Crypto Wars of the 1990’s showed NSA & FBI interest in breaking encryption (offense) 1999 policy shift to permit export globally of strong encryption, necessary for Internet (defense) Press reports of recent NSA actions to undermine encryption standards & break encryption RG Rec 29: support strong crypto standards and software; secure communications a priority; don’t push vendors to have back doors (defense) No announcement yet on this recommendation – it is a tech industry priority
Zero Days & the Equities Process A “zero day” exploit means previously unused vulnerability, where defenders have had zero days to respond Press reports of USG stockpiling zero days, for intelligence & military use RG Rec 30: Lean to defense. New WH equities process to ensure vulnerabilities are blocked for USG and private networks. Exception if inter-agency process finds a priority to retain the zero day as secret. Software vendors and owners of corporate systems have strong interest in good defense No announcement yet on this recommendation
Issue 4: Internet Governance The issue: Snowden becomes a huge talking point against the US approach to Internet governance. Potential harms to business, including US-based business. Bottom-up vs. top-down Internet governance? Localization rules – split the Internet? Confidence (re)building and fostering international norms
International Telecommunications Union US & US industry position: Internet governance as bottom-up, tech-based, multi-stakeholder process. Outputs: innovation, growth, Internet freedom, democracy. Russia & China: push for major ITU role. Governance by governments. Respect local norms (called “cyber- security” but meaning “censorship”). Oppose “chaos” of current approach. Swing votes at the ITU: medium-sized economies pay more for Internet service than rich countries, lose inter- connection fees, don’t know how to have a voice in W3C & IETF.
How to Bolster Multi-stakeholder US Internet Freedom agenda – secure communications by dissenters, democratic freedom, human rights. Russia & China: Snowden shows US hypocrisy. Response: legal checks & balances in US; First Amendment; emphatically not used for political repression RG Rec 32: senior State Department official on these issues RG Rec 33: support multi-stakeholder approach Many RG recs: reinforce privacy & civil liberties & oversight in foreign surveillance PPD-28: extend protections to non-US persons
Localization Proposals Brazil, Vietnam, Indonesia proposals to require storage locally EU proposals to restrict data transfers to US; using T- TIP & Safe Harbor as bargaining chips for less US surveillance RG: emphasize economic & other harms from localization/”splinternet” Strengthen relations with allies RG Rec 31: build international norm against localization RG Rec 34: streamline multi-lateral assistance treaties (MLATs), so no need to hold data there, can get it in US
Issue 5: Insider Threats The issue: if Snowden can happen to the NSA, is your company more secure than that? Many RG recs to protect better against insider threats Theme: system administrator as important threat Snowden’s job was to move files He did that Response: separation of functions, reduce sys admin privileges Theme: USG classified systems followed M&M model Response: new access controls, auditing, and other measures within classified systems Similar threats to business systems
The Lessons for Business Business & economics issues into the IC calculus US-based global businesses affected by IC decisions Lean toward defense Support better Internet governance Upgrade against insider attacks
Broader themes: One Internet The same communications infrastructure for numerous purposes – which should drive policy IC and police have seen it as a surveillance Internet, after 9/11 Business sees it as E-commerce, for internal communications and to reach customers Individual users – social networks, , online shopping, much more Political speech – a global engine for democracy and civil liberties Global business & others will have to decide how to help build the Internet it wants
Theme: Declining Half Life of Secrets The IC assumption was that secrets lasted a long time, such as years My belief – the half life of secrets has declined sharply Electronic: “my goal is that leaks happen only by a printer” No gatekeeper: Ellsberg needed NY Times; Manning has Wikileaks Global dissemination: once it leaks, it’s gone Crowd-sourcing – hard to penetrate massive networks at scale and not provide clues Civil disobedience by younger techies
Implications of Declining Half Life of Secrets Previously, the IC often ignored the “front page test” Jack Nicholson & “you can’t handle the truth” in A Few Good Men But, how many front page stories this year? Declining half life of secrets means higher expected value of revelations – bigger negative effect if ignore the front page test RG: effects on foreign affairs, economics, Internet governance, so USG should consider these multiple effects and not isolate IC decisions For business, how well can you keep secrets if the NSA can’t?
Conclusion Pessimists inclined to think that nothing will change The RNC has endorsed ending 215 telephone program, plus many Democrats Section 215 program quite possibly will end DOJ agreed to the transparency agreement EU privacy regulation seemed dead, but Snowden- related sentiments resulted this week in EU Parliament in favor We are in a period where change is possible here, even in Congress I look forward to talking with you about what should come next