Business Implications of the President’s NSA Review Group Peter Swire Huang Professor of Law and Ethics Scheller College of Business Georgia Institute.

Presentation transcript:

Business Implications of the President’s NSA Review Group
Peter Swire
Huang Professor of Law and Ethics
Scheller College of Business
Georgia Institute of Technology
Law Seminars International: 3/28/14

Overview of the Talk
- Intro to Review Group
- Four business issues:
- Business & economics issues into the IC calculus
- US-based global businesses affected by IC decisions
- Lean toward defense in cyber-security
- Support better Internet governance

Creation of the Review Group
- Snowden leaks of 215 and Prism in June, 2013
- August – Review Group
- 5 members

December 2013: The Situation Room

Our assigned task
- Protect national security
- Advance our foreign policy, including economic effects
- Protect privacy and civil liberties
- Maintain the public trust
- Reduce the risk of unauthorized disclosure

Our Report
- Meetings, briefings, public comments
- 300+ pages in December
- 46 recommendations
- Section 215 database “not essential” to stopping any attack; recommend government not hold phone records; proposal this week basically agrees
- Pres. Obama speech January
- Adopt 70% in letter or spirit
- Additional recommendations under study
- Organizational changes to NSA not adopted

Issue 1: Foreign Affairs/Economics
- Major theme of the report is that we face multiple risks, not just national security risks
- Effects on allies, foreign affairs
- Risks to privacy & civil liberties
- Risks to economic growth & business
- Historically, intelligence community is heavily walled off, to maintain secrecy
- Now, convergence of civilian and military/intelligence communications devices, software & networks
- Q: How respond to the multiple risks?

Addressing Multiple Risks
- RG Recs 16 & 17:
- New process & WH staff to review sensitive intelligence collection in advance
- Senior policymakers from the economic agencies (NEC, Commerce, USTR) should participate
- Monitoring to ensure compliance with policy
- RG Rec 19: New process for surveillance of foreign leaders
- Relations with allies, with economic and other implications, if this surveillance becomes public

Issue 2: US-Based Cloud Companies in a Global Market
- The issue: effects on US-based cloud industry
- Understanding contrasting perspectives of IC and the IT industry
- Intelligence community perspective:
- Snowden a criminal; 0% say whistleblower
- Substantial assistance to adversaries by ongoing revelations of sources & methods
- E.g., reports on techniques for entering into “air-gapped” computer systems
- IC tradition of expecting secrecy over long time scale, so details of intelligence activities rarely disclosed and harms from disclosures rarely experienced

Tech Industry Perspective
- Tech industry perspective:
- Silicon Valley – 90% say whistleblower
- Snowden has informed us about Internet realities
- Tech industry libertarianism: “information wants to be free” and suspicion of government & secrecy
- Anger at undermining encryption standards
- More anger for stories that leased lines for Yahoo and Google servers were tapped
- Microsoft GC: the US Government as an “advanced persistent threat”

What is at Stake for the IT Industry
- Biggest focus on public cloud computing market
- Double in size
- Studies estimate US business losses from NSA revelations: tens of billions $/year
- An opening for non-U.S. providers
- Market has been dominated by US companies
- Deutsche Telekom and others: “Don’t put your data in the hands of the NSA and US providers”
- US industry response: more transparency
- Boost consumer confidence that the amount of government orders is modest

Moving to More Transparency
- RG Rec 9: OK to reveal number of orders, number they have complied with, information produced, and number for each legal authority (215, 702, NSL, etc.), unless compelling national security showing
- RG Rec 31: US should advocate to ensure transparency for requests by other governments
- Put more focus on actions of other governments
- DOJ agreement with companies in January

Issue 3: Offense v. Defense for Cyber-security
- The issue of trading off offense & defense:
- NSA/IC offensive missions
- Foreign intelligence surveillance
- Title 10 – military authorities
- US Cyber Command
- NSA/IC defensive missions
- Information Assurance Directorate of NSA
- Protect government systems
- Counter-intelligence
- We use precisely one communications infrastructure for both offense and defense

Conflict between Offense & Defense Has Increased
(1) Before: separate communications system behind the Iron Curtain; nation-state actors
    Now: same Internet for civilians, terrorists & military
(2) Before: military protected its communication security within the chain of command
    Now: critical infrastructure largely civilian; tips to defense get known to attackers
(3) Before: episodic flares of military action
    Now: daily & hourly cyber-attacks, to businesses and others, right here at home

Strong Crypto for Defense
- RG Rec 29: support strong crypto standards and software; secure communications a priority; don’t push vendors to have back doors (defense)
- No announcement yet on this recommendation – it is a tech industry priority

Zero Days & the Equities Process
- A “zero day” exploit means previously unused vulnerability, where defenders have had zero days to respond
- Press reports of USG stockpiling zero days, for intelligence & military use
- RG Rec 30: Lean to defense. New WH equities process to ensure vulnerabilities are blocked for USG and private networks. Exception if inter-agency process finds a priority to retain the zero day as secret.
- Software vendors and owners of corporate systems have strong interest in good defense
- No announcement yet on this recommendation

Issue 4: Internet Governance
- The issue: Snowden becomes a huge talking point against the US approach to Internet governance. Potential harms to business, including US-based business.

International Telecommunications Union?
- US & US industry position: Internet governance as bottom-up, tech-based, multi-stakeholder process. Outputs: innovation, growth, Internet freedom, democracy.
- Russia & China: push for major ITU role. Governance by governments. Respect local norms (called “cyber-security” but meaning “censorship”). Oppose “chaos” of current approach.
- Swing votes at the ITU: medium-sized economies pay more for Internet service than rich countries, lose inter-connection fees, don’t know how to have a voice in W3C & IETF.

How to Bolster Multi-stakeholder
- US Internet Freedom agenda – secure communications by dissenters, democratic freedom, human rights.
- Russia & China: Snowden shows US hypocrisy.
- Response: legal checks & balances in US; First Amendment; emphatically not used for political repression
- RG Rec 32: senior State Department official on these issues
- RG Rec 33: support multi-stakeholder approach
- Many RG recs: reinforce privacy & civil liberties & oversight in foreign surveillance
- PPD-28: extend protections to non-US persons

Localization Proposals
- Brazil, Vietnam, Indonesia proposals to require storage locally
- EU proposals to restrict data transfers to US; using T-TIP & Safe Harbor as bargaining chips for less US surveillance
- RG: emphasize economic & other harms from localization/“splinternet”
- Strengthen relations with allies
- RG Rec 31: build international norm against localization
- RG Rec 34: streamline multi-lateral assistance treaties (MLATs), so no need to hold data there, can get it in US

The Lessons for Business
- Business & economics issues into the IC calculus
- US-based global businesses affected by IC decisions
- Lean toward defense
- Support better Internet governance

Conclusion
- Are pessimists correct that nothing will change?
- Section 215 program quite possibly will end
- DOJ agreed to the transparency agreement
- EU privacy regulation seemed dead, but Snowden-related sentiments resulted this month in EU Parliament in favor
- We are in a period where change is possible
- Businesses, and their advisors, should support changes that meet the multiple goals of our national and economic security