Presentation is loading. Please wait.

Presentation is loading. Please wait.

The President's NSA Review Group: The Technology Issues" Peter Swire Huang Professor of Law and Ethics Scheller College of Business Georgia Institute of.

Published byClinton Williams Modified over 9 years ago

Similar presentations

Presentation on theme: "The President's NSA Review Group: The Technology Issues" Peter Swire Huang Professor of Law and Ethics Scheller College of Business Georgia Institute of."— Presentation transcript:

1 The President's NSA Review Group: The Technology Issues" Peter Swire Huang Professor of Law and Ethics Scheller College of Business Georgia Institute of Technology GVU Brown Bag: October 2, 2014

2 Overview of the Talk  Intro to the NSA Review Group  Theme 1: The declining half life of secrets  Due in large part to major IT trends  Theme 2: One Internet, multiple equities  Theme 3: The role of IT professionals

3 Creation of the Review Group  Snowden leaks of 215 and Prism in June, 2013  August – Review Group named  Report due in December  5 members

4 December 2013: The Situation Room

5 Our assigned task  Protect national security  Advance our foreign policy, including economic effects  Protect privacy and civil liberties  Maintain the public trust  Reduce the risk of unauthorized disclosure

6 Our assigned task (2)  Protect national security  Advance our foreign policy, including economic effects  Protect privacy and civil liberties  Maintain the public trust  Reduce the risk of unauthorized disclosure  Q: A simple optimization task, and write the algorithm?  Focus today: implications for IT

7 Our Report  Meetings, briefings, public comments  300+ pages in December  46 recommendations  Section 215 database “not essential” to stopping any attack; recommend government not hold phone records  Pres. Obama speech January  Adopt 70% in letter or spirit  Additional recommendations under study

8 Theme 1: Declining Half Life of Secrets  The IC assumption was that secrets lasted a long time, such as 25-50 years  My descriptive claim – the half life of secrets is declining sharply  Multiple computing trends lead to this  Below, discuss implications for the IC if many secrets become known within a few years

9 The Insider, Big Data & the Internet  How much can an insider leak?  A lot. One thumb drive can ruin your whole day.  One CIO: “My goal is that leaks happen only by a printer”  How well can an insider disseminate secrets?  Old days: Ellsberg needed the NY Times  Today: Wikileaks, no gatekeeper to the Internet

10 A New Insider Threat Model  Theme: system administrator as important threat  Snowden’s job was to move files  He did that  Private and public sector face this problem  RG Response: separation of functions, reduce sys admin privileges  But  In anything but biggest organizations, is hard to separate IT functions in a strict way  Even in big organizations, very hard not to trust sys admins

11 Threat: The Sys Admin & Sociology  Contrast of USG & Silicon Valley view of Snowden on traitor v. whistleblower  USG: with all the briefings, I have not yet found an IC or other USG person who says WB  Silicon Valley:  In one company, over 90% say WB  “Thunderous applause” for Snowden at SXSW  Schneier: the civil disobedience of this generation  Sociological chasm between left coast and right coast  Solution: IC shouldn’t hire any techies? EFF membership as disqualification for security clearance?  Those aren’t good counter-measures

12 Crowd-sourcing & the Internet of Things  The mosaic theory historically used by the IC  Now, it turns against the IC  Bigger effort to publicly reveal IC activities  The Internet of Things – more sensors in private hands, networked  Crowd-sourcing – once some data is revealed, the world collaborates to put the pieces together  Hence, major trends in computing speed the revelation of IC secrets  The good old days:  Covert ops – few people knew  Signals -- for radio, often passively pick up signals

13 Private IT Systems as IC Targets  Section 215 & press reports of bulk collection in private telecomm/Internet systems  These systems do daily intrusion detection  They may have EFF-leaning employees,  Risk seems higher than before that someone outside of the IC will detect intrusions/year and report that

14 Descriptive Summary on Half Life of Secrets  Insider threats, with sociology risky for secrets  Big Data  Internet of Things  Crowdsourcing  Private systems can detect intrusions  Decline of gatekeepers  In short, if you were in the IC, would you bet on things staying secret for 25 or 50 years?

15 Policy Implications of Declining Half Life of Secrets  Previously, the IC often ignored the “front page test”  Jack Nicholson & “you can’t handle the truth” in A Few Good Men  But, how many front page stories since Snowden?  When secrets become known:  At time of initial decision, higher expected impact of revelations – bigger negative effect if ignore the front page test  RG: effects on foreign affairs, economics, Internet governance, so USG must consider these multiple effects and not isolate IC decisions

16 Theme 2: One Internet, Multiple Equities  The same Internet for:  Intelligence, law enforcement  E-Commerce  Free speech & political dissent  All the fun stuff – cat videos  Military theaters of combat

17 One Internet -- Outline  Effects of earlier revelation of secrets  Effects are larger due to convergence of:  Domestic and civilian communications, with  Foreign, intelligence, and military communications  One major area of debate for IT:  Larger tensions between offense and defense in cybersecurity

18 Some Effects of Revealing Secrets Since Snowden  In U.S., intense debates about surveillance vs. privacy, civil liberties, and other values  Effects on allies – Merkel, Brazil  Cloud computing & other U.S. business interests  Marketers: “US cloud providers have to give all the customer data to the NSA, so buy our local services”  Internet governance  U.S. Internet Freedom agenda undermined  U.S. leadership in ICANN and standards groups under new challenge by ITU alternative

19 IC: Convergence of Communications  Cold War  Soviet systems separate from U.S. systems  Main threat from nation states  U.S. citizens rarely made “long-distance” or “international” calls  Today  One global Internet  Main threat from terrorists and others who swim in a sea of civilian communications  U.S. citizens have many communications that route outside of the U.S., where FISA rules are different  Mayer: “pervasive” information from U.S. browsing goes outside of U.S.

20 Offense & Defense in Cybersecurity in Era of Converging Communications  Strong intelligence and military reasons for offensive capabilities  Intelligence advantages if can access bulk data, globally, with lower risk of casualties than physical entry  Historical role of full-throttle offense for the military: crack Enigma and save the convoys  Military in the future - Cyber Command, analogous to the way the Air Force became key to offense  Where more critical infrastructure is online, then offense against it more valuable

21 Defense and Cybersecurity  Old days:  Military (and NSA) have long had “information assurance,” to protect own codes and communications  Where find a flaw, then use chain of command to fix it  Command and control, so “patch” is installed  Operational security, with goal that only the defenders learn of the patch  Today:  Over 90% of critical infrastructure privately held  If install a patch, then tip off outsiders: can’t defend the “good guys” and still attack the “bad guys”  Cybersecurity has daily attacks against civilians, so defense is more important

22 Review Group and Defense  With convergence, much bigger effects on civilian-side defense if IC & military lean toward offense  RG: Areas to strengthen defense:  Improve security of government systems  Address insider threat, etc.  Encryption  Zero days

23 Strong Crypto for Defense  Crypto Wars of the 1990’s showed NSA & FBI interest in breaking encryption (offense)  1999 policy shift to permit export globally of strong encryption, necessary for Internet (defense)  Press reports of recent NSA actions to undermine encryption standards & defeat encryption (offense)  RG Rec 29: support strong crypto standards and software; secure communications a priority on the insecure Internet; don’t push vendors to have back doors (defense)  No announcement yet on this recommendation

24 Zero Days & the Equities Process  A “zero day” exploit means previously unused vulnerability, where defenders have had zero days to respond  Press reports of USG stockpiling zero days, for intelligence & military use  RG Rec 30: Lean to defense. New WH equities process to ensure vulnerabilities are blocked for USG and private networks. Exception if inter-agency process finds a priority to retain the zero day as secret.  Software vendors and owners of corporate systems have strong interest in good defense  No announcement yet on this recommendation

25 Addressing Multiple Risks  In addition to strengthening cyber-defense, there are multiple risks/equities in addition to national security:  Privacy & civil liberties  Allies  Business and the economy  Internet governance  RG Recs 16 & 17: Weigh the multiple risks  New process & WH staff to review sensitive intelligence collection in advance  Senior policymakers from the economic agencies (NEC, Commerce, USTR) should participate

26 Addressing Privacy & Civil Liberties  RG: Numerous proposed changes to U.S. law and institutions:  End current Section 215 program (and administration now agrees)  More judicial oversight  Public advocate participates in the secret court  Stronger tech capability for the court and the Privacy & Civil Liberties Oversight Board  In my view, significant progress and Congress may go further

27 Addressing Business & the Economy  Greater inclusion of economic policy-makers  RG Rec 9: Address the top IT industry request – transparency report  DOJ agreement with companies in January

28 Addressing Foreign Affairs/Allies  RG Rec 19: New process for surveillance of foreign leaders  Presidential Policy Directive 29:  Historically, for surveillance, countries have provided much stronger protections for their citizens than in other countries  PPD-29 a milestone, with “minimization” of data for non-US persons  Big new software project to build that  Details far from clear, but a notable shift

29 Summary on One Internet, Multiple Equities  In addition to national security, have crucial other equities:  Strengthen cyber-defense  Privacy & civil liberties  Allies  Business and the economy  Internet governance  IC decisions in the context of these other equities

30 Theme 3: The Role of IT Professionals  You are at the center of all of the equities of the “One Internet, Multiple Equities” clash of goals  ACM code of ethics – confidentiality & security  New Internet Society/IETF security efforts, with ethics for IT professionals  Lean toward defense for your own systems  Inform the policy makers of what can be done and should be done

31 The 3 Themes  Declining half life of secrets  The IC has to learn to live with the front page test  One Internet, multiple equities  The IC cannot decide for all these equities  The role of IT professionals  You build these systems

32 Conclusion  There was no optimizing algorithm for the multiple tasks of the Review Group  There is no optimizing algorithm for your tasks as IT professionals, to conduct surveillance, prevent intrusion, govern the Internet, etc.  You are in the center of the great moral issues of our time  We all need your participation and insights  Let’s get to work

Download ppt "The President's NSA Review Group: The Technology Issues" Peter Swire Huang Professor of Law and Ethics Scheller College of Business Georgia Institute of."

Similar presentations

Telecom, Privacy & Security After September 11 Professor Peter P. Swire Ohio State University Ohio Telecommunications Industry Association October 2, 2001.

Telecom, Privacy & Security After September 11 Professor Peter P. Swire Ohio State University Ohio Telecommunications Industry Association October 2, 2001.
A Model for When Disclosure Helps Security: What is Different About Computer & Network Security? Peter P. Swire Ohio State University George Mason CII.

A Model for When Disclosure Helps Security: What is Different About Computer & Network Security? Peter P. Swire Ohio State University George Mason CII.
Electronic Surveillance, Security, and Privacy Professor Peter P. Swire Ohio State University InSITes -- Carnegie Mellon February 7, 2002.

Electronic Surveillance, Security, and Privacy Professor Peter P. Swire Ohio State University InSITes -- Carnegie Mellon February 7, 2002.
Security Through Obscurity: When It Works, When It Doesnt Peter P. Swire The Ohio State University DIMACS, Rutgers January 18, 2007.

Security Through Obscurity: When It Works, When It Doesnt Peter P. Swire The Ohio State University DIMACS, Rutgers January 18, 2007.
From Real-Time Intercepts to Stored Records: Why Encryption Drives the Government to Seek Access to the Cloud Peter Swire Moritz College of Law Ohio State.

From Real-Time Intercepts to Stored Records: Why Encryption Drives the Government to Seek Access to the Cloud Peter Swire Moritz College of Law Ohio State.
The Role of the Federal Government in Privacy Policy Professor Peter P. Swire The Ohio State University Center for American Progress The Privacy Symposium,

The Role of the Federal Government in Privacy Policy Professor Peter P. Swire The Ohio State University Center for American Progress The Privacy Symposium,
The Strategy of Using Security to Protect Privacy Peter P. Swire Ohio State University Consultant, Morrison & Foerster, LLP Data Protection Commissioner.

The Strategy of Using Security to Protect Privacy Peter P. Swire Ohio State University Consultant, Morrison & Foerster, LLP Data Protection Commissioner.
Cybersecurity and UAV Issues John Rose, Deputy-Director, Public Policy, Region VI.

Cybersecurity and UAV Issues John Rose, Deputy-Director, Public Policy, Region VI.
Security Through Obscurity: When It Works, When It Doesn’t Peter P. Swire The Ohio State University DIMACS, Rutgers January 18, 2007.

Security Through Obscurity: When It Works, When It Doesn’t Peter P. Swire The Ohio State University DIMACS, Rutgers January 18, 2007.
Spies, Drones, and Snowden: What’s the Future of US Intelligence? Dennis Bowden Adjunct Professor University of Central Florida.

Spies, Drones, and Snowden: What’s the Future of US Intelligence? Dennis Bowden Adjunct Professor University of Central Florida.
Information Technology Implications of the President’s Review Group Peter Swire Huang Professor of Law and Ethics Scheller College of Business Georgia.

Information Technology Implications of the President’s Review Group Peter Swire Huang Professor of Law and Ethics Scheller College of Business Georgia.
Privacy & Cybersecurity Compliance in the Post-Snowden World Compliance Week 2014 Conference Peter Swire Huang Professor of Law and Ethics.

Privacy & Cybersecurity Compliance in the Post-Snowden World Compliance Week 2014 Conference Peter Swire Huang Professor of Law and Ethics.
Some Thoughts on Cyber-Resiliency, Time, and Surveillance Peter Swire Huang Professor of Law and Ethics Georgia Institute of Technology NAS/NRC Forum on.

Some Thoughts on Cyber-Resiliency, Time, and Surveillance Peter Swire Huang Professor of Law and Ethics Georgia Institute of Technology NAS/NRC Forum on.
Classification The Threat Environment Joyce Corell, NCSC Assistant Director for Supply Chain National Defense Industrial Association Global Supply Chain.

Classification The Threat Environment Joyce Corell, NCSC Assistant Director for Supply Chain National Defense Industrial Association Global Supply Chain.
“Encryption’s Vital Role in Safeguarding the Digital Economy” Professor Peter Swire Ohio State University ASSOCHAM International Conference Safeguarding.

“Encryption’s Vital Role in Safeguarding the Digital Economy” Professor Peter Swire Ohio State University ASSOCHAM International Conference Safeguarding.
Texas City Municipal Police Association 2012 Satisfaction Survey.

Texas City Municipal Police Association 2012 Satisfaction Survey.
Encryption and Globalization Professor Peter Swire IP Scholars Conference Chicago August 11, 2011.

Encryption and Globalization Professor Peter Swire IP Scholars Conference Chicago August 11, 2011.
Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.

Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.
CIAO.0209 - July 99 - 1 Critical Infrastructure Assurance Office Protecting America’s Cyberspace: Version 1.0 of the National Plan Jeffrey Hunker National.

CIAO July Critical Infrastructure Assurance Office Protecting America’s Cyberspace: Version 1.0 of the National Plan Jeffrey Hunker National.
Study conducted on behalf of Microsoft by Harris Interactive Inc. Study conducted on behalf of Microsoft by Harris Interactive, Inc. Study conducted on.

Study conducted on behalf of Microsoft by Harris Interactive Inc. Study conducted on behalf of Microsoft by Harris Interactive, Inc. Study conducted on.

Similar presentations

Ads by Google