Presentation is loading. Please wait.

Presentation is loading. Please wait.

Business Implications of the President’s Review Group Peter Swire Huang Professor of Law and Ethics Scheller College of Business Georgia Institute of Technology.

Published byLily Casey Modified over 9 years ago

Similar presentations

Presentation on theme: "Business Implications of the President’s Review Group Peter Swire Huang Professor of Law and Ethics Scheller College of Business Georgia Institute of Technology."— Presentation transcript:

1 Business Implications of the President’s Review Group Peter Swire Huang Professor of Law and Ethics Scheller College of Business Georgia Institute of Technology

2 Preface  Thank you for welcoming me to Scheller  A law professor, with business as well:  IT/privacy/cybersecurity  Housing finance & health care, including in government  Taught corporations, torts, antitrust, law & economics  Grew up in a family business and had real law clients  Look forward to getting to know more of you

3 Overview of the Talk  Intro to Review Group  Five business issues:  Business & economics issues into the IC calculus  US-based global businesses affected by IC decisions  Lean toward defense in cyber-security  Support better Internet governance  Upgrade against insider attacks  Two themes:  Same Internet for multiple purposes  Declining half life of secrets

4 Creation of the Review Group  Snowden leaks of 215 and Prism in June, 2013  August – Review Group  5 members  Diversity of backgrounds  Technology  Business  Insider status

5 Our assigned task  Protect national security  Advance our foreign policy, including economic effects  Protect privacy and civil liberties  Maintain the public trust  Reduce the risk of unauthorized disclosure

6 Our assigned task (2)  Protect national security  Advance our foreign policy, including economic effects  Protect privacy and civil liberties  Maintain the public trust  Reduce the risk of unauthorized disclosure  Q: A simple task for operations research maximization?  Focus today: implications for business/econ

7 Our Report  Meetings, briefings, public comments  300+ pages in December  46 recommendations  Section 215 database “not essential” to stopping any attack; recommend government not hold phone records  Pres. Obama speech January  Adopt 70% in letter or spirit  Additional recommendations under study  Organizational changes to NSA not adopted

8 Issue 1: Foreign Affairs/Economics  Major theme of the report is that we face multiple risks, not just national security risks  Effects on allies, foreign affairs  Risks to privacy & civil liberties  Risks to economic growth & business  Historically, intelligence community is heavily walled off, to maintain secrecy  NSA especially, signals intelligence, secret and dauntingly complex  Now, convergence of civilian and military/intelligence communications devices, software & networks  Q: How respond to the multiple risks?

9 Addressing Multiple Risks  RG Recs 16 & 17:  New process & WH staff to review sensitive intelligence collection in advance  Senior policymakers from the economic agencies (NEC, Commerce, USTR) should participate  Monitoring to ensure compliance with policy  RG Rec 19: New process for surveillance of foreign leaders  Relations with allies, with economic and other implications, if this surveillance becomes public

10 Issue 2: US-Based Cloud Companies in a Global Market  The issue: effects on US-based cloud industry  Understanding contrasting perspectives of IC and the IT industry  Intelligence community perspective:  Snowden a criminal; 0% say whistleblower  Substantial assistance to adversaries by ongoing revelations of sources & methods  E.g., reports on techniques for entering into “air- gapped” computer systems  IC Tradition of expecting secrecy over long time scale, so details of intelligence activities rarely disclosed and harms from disclosures rarely experienced

11 Tech Industry Perspective  Tech industry perspective:  Silicon Valley – 90% say whistleblower  Snowden has informed us about Internet realities  Tech industry libertarianism: “information wants to be free” and suspicion of government & secrecy  Anger at undermining encryption standards  More anger for stories that leased lines for Yahoo and Google servers were tapped  Microsoft GC: the US Government as an “advanced persistent threat”

12 What is at Stake for the IT Industry  Biggest focus on public cloud computing market  Double in size 2012-2016  Initial study estimated losses from Snowden at $21.5 billion/year  Cloud Security Alliance estimates up to $180 billion/year by 2016 – biggest effect from lower market share for new business  An opening for non-U.S. providers  Market currently dominated by US companies  Deutsche Telecomm and others: “Don’t put your data in the hands of the NSA and US providers”

13 The IT Industry Response  Focus of industry response: more transparency  Regular transparency reports already  One goal already had been to boost consumer confidence, especially overseas, such as for previous Patriot Act accusations  Lawsuit and lobbying to expand these reports  Industry opposition to non-disclosure (gag) orders for National Security Letters, etc.  Yahoo 2009 lost one then-secret challenge

14 Moving to More Transparency  RG Rec 9: OK to reveal number of orders, number they have complied with, information produced, and number for each legal authority (215, 702, NSL, etc.), unless compelling national security showing  RG Rec 31: US should advocate to ensure transparency for requests by other governments  Put more focus on actions of other governments  DOJ agreement with companies in January  More transparency, but not listed by legal authority  Ongoing debate, but companies want to stress this issue, to send message of security and public trust

15 Issue 3: Offense v. Defense for Cyber- security  The issue of trading off offense & defense:  NSA/IC offensive missions  Foreign intelligence surveillance  Title 10 – military authorities  US Cyber Command  NSA/IC defensive missions  Information Assurance Directorate of NSA  Protect government systems  Counter-intelligence  We use precisely one communications infrastructure for both offense and defense

16 Conflict between Offense & Defense Has Increased (1) Before: separate communications system behind the Iron Curtain; nation-state actors Now: same Internet for civilians, terrorists & military (2) Before: military protected its communication security within the chain of command Now: critical infrastructure largely civilian; tips to defense get known to attackers (3) Before: episodic flares of military action Now: daily & hourly cyber-attacks, to businesses and others, right here at home

17 Institutional Changes for Defense  RG Rec 24: split leadership of NSA and DoD’s Cyber Command  RG Rec 25: split Information Assurance Directorate of NSA into separate agency  Would put leadership on the side of defense  Asymmetric incentives in agency between offense and defense  These recommendations will not be adopted now, for plausible factual reasons

18 Strong Crypto for Defense  Crypto Wars of the 1990’s showed NSA & FBI interest in breaking encryption (offense)  1999 policy shift to permit export globally of strong encryption, necessary for Internet (defense)  Press reports of recent NSA actions to undermine encryption standards & break encryption  RG Rec 29: support strong crypto standards and software; secure communications a priority; don’t push vendors to have back doors (defense)  No announcement yet on this recommendation – it is a tech industry priority

19 Zero Days & the Equities Process  A “zero day” exploit means previously unused vulnerability, where defenders have had zero days to respond  Press reports of USG stockpiling zero days, for intelligence & military use  RG Rec 30: Lean to defense. New WH equities process to ensure vulnerabilities are blocked for USG and private networks. Exception if inter-agency process finds a priority to retain the zero day as secret.  Software vendors and owners of corporate systems have strong interest in good defense  No announcement yet on this recommendation

20 Issue 4: Internet Governance  The issue: Snowden becomes a huge talking point against the US approach to Internet governance. Potential harms to business, including US-based business.  Bottom-up vs. top-down Internet governance?  Localization rules – split the Internet?  Confidence (re)building and fostering international norms

21 International Telecommunications Union  US & US industry position: Internet governance as bottom-up, tech-based, multi-stakeholder process. Outputs: innovation, growth, Internet freedom, democracy.  Russia & China: push for major ITU role. Governance by governments. Respect local norms (called “cyber- security” but meaning “censorship”). Oppose “chaos” of current approach.  Swing votes at the ITU: medium-sized economies pay more for Internet service than rich countries, lose inter- connection fees, don’t know how to have a voice in W3C & IETF.

22 How to Bolster Multi-stakeholder  US Internet Freedom agenda – secure communications by dissenters, democratic freedom, human rights.  Russia & China: Snowden shows US hypocrisy.  Response: legal checks & balances in US; First Amendment; emphatically not used for political repression  RG Rec 32: senior State Department official on these issues  RG Rec 33: support multi-stakeholder approach  Many RG recs: reinforce privacy & civil liberties & oversight in foreign surveillance  PPD-28: extend protections to non-US persons

23 Localization Proposals  Brazil, Vietnam, Indonesia proposals to require storage locally  EU proposals to restrict data transfers to US; using T- TIP & Safe Harbor as bargaining chips for less US surveillance  RG: emphasize economic & other harms from localization/”splinternet”  Strengthen relations with allies  RG Rec 31: build international norm against localization  RG Rec 34: streamline multi-lateral assistance treaties (MLATs), so no need to hold data there, can get it in US

24 Issue 5: Insider Threats  The issue: if Snowden can happen to the NSA, is your company more secure than that?  Many RG recs to protect better against insider threats  Theme: system administrator as important threat  Snowden’s job was to move files  He did that  Response: separation of functions, reduce sys admin privileges  Theme: USG classified systems followed M&M model  Response: new access controls, auditing, and other measures within classified systems  Similar threats to business systems

25 The Lessons for Business  Business & economics issues into the IC calculus  US-based global businesses affected by IC decisions  Lean toward defense  Support better Internet governance  Upgrade against insider attacks

26 Broader themes: One Internet  The same communications infrastructure for numerous purposes – which should drive policy  IC and police have seen it as a surveillance Internet, after 9/11  Business sees it as E-commerce, for internal communications and to reach customers  Individual users – social networks, email, online shopping, much more  Political speech – a global engine for democracy and civil liberties  Global business & others will have to decide how to help build the Internet it wants

27 Theme: Declining Half Life of Secrets  The IC assumption was that secrets lasted a long time, such as 25-50 years  My belief – the half life of secrets has declined sharply  Electronic: “my goal is that leaks happen only by a printer”  No gatekeeper: Ellsberg needed NY Times; Manning has Wikileaks  Global dissemination: once it leaks, it’s gone  Crowd-sourcing – hard to penetrate massive networks at scale and not provide clues  Civil disobedience by younger techies

28 Implications of Declining Half Life of Secrets  Previously, the IC often ignored the “front page test”  Jack Nicholson & “you can’t handle the truth” in A Few Good Men  But, how many front page stories this year?  Declining half life of secrets means higher expected value of revelations – bigger negative effect if ignore the front page test  RG: effects on foreign affairs, economics, Internet governance, so USG should consider these multiple effects and not isolate IC decisions  For business, how well can you keep secrets if the NSA can’t?

29 Conclusion  Pessimists inclined to think that nothing will change  The RNC has endorsed ending 215 telephone program, plus many Democrats  Section 215 program quite possibly will end  DOJ agreed to the transparency agreement  EU privacy regulation seemed dead, but Snowden- related sentiments resulted this week in EU Parliament 621-10 in favor  We are in a period where change is possible here, even in Congress  I look forward to talking with you about what should come next

Download ppt "Business Implications of the President’s Review Group Peter Swire Huang Professor of Law and Ethics Scheller College of Business Georgia Institute of Technology."

Similar presentations

Security Through Obscurity: When It Works, When It Doesnt Peter P. Swire The Ohio State University DIMACS, Rutgers January 18, 2007.

Security Through Obscurity: When It Works, When It Doesnt Peter P. Swire The Ohio State University DIMACS, Rutgers January 18, 2007.
From Real-Time Intercepts to Stored Records: Why Encryption Drives the Government to Seek Access to the Cloud Peter Swire Moritz College of Law Ohio State.

From Real-Time Intercepts to Stored Records: Why Encryption Drives the Government to Seek Access to the Cloud Peter Swire Moritz College of Law Ohio State.
The Strategy of Using Security to Protect Privacy Peter P. Swire Ohio State University Consultant, Morrison & Foerster, LLP Data Protection Commissioner.

The Strategy of Using Security to Protect Privacy Peter P. Swire Ohio State University Consultant, Morrison & Foerster, LLP Data Protection Commissioner.
Freedom of Speech (Part 3)

Freedom of Speech (Part 3)
Security Through Obscurity: When It Works, When It Doesn’t Peter P. Swire The Ohio State University DIMACS, Rutgers January 18, 2007.

Security Through Obscurity: When It Works, When It Doesn’t Peter P. Swire The Ohio State University DIMACS, Rutgers January 18, 2007.
Spies, Drones, and Snowden: What’s the Future of US Intelligence? Dennis Bowden Adjunct Professor University of Central Florida.

Spies, Drones, and Snowden: What’s the Future of US Intelligence? Dennis Bowden Adjunct Professor University of Central Florida.
Safeguarding Data to Ensure Effective Data Use Paige Kowalski |Director| State Policy & Advocacy July 2014.

Safeguarding Data to Ensure Effective Data Use Paige Kowalski |Director| State Policy & Advocacy July 2014.
Information Technology Implications of the President’s Review Group Peter Swire Huang Professor of Law and Ethics Scheller College of Business Georgia.

Information Technology Implications of the President’s Review Group Peter Swire Huang Professor of Law and Ethics Scheller College of Business Georgia.
Privacy & Cybersecurity Compliance in the Post-Snowden World Compliance Week 2014 Conference Peter Swire Huang Professor of Law and Ethics.

Privacy & Cybersecurity Compliance in the Post-Snowden World Compliance Week 2014 Conference Peter Swire Huang Professor of Law and Ethics.
Cyber Security and the Global Business Environment Jeremy Schaar:)

Cyber Security and the Global Business Environment Jeremy Schaar:)
“Encryption’s Vital Role in Safeguarding the Digital Economy” Professor Peter Swire Ohio State University ASSOCHAM International Conference Safeguarding.

“Encryption’s Vital Role in Safeguarding the Digital Economy” Professor Peter Swire Ohio State University ASSOCHAM International Conference Safeguarding.
1 PRIVACY ISSUES IN THE U.S. – CANADA CROSS BORDER BUSINESS CONTEXT Presented by: Anneli LeGault ACC Greater New York Chapter Compliance Seminar May 19,

1 PRIVACY ISSUES IN THE U.S. – CANADA CROSS BORDER BUSINESS CONTEXT Presented by: Anneli LeGault ACC Greater New York Chapter Compliance Seminar May 19,
Electronic Privacy Does it exist?. Issue: Privacy concerns with library and bookseller records continue due to the reauthorization of Section 215. The.

Electronic Privacy Does it exist?. Issue: Privacy concerns with library and bookseller records continue due to the reauthorization of Section 215. The.
Policing the Internet: Higher Education Law and Policy Rodney Petersen, Policy Analyst Wendy Wigen, Policy Analyst EDUCAUSE.

Policing the Internet: Higher Education Law and Policy Rodney Petersen, Policy Analyst Wendy Wigen, Policy Analyst EDUCAUSE.
Encryption and Globalization Professor Peter Swire IP Scholars Conference Chicago August 11, 2011.

Encryption and Globalization Professor Peter Swire IP Scholars Conference Chicago August 11, 2011.
Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.

Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.
Coping with Electronic Records Setting Standards for Private Sector E-records Retention.

Coping with Electronic Records Setting Standards for Private Sector E-records Retention.
2015 Predicted Threats C YBER S ECURITY I NTELLIGENCE You got to be careful if you don’t know where you’re going, because you might not get there. – Yogi.

2015 Predicted Threats C YBER S ECURITY I NTELLIGENCE You got to be careful if you don’t know where you’re going, because you might not get there. – Yogi.
IT Security Readings A summary of Management's Role in Information Security in a Cyber Economy and The Myth of Secure Computing.

IT Security Readings A summary of Management's Role in Information Security in a Cyber Economy and The Myth of Secure Computing.
Why Privacy Now Goes Far Beyond Complying With Your Privacy Policy Peter Swire Facebook: June 3, 2015.

Why Privacy Now Goes Far Beyond Complying With Your Privacy Policy Peter Swire Facebook: June 3, 2015.

Similar presentations

Ads by Google