Intro to Review Group

Intro to Review Group

• Intro to Review Group

• Four business issues:

• Business & economics issues into the IC calculus
• US-based global businesses affected by IC decisions
• Lean toward defense in cyber-security
• Support better Internet governance

Snowden leaks of 215 and Prism in June, 2013

• Snowden leaks of 215 and Prism in June, 2013

• August – Review Group

• 5 members

December 2013: The Situation Room

• December 2013: The Situation Room

Protect national security

• Protect national security

• Advance our foreign policy, including economic effects

• Protect privacy and civil liberties

• Maintain the public trust

• Reduce the risk of unauthorized disclosure

Meetings, briefings, public comments

• Meetings, briefings, public comments

• 300+ pages in December

• 46 recommendations

• Section 215 database “not essential” to stopping any attack; recommend government not hold phone records; proposal this week basically agrees

• Pres. Obama speech January

• Adopt 70% in letter or spirit
• Additional recommendations under study
• Organizational changes to NSA not adopted

Major theme of the report is that we face multiple risks, not just national security risks

• Major theme of the report is that we face multiple risks, not just national security risks

• Effects on allies, foreign affairs
• Risks to privacy & civil liberties
• Risks to economic growth & business

• Historically, intelligence community is heavily walled off, to maintain secrecy

• Now, convergence of civilian and military/intelligence communications devices, software & networks

• Q: How respond to the multiple risks?

RG Recs 16 & 17:

• RG Recs 16 & 17:

• New process & WH staff to review sensitive intelligence collection in advance
• Senior policymakers from the economic agencies (NEC, Commerce, USTR) should participate
• Monitoring to ensure compliance with policy

• RG Rec 19: New process for surveillance of foreign leaders

• Relations with allies, with economic and other implications, if this surveillance becomes public

The issue: effects on US-based cloud industry

• The issue: effects on US-based cloud industry

• Understanding contrasting perspectives of IC and the IT industry

• Intelligence community perspective:

• Snowden a criminal; 0% say whistleblower
• Substantial assistance to adversaries by ongoing revelations of sources & methods
• E.g., reports on techniques for entering into “air-gapped” computer systems
• IC Tradition of expecting secrecy over long time scale, so details of intelligence activities rarely disclosed and harms from disclosures rarely experienced

Tech industry perspective:

• Tech industry perspective:

• Silicon Valley – 90% say whistleblower
• Snowden has informed us about Internet realities
• Tech industry libertarianism: “information wants to be free” and suspicion of government & secrecy
• Anger at undermining encryption standards
• More anger for stories that leased lines for Yahoo and Google servers were tapped
• Microsoft GC: the US Government as an “advanced persistent threat”

Biggest focus on public cloud computing market

• Biggest focus on public cloud computing market

• Double in size 2012-2016
• Studies estimate US business losses from NSA revelations: tens of billions $/year

• An opening for non-U.S. providers

• Market has been dominated by US companies
• Deutsche Telecomm and others: “Don’t put your data in the hands of the NSA and US providers”

• US industry response: more transparency

• Boost consumer confidence that the amount of government orders is modest

RG Rec 9: OK to reveal number of orders, number they have complied with, information produced, and number for each legal authority (215, 702, NSL, etc.), unless compelling national security showing

• RG Rec 9: OK to reveal number of orders, number they have complied with, information produced, and number for each legal authority (215, 702, NSL, etc.), unless compelling national security showing

• RG Rec 31: US should advocate to ensure transparency for requests by other governments

• Put more focus on actions of other governments

• DOJ agreement with companies in January

The issue of trading off offense & defense:

• The issue of trading off offense & defense:

• NSA/IC offensive missions
• Foreign intelligence surveillance
• Title 10 – military authorities
• US Cyber Command
• NSA/IC defensive missions
• Information Assurance Directorate of NSA
• Protect government systems
• Counter-intelligence
• We use precisely one communications infrastructure for both offense and defense

(1) Before: separate communications system behind the Iron Curtain; nation-state actors

• (1) Before: separate communications system behind the Iron Curtain; nation-state actors

• Now: same Internet for civilians, terrorists & military

• (2) Before: military protected its communication security within the chain of command

• Now: critical infrastructure largely civilian; tips to defense get known to attackers

• (3) Before: episodic flares of military action

• Now: daily & hourly cyber-attacks, to businesses and others, right here at home

RG Rec 29: support strong crypto standards and software; secure communications a priority; don’t push vendors to have back doors (defense)

• RG Rec 29: support strong crypto standards and software; secure communications a priority; don’t push vendors to have back doors (defense)

• No announcement yet on this recommendation – it is a tech industry priority

A “zero day” exploit means previously unused vulnerability, where defenders have had zero days to respond

• A “zero day” exploit means previously unused vulnerability, where defenders have had zero days to respond

• Press reports of USG stockpiling zero days, for intelligence & military use

• RG Rec 30: Lean to defense. New WH equities process to ensure vulnerabilities are blocked for USG and private networks. Exception if inter-agency process finds a priority to retain the zero day as secret.

• Software vendors and owners of corporate systems have strong interest in good defense

• No announcement yet on this recommendation

The issue: Snowden becomes a huge talking point against the US approach to Internet governance. Potential harms to business, including US-based business.

• The issue: Snowden becomes a huge talking point against the US approach to Internet governance. Potential harms to business, including US-based business.

US & US industry position: Internet governance as bottom-up, tech-based, multi-stakeholder process. Outputs: innovation, growth, Internet freedom, democracy.

• US & US industry position: Internet governance as bottom-up, tech-based, multi-stakeholder process. Outputs: innovation, growth, Internet freedom, democracy.

• Russia & China: push for major ITU role. Governance by governments. Respect local norms (called “cyber-security” but meaning “censorship”). Oppose “chaos” of current approach.

• Swing votes at the ITU: medium-sized economies pay more for Internet service than rich countries, lose inter-connection fees, don’t know how to have a voice in W3C & IETF.

US Internet Freedom agenda – secure communications by dissenters, democratic freedom, human rights.

• US Internet Freedom agenda – secure communications by dissenters, democratic freedom, human rights.

• Russia & China: Snowden shows US hypocrisy.

• Response: legal checks & balances in US; First Amendment; emphatically not used for political repression

• RG Rec 32: senior State Department official on these issues

• RG Rec 33: support multi-stakeholder approach

• Many RG recs: reinforce privacy & civil liberties & oversight in foreign surveillance

• PPD-28: extend protections to non-US persons

Brazil, Vietnam, Indonesia proposals to require storage locally

• Brazil, Vietnam, Indonesia proposals to require storage locally

• EU proposals to restrict data transfers to US; using T-TIP & Safe Harbor as bargaining chips for less US surveillance

• RG: emphasize economic & other harms from localization/”splinternet”

• Strengthen relations with allies

• RG Rec 31: build international norm against localization

• RG Rec 34: streamline multi-lateral assistance treaties (MLATs), so no need to hold data there, can get it in US

Business & economics issues into the IC calculus

• Business & economics issues into the IC calculus

• US-based global businesses affected by IC decisions

• Lean toward defense

• Support better Internet governance

Are pessimists correct that nothing will change?

• Are pessimists correct that nothing will change?

• Section 215 program quite possibly will end
• DOJ agreed to the transparency agreement
• EU privacy regulation seemed dead, but Snowden-related sentiments resulted this month in EU Parliament 621-10 in favor

• We are in a period where change is possible

• Businesses, and their advisors, should support changes that meet the multiple goals of our national and economic security