Intro to Review Group



Date: 20.02.2018



Intro to Review Group

  • Four business issues:

    • Business & economics issues into the IC calculus
    • US-based global businesses affected by IC decisions
    • Lean toward defense in cyber-security
    • Support better Internet governance


Snowden leaks of 215 and Prism in June, 2013

  • August – Review Group

  • 5 members



December 2013: The Situation Room



Protect national security

  • Advance our foreign policy, including economic effects

  • Protect privacy and civil liberties

  • Maintain the public trust

  • Reduce the risk of unauthorized disclosure



Meetings, briefings, public comments

  • 300+ pages in December

  • 46 recommendations

    • Section 215 database “not essential” to stopping any attack; recommend government not hold phone records; proposal this week basically agrees
  • Pres. Obama speech January

    • Adopt 70% in letter or spirit
    • Additional recommendations under study
    • Organizational changes to NSA not adopted


Major theme of the report is that we face multiple risks, not just national security risks

    • Effects on allies, foreign affairs
    • Risks to privacy & civil liberties
    • Risks to economic growth & business
  • Historically, intelligence community is heavily walled off, to maintain secrecy

    • Now, convergence of civilian and military/intelligence communications devices, software & networks
  • Q: How to respond to the multiple risks?



RG Recs 16 & 17:

    • New process & WH staff to review sensitive intelligence collection in advance
    • Senior policymakers from the economic agencies (NEC, Commerce, USTR) should participate
    • Monitoring to ensure compliance with policy
  • RG Rec 19: New process for surveillance of foreign leaders



The issue: effects on US-based cloud industry

  • Understanding contrasting perspectives of IC and the IT industry

  • Intelligence community perspective:

    • Snowden a criminal; 0% say whistleblower
    • Substantial assistance to adversaries by ongoing revelations of sources & methods
      • E.g., reports on techniques for entering into “air-gapped” computer systems
    • IC tradition of expecting secrecy over a long time scale, so details of intelligence activities are rarely disclosed and harms from disclosures rarely experienced


Tech industry perspective:

    • Silicon Valley – 90% say whistleblower
    • Snowden has informed us about Internet realities
    • Tech industry libertarianism: “information wants to be free” and suspicion of government & secrecy
    • Anger at undermining encryption standards
    • More anger for stories that leased lines for Yahoo and Google servers were tapped
      • Microsoft GC: the US Government as an “advanced persistent threat”


Biggest focus on public cloud computing market

    • Double in size 2012-2016
    • Studies estimate US business losses from NSA revelations: tens of billions $/year
  • An opening for non-U.S. providers

    • Market has been dominated by US companies
    • Deutsche Telekom and others: “Don’t put your data in the hands of the NSA and US providers”
  • US industry response: more transparency

    • Boost consumer confidence that the amount of government orders is modest


RG Rec 9: OK to reveal number of orders, number they have complied with, information produced, and number for each legal authority (215, 702, NSL, etc.), unless compelling national security showing

  • RG Rec 31: US should advocate to ensure transparency for requests by other governments

    • Put more focus on actions of other governments
  • DOJ agreement with companies in January



The issue of trading off offense & defense:

    • NSA/IC offensive missions
    • NSA/IC defensive missions
      • Information Assurance Directorate of NSA
      • Protect government systems
      • Counter-intelligence
    • We use precisely one communications infrastructure for both offense and defense


(1) Before: separate communications system behind the Iron Curtain; nation-state actors

  • Now: same Internet for civilians, terrorists & military

  • (2) Before: military protected its communication security within the chain of command

  • Now: critical infrastructure largely civilian; tips to defense get known to attackers

  • (3) Before: episodic flares of military action

  • Now: daily & hourly cyber-attacks, to businesses and others, right here at home



RG Rec 29: support strong crypto standards and software; secure communications a priority; don’t push vendors to have back doors (defense)

  • No announcement yet on this recommendation – it is a tech industry priority



A “zero day” exploit means previously unused vulnerability, where defenders have had zero days to respond

  • Press reports of USG stockpiling zero days, for intelligence & military use

  • RG Rec 30: Lean to defense. New WH equities process to ensure vulnerabilities are blocked for USG and private networks. Exception if inter-agency process finds a priority to retain the zero day as secret.

  • Software vendors and owners of corporate systems have strong interest in good defense

  • No announcement yet on this recommendation



The issue: Snowden becomes a huge talking point against the US approach to Internet governance. Potential harms to business, including US-based business.



US & US industry position: Internet governance as bottom-up, tech-based, multi-stakeholder process. Outputs: innovation, growth, Internet freedom, democracy.

  • Russia & China: push for major ITU role. Governance by governments. Respect local norms (called “cyber-security” but meaning “censorship”). Oppose “chaos” of current approach.

  • Swing votes at the ITU: medium-sized economies pay more for Internet service than rich countries, lose inter-connection fees, don’t know how to have a voice in W3C & IETF.



US Internet Freedom agenda – secure communications by dissenters, democratic freedom, human rights.

  • Russia & China: Snowden shows US hypocrisy.

  • Response: legal checks & balances in US; First Amendment; emphatically not used for political repression

  • RG Rec 32: senior State Department official on these issues

  • RG Rec 33: support multi-stakeholder approach

  • Many RG recs: reinforce privacy & civil liberties & oversight in foreign surveillance

  • PPD-28: extend protections to non-US persons



Brazil, Vietnam, Indonesia proposals to require storage locally

  • EU proposals to restrict data transfers to US; using T-TIP & Safe Harbor as bargaining chips for less US surveillance

  • RG: emphasize economic & other harms from localization / “splinternet”

  • Strengthen relations with allies

  • RG Rec 31: build international norm against localization

  • RG Rec 34: streamline mutual legal assistance treaties (MLATs), so there is no need to hold data there; it can be obtained in the US



Business & economics issues into the IC calculus

  • US-based global businesses affected by IC decisions

  • Lean toward defense

  • Support better Internet governance



Are pessimists correct that nothing will change?

    • Section 215 program quite possibly will end
    • DOJ agreed to the transparency agreement
    • EU privacy regulation seemed dead, but Snowden-related sentiments resulted this month in EU Parliament 621-10 in favor
  • We are in a period where change is possible

  • Businesses, and their advisors, should support changes that meet the multiple goals of our national and economic security


