Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security & Privacy After Snowden: The Review Group & the USA Freedom Act Gartner Security & Risk Management Summit Peter Swire Senior Counsel, Alston &

Published byLoreen Simpson Modified over 8 years ago

Similar presentations

Presentation on theme: "Security & Privacy After Snowden: The Review Group & the USA Freedom Act Gartner Security & Risk Management Summit Peter Swire Senior Counsel, Alston &"— Presentation transcript:

1 Security & Privacy After Snowden: The Review Group & the USA Freedom Act Gartner Security & Risk Management Summit Peter Swire Senior Counsel, Alston & Bird LLP Huang Professor of Law and Ethics Scheller College of Business Georgia Institute of Technology June 10, 2015

2 Overview of the Talk  USA Freedom Act passed last week  Link between President’s Review Group and USA Freedom  NSA reform has gone surprisingly far  That story at www.peterswire.netwww.peterswire.net  Technology issues raised by the Review Group report  Tension between cyber offense and defense, for crypto and zero days  The role of IT professionals

3 This happened last week: coincidence? Last Triple Crown Winner: Affirmed (1978); American Pharaoh (2015) Last Foreign Intel Reform: FISA (1978); USA Freedom (2015)

4 Creation of the Review Group  Snowden leaks of 215 and Prism in June, 2013  August – Review Group named  Report due in December  5 members

5 December 2013: The Situation Room

6 Our assigned task  Protect national security  Advance our foreign policy, including economic effects  Protect privacy and civil liberties  Maintain the public trust  Reduce the risk of unauthorized disclosure

7 Our Report  Meetings, briefings, public comments  300+ pages in December, 2013, republished Princeton University Press  46 recommendations  Section 215 database “not essential” to stopping any attack; recommend government not hold phone records  Pres. Obama speech January 2014  Adopt 70% in letter or spirit

8 USA Freedom Act & RG Recommendations  Section 215 order only with judicial approval and heightened standard (Rec 1)  End government storage of bulk telephone data and have records held in private sector, accessible only with a judicial order (Rec 5)  Similar limits on bulk collection: National Security Letters (Rec 2) and FISA pen/trap  General rule limiting bulk collection (Rec 4) – the new law as a message to agency lawyers to watch out  Greater transparency by government about foreign intelligence orders (Rec 9 & 10)  Congressional approval of public interest advocates to represent privacy and civil liberties interests before the FISC (Rec 28)

9 Administration Measures  In 2014, Administration already required judge before looking at a phone number under Section 215  Transparency, including FISC opinions, company transparency reports  Some limits on “incidental collection” under Prism (Section 702)  National Security Letters  Previously stayed secret 50 years (or longer)  New rule that secret no longer than 3 years, unless senior DOJ official finds essential

10 Administration Measures (2)  White House oversight of the intelligence community:  More on this later in the talk  Sensitive intelligence collection  Surveillance of foreign leaders  Zero-day equities process  Funding increases  In place for Privacy & Civil Liberties Oversight Board  Pending for Mutual Legal Assistance Treaty staffing and tech upgrades (current topic of my research)

11 Measures Affecting Non-US Persons  Presidential Policy Directive 28  History of spying – open season on foreign nationals outside your boundaries  New human rights-style declaration that will treat non US persons the same as US persons for foreign intelligence purposes, except where that won’t work  For Germany? Syria?  Minimization and dissemination rules apply. Privacy recognized as an integral part of intelligence process.  Hard to assess scope from the outside but a change in philosophy

12 Measures Affecting Non-US Persons (2)  US Privacy Act reform  History that applies to US persons (citizens and lawful permanent residents), but not to non-US persons  Dept. of Homeland Security treats the same  Administration support for this in statute, including judicial redress for non-US persons.  Good step, although limited scope of Privacy Act protections

13 Summary on NSA Reform  What we have seen:  Biggest pro-privacy legal reform in intelligence since enactment of FISA in 1978  The administration’s multiple reforms  USA Freedom sends a democratic message for agencies to be thoughtful about privacy  RG factual finding of strong compliance system in NSA  Tech companies have strengthened encryption & security for users in multiple ways  To me, an encouraging response compared to the debates immediately after 9/11

14 Part 2: One Internet, Multiple Equities  The same Internet for:  Intelligence, law enforcement  E-Commerce  Free speech & political dissent  All the fun stuff – cat videos  Military theaters of combat

15 One Internet -- Outline  Effects are larger due to convergence of:  Domestic and civilian communications, with  Foreign, intelligence, and military communications  One major area of debate for IT:  Larger tensions between offense and defense in cybersecurity

16 IC: Convergence of Communications  Cold War  Soviet systems separate from U.S. systems  Main threat from nation states  U.S. citizens rarely made “long-distance” or “international” calls  Today  One global Internet  Main threat from terrorists and others who swim in a sea of civilian communications  U.S. citizens have many communications that route outside of the U.S., where FISA rules are different  Mayer: “pervasive” information from U.S. browsing goes outside of U.S.

17 Offense & Defense in Cybersecurity in Era of Converging Communications  Offense was easier when there was a target “there” (in Warsaw Pact or military theater)  Convergence means we are often targeting the same hardware, software, and systems that the good guys use  Strong intelligence and military reasons for offensive capabilities  Intelligence advantages if can access bulk data, globally, with lower risk of casualties than physical entry  Historical role of full-throttle offense for the military: crack Enigma and save the convoys  Military in the future - Cyber Command, analogous to the way the Air Force became key to offense  Where more critical infrastructure is online, then offense against it more valuable

18 Defense and Cybersecurity  Old days:  Military (and NSA) have long had “information assurance,” to protect own codes and communications  Where find a flaw, then use chain of command to fix it  Command and control, so “patch” is installed  Operational security, with goal that only the defenders learn of the patch  Today:  Over 90% of critical infrastructure privately held  If install a patch, then tip off outsiders: can’t defend the “good guys” and still attack the “bad guys”  Cybersecurity has daily attacks against civilians, so defense is more important  No magic bullets to target only “them”; the offense also works against “us”

19 Review Group and Defense  With convergence, much bigger effects on civilian-side defense if IC & military lean toward offense  RG: Areas to strengthen defense:  Improve security of government systems  Address insider threat, etc.  Zero days  Encryption

20 Zero Days & the Equities Process  A “zero day” exploit means previously unused vulnerability, where defenders have had zero days to respond  Press reports of USG stockpiling zero days, for intelligence & military use  RG Rec 30: Lean to defense. New WH equities process to ensure vulnerabilities are blocked for USG and private networks. Exception if inter-agency process finds a priority to retain the zero day as secret.  Software vendors and owners of corporate systems have strong interest in good defense  WH adopted this this year

21 Strong Crypto for Defense  Crypto Wars of the 1990’s showed NSA & FBI interest in breaking encryption (offense)  1999 policy shift to permit export globally of strong encryption, necessary for Internet (defense)  Press reports of recent NSA actions to undermine encryption standards & defeat encryption (offense)  RG Rec 29: support strong crypto standards and software; secure communications a priority on the insecure Internet; don’t push vendors to have back doors (defense)  No announcement yet on this recommendation

22 Strong Crypto for Defense: The 90’s  Crypto Wars of the 1990’s showed NSA & FBI interest in breaking encryption (offense)  1999 policy shift to permit export globally of strong encryption, necessary for Internet, to protect civil liberties (defense)  Clipper Chip: proposal to build a back door (key escrow) into the hardware chips  Prohibit export of strong encryption because crypto was a “munition”  A lesson learned: key escrow doesn’t work because the method of entry used by the “good guys” is a vulnerability to exploit for the bad guys  Plus, other governments will insist on the keys – the least trusted country

23 Strong Crypto for Defense: Today  Press reports of NSA actions to undermine encryption standards & defeat encryption (offense)  RG Rec 29: support strong crypto standards and software; secure communications a priority on the insecure Internet; don’t push vendors to have back doors (defense)  FBI Director Comey: criticize Apple & Google when they decided not to have a “master key” for phones  He worries about “going dark” due to strong crypto  A & G: this is good defense, good protection for our customers

24 “Going Dark” vs. “Golden Age of Surveillance”  “Going Dark”: when have the phone, no way for FBI to open it  May be true, in small number of cases  Golden Age of Surveillance:  We all carry tracking devices  Meta-data of email, text, phone, SNS shows the co- conspirators  LOTS of other databases that didn’t use to exist  If compare 1990 to 2015, the FBI has far greater capabilities today. Not “dark.”  My view: better to have effective defense against attackers with effective encryption

25 Internet Policy: Addressing Multiple Risks  In addition to strengthening cyber-defense, there are multiple risks/equities in addition to national security:  Privacy & civil liberties  Allies  Business and the economy  Internet governance  RG Recs 16 & 17: Weigh the multiple risks  New process & WH staff to review sensitive intelligence collection in advance  Senior policymakers from the economic agencies (NEC, Commerce, USTR) should participate

26 Summary on One Internet, Multiple Equities  In addition to national security, have crucial other equities:  Strengthen cyber-defense  Privacy & civil liberties  Allies  Business and the economy  Internet governance  IC decisions in the context of these other equities  Strong crypto for defense more important than broken crypto for surveillance access  Fix zero days for defense more important than having a shelf full of attacks

27 Part 3: The Role of IT Professionals  You are at the center of all of the equities of the “One Internet, Multiple Equities” clash of goals  ACM code of ethics – confidentiality & security  New Internet Society/IETF security efforts, with ethics for IT professionals  Lean toward defense for your own systems  Inform the policy makers of what can be done and should be done=

28 The 3 Themes  NSA reform has out-performed the skeptics  A democratic affirmation of privacy checks and balances on surveillance  One Internet, multiple equities  The IC cannot decide for all these equities  The role of IT professionals  You build these systems

29 Conclusion  There was no optimizing algorithm for the multiple tasks of the Review Group  There is no optimizing algorithm for your tasks as IT professionals, to conduct surveillance, prevent intrusion, govern the Internet, etc.  You are in the center of the great moral issues of our time  We all need your participation and insights  Let’s get to work

Download ppt "Security & Privacy After Snowden: The Review Group & the USA Freedom Act Gartner Security & Risk Management Summit Peter Swire Senior Counsel, Alston &"

Similar presentations

TECHNO-TONOMY Privacy & Autonomy in a Networked World Learning Module 2: Legislating Privacy: Your Rights.

TECHNO-TONOMY Privacy & Autonomy in a Networked World Learning Module 2: Legislating Privacy: Your Rights.
Telecom, Privacy & Security After September 11 Professor Peter P. Swire Ohio State University Ohio Telecommunications Industry Association October 2, 2001.

Telecom, Privacy & Security After September 11 Professor Peter P. Swire Ohio State University Ohio Telecommunications Industry Association October 2, 2001.
Better Security and Privacy for Home Broadband Peter P. Swire Moritz College of Law The Ohio State University Morrison & Foerster LLP Privacy 2002 Conference.

Better Security and Privacy for Home Broadband Peter P. Swire Moritz College of Law The Ohio State University Morrison & Foerster LLP Privacy 2002 Conference.
Gag Rules and Information Flows: Or, How to Do Secret Surveillance in an Open Society Peter P. Swire Ohio State University Modest Proposals Conference.

Gag Rules and Information Flows: Or, How to Do Secret Surveillance in an Open Society Peter P. Swire Ohio State University Modest Proposals Conference.
Security Through Obscurity: When It Works, When It Doesnt Peter P. Swire The Ohio State University DIMACS, Rutgers January 18, 2007.

Security Through Obscurity: When It Works, When It Doesnt Peter P. Swire The Ohio State University DIMACS, Rutgers January 18, 2007.
From Real-Time Intercepts to Stored Records: Why Encryption Drives the Government to Seek Access to the Cloud Peter Swire Moritz College of Law Ohio State.

From Real-Time Intercepts to Stored Records: Why Encryption Drives the Government to Seek Access to the Cloud Peter Swire Moritz College of Law Ohio State.
The Role of the Federal Government in Privacy Policy Professor Peter P. Swire The Ohio State University Center for American Progress The Privacy Symposium,

The Role of the Federal Government in Privacy Policy Professor Peter P. Swire The Ohio State University Center for American Progress The Privacy Symposium,
The Strategy of Using Security to Protect Privacy Peter P. Swire Ohio State University Consultant, Morrison & Foerster, LLP Data Protection Commissioner.

The Strategy of Using Security to Protect Privacy Peter P. Swire Ohio State University Consultant, Morrison & Foerster, LLP Data Protection Commissioner.
AFCEA DC Cyber Security Symposium Military Joint Cyber Command Panel Harry Raduege Lieutenant General, USAF (Ret) Chairman, Center for Network Innovation.

AFCEA DC Cyber Security Symposium Military Joint Cyber Command Panel Harry Raduege Lieutenant General, USAF (Ret) Chairman, Center for Network Innovation.
Security Through Obscurity: When It Works, When It Doesn’t Peter P. Swire The Ohio State University DIMACS, Rutgers January 18, 2007.

Security Through Obscurity: When It Works, When It Doesn’t Peter P. Swire The Ohio State University DIMACS, Rutgers January 18, 2007.
Spies, Drones, and Snowden: What’s the Future of US Intelligence? Dennis Bowden Adjunct Professor University of Central Florida.

Spies, Drones, and Snowden: What’s the Future of US Intelligence? Dennis Bowden Adjunct Professor University of Central Florida.
Safeguarding Data to Ensure Effective Data Use Paige Kowalski |Director| State Policy & Advocacy July 2014.

Safeguarding Data to Ensure Effective Data Use Paige Kowalski |Director| State Policy & Advocacy July 2014.
Information Technology Implications of the President’s Review Group Peter Swire Huang Professor of Law and Ethics Scheller College of Business Georgia.

Information Technology Implications of the President’s Review Group Peter Swire Huang Professor of Law and Ethics Scheller College of Business Georgia.
Privacy & Cybersecurity Compliance in the Post-Snowden World Compliance Week 2014 Conference Peter Swire Huang Professor of Law and Ethics.

Privacy & Cybersecurity Compliance in the Post-Snowden World Compliance Week 2014 Conference Peter Swire Huang Professor of Law and Ethics.
Some Thoughts on Cyber-Resiliency, Time, and Surveillance Peter Swire Huang Professor of Law and Ethics Georgia Institute of Technology NAS/NRC Forum on.

Some Thoughts on Cyber-Resiliency, Time, and Surveillance Peter Swire Huang Professor of Law and Ethics Georgia Institute of Technology NAS/NRC Forum on.
“Encryption’s Vital Role in Safeguarding the Digital Economy” Professor Peter Swire Ohio State University ASSOCHAM International Conference Safeguarding.

“Encryption’s Vital Role in Safeguarding the Digital Economy” Professor Peter Swire Ohio State University ASSOCHAM International Conference Safeguarding.
Electronic Privacy Does it exist?. Issue: Privacy concerns with library and bookseller records continue due to the reauthorization of Section 215. The.

Electronic Privacy Does it exist?. Issue: Privacy concerns with library and bookseller records continue due to the reauthorization of Section 215. The.
Encryption and Globalization Professor Peter Swire IP Scholars Conference Chicago August 11, 2011.

Encryption and Globalization Professor Peter Swire IP Scholars Conference Chicago August 11, 2011.
Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.

Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.
Chapter 17 Controls and Security Measures

Chapter 17 Controls and Security Measures

Similar presentations

Ads by Google