Security & Privacy After Snowden: The Review Group & the USA Freedom Act Gartner Security & Risk Management Summit Peter Swire Senior Counsel, Alston & Bird LLP Huang Professor of Law and Ethics Scheller College of Business Georgia Institute of Technology June 10, 2015

Overview of the Talk
- USA Freedom Act passed last week
- Link between President's Review Group and USA Freedom
- NSA reform has gone surprisingly far
  - That story at
- Technology issues raised by the Review Group report
  - Tension between cyber offense and defense, for crypto and zero days
- The role of IT professionals

This happened last week: coincidence?
- Last Triple Crown Winner: Affirmed (1978); American Pharoah (2015)
- Last Foreign Intel Reform: FISA (1978); USA Freedom (2015)

Creation of the Review Group
- Snowden leaks of 215 and Prism in June, 2013
- August – Review Group named
- Report due in December
- 5 members

December 2013: The Situation Room

Our assigned task
- Protect national security
- Advance our foreign policy, including economic effects
- Protect privacy and civil liberties
- Maintain the public trust
- Reduce the risk of unauthorized disclosure

Our Report
- Meetings, briefings, public comments
- 300+ pages in December, 2013, republished by Princeton University Press
- 46 recommendations
- Section 215 database "not essential" to stopping any attack; recommend government not hold phone records
- Pres. Obama speech January 2014
  - Adopted 70% in letter or spirit

USA Freedom Act & RG Recommendations
- Section 215 order only with judicial approval and heightened standard (Rec 1)
- End government storage of bulk telephone data and have records held in private sector, accessible only with a judicial order (Rec 5)
- Similar limits on bulk collection: National Security Letters (Rec 2) and FISA pen/trap
- General rule limiting bulk collection (Rec 4) – the new law as a message to agency lawyers to watch out
- Greater transparency by government about foreign intelligence orders (Rec 9 & 10)
- Congressional approval of public interest advocates to represent privacy and civil liberties interests before the FISC (Rec 28)

Administration Measures
- In 2014, Administration already required a judge before looking at a phone number under Section 215
- Transparency, including FISC opinions, company transparency reports
- Some limits on "incidental collection" under Prism (Section 702)
- National Security Letters
  - Previously stayed secret 50 years (or longer)
  - New rule that secret no longer than 3 years, unless senior DOJ official finds essential

Administration Measures (2)
- White House oversight of the intelligence community:
  - More on this later in the talk
  - Sensitive intelligence collection
  - Surveillance of foreign leaders
  - Zero-day equities process
- Funding increases
  - In place for Privacy & Civil Liberties Oversight Board
  - Pending for Mutual Legal Assistance Treaty staffing and tech upgrades (current topic of my research)

Measures Affecting Non-US Persons
- Presidential Policy Directive 28
- History of spying – open season on foreign nationals outside your boundaries
- New human rights-style declaration that will treat non-US persons the same as US persons for foreign intelligence purposes, except where that won't work
  - For Germany? Syria?
- Minimization and dissemination rules apply. Privacy recognized as an integral part of the intelligence process.
- Hard to assess scope from the outside, but a change in philosophy

Measures Affecting Non-US Persons (2)
- US Privacy Act reform
  - Historically applies to US persons (citizens and lawful permanent residents), but not to non-US persons
  - Dept. of Homeland Security treats them the same
  - Administration support for this in statute, including judicial redress for non-US persons
- Good step, although limited scope of Privacy Act protections

Summary on NSA Reform
- What we have seen:
  - Biggest pro-privacy legal reform in intelligence since enactment of FISA in 1978
  - The administration's multiple reforms
  - USA Freedom sends a democratic message for agencies to be thoughtful about privacy
  - RG factual finding of strong compliance system in NSA
  - Tech companies have strengthened encryption & security for users in multiple ways
- To me, an encouraging response compared to the debates immediately after 9/11

Part 2: One Internet, Multiple Equities
- The same Internet for:
  - Intelligence, law enforcement
  - E-Commerce
  - Free speech & political dissent
  - All the fun stuff – cat videos
  - Military theaters of combat

One Internet -- Outline
- Effects are larger due to convergence of:
  - Domestic and civilian communications, with
  - Foreign, intelligence, and military communications
- One major area of debate for IT:
  - Larger tensions between offense and defense in cybersecurity

IC: Convergence of Communications
- Cold War
  - Soviet systems separate from U.S. systems
  - Main threat from nation states
  - U.S. citizens rarely made "long-distance" or "international" calls
- Today
  - One global Internet
  - Main threat from terrorists and others who swim in a sea of civilian communications
  - U.S. citizens have many communications that route outside of the U.S., where FISA rules are different
  - Mayer: "pervasive" information from U.S. browsing goes outside of the U.S.

Offense & Defense in Cybersecurity in Era of Converging Communications
- Offense was easier when there was a target "there" (in Warsaw Pact or military theater)
- Convergence means we are often targeting the same hardware, software, and systems that the good guys use
- Strong intelligence and military reasons for offensive capabilities
  - Intelligence advantages if one can access bulk data, globally, with lower risk of casualties than physical entry
  - Historical role of full-throttle offense for the military: crack Enigma and save the convoys
  - Military in the future - Cyber Command, analogous to the way the Air Force became key to offense
  - Where more critical infrastructure is online, offense against it is more valuable

Defense and Cybersecurity
- Old days:
  - Military (and NSA) have long had "information assurance," to protect own codes and communications
  - Where they find a flaw, they use the chain of command to fix it
  - Command and control, so the "patch" is installed
  - Operational security, with the goal that only the defenders learn of the patch
- Today:
  - Over 90% of critical infrastructure privately held
  - If you install a patch, you tip off outsiders: can't defend the "good guys" and still attack the "bad guys"
  - Cybersecurity has daily attacks against civilians, so defense is more important
  - No magic bullets to target only "them"; the offense also works against "us"

Review Group and Defense
- With convergence, much bigger effects on civilian-side defense if IC & military lean toward offense
- RG: Areas to strengthen defense:
  - Improve security of government systems
  - Address insider threat, etc.
  - Zero days
  - Encryption

Zero Days & the Equities Process
- A "zero day" exploit means a previously unused vulnerability, where defenders have had zero days to respond
- Press reports of USG stockpiling zero days, for intelligence & military use
- RG Rec 30: Lean to defense. New WH equities process to ensure vulnerabilities are blocked for USG and private networks. Exception if inter-agency process finds a priority to retain the zero day as secret.
- Software vendors and owners of corporate systems have strong interest in good defense
- WH adopted this this year

Strong Crypto for Defense
- Crypto Wars of the 1990's showed NSA & FBI interest in breaking encryption (offense)
- 1999 policy shift to permit export globally of strong encryption, necessary for Internet (defense)
- Press reports of recent NSA actions to undermine encryption standards & defeat encryption (offense)
- RG Rec 29: support strong crypto standards and software; secure communications a priority on the insecure Internet; don't push vendors to have back doors (defense)
- No announcement yet on this recommendation

Strong Crypto for Defense: The 90's
- Crypto Wars of the 1990's showed NSA & FBI interest in breaking encryption (offense)
- 1999 policy shift to permit export globally of strong encryption, necessary for Internet, to protect civil liberties (defense)
- Clipper Chip: proposal to build a back door (key escrow) into the hardware chips
- Prohibit export of strong encryption because crypto was a "munition"
- A lesson learned: key escrow doesn't work because the method of entry used by the "good guys" is a vulnerability to exploit for the bad guys
- Plus, other governments will insist on the keys – the least trusted country
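A constructed Python sketch of the lesson on this slide, added here and not part of the talk: messages are encrypted under per-session keys, once with a Clipper-style escrow field that wraps the session key under one fixed escrow key and once end-to-end. The HMAC-based stream cipher and the field name `leaf` are stand-ins for illustration; whoever holds the single escrow key reads every user's escrowed traffic, while the end-to-end variant gives that key holder nothing.

```python
import hashlib
import hmac
import os

# Constructed toy model of Clipper-style key escrow. The cipher is an
# HMAC-SHA256 counter-mode keystream standing in for a real block cipher;
# "leaf" mimics the field that carried the wrapped session key to the
# escrow holder. Illustration only, not a production design.

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Fresh random nonce per message, prepended to the ciphertext."""
    nonce = os.urandom(16)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

def send_escrowed(escrow_key: bytes, session_key: bytes, plaintext: bytes) -> dict:
    """Escrowed design: the session key travels alongside the message,
    wrapped under a fixed escrow key so the 'good guys' can open it later."""
    return {"leaf": encrypt(escrow_key, session_key), "ct": encrypt(session_key, plaintext)}

def send_end_to_end(session_key: bytes, plaintext: bytes) -> dict:
    """Hardened design: no third-party access field at all."""
    return {"ct": encrypt(session_key, plaintext)}

def read_as_recipient(session_key: bytes, msg: dict) -> bytes:
    return decrypt(session_key, msg["ct"])

def read_with_escrow_key(escrow_key: bytes, msg: dict):
    """Whoever holds the escrow key (the agency, a leaker, or another
    government that insisted on a copy) reads escrowed traffic without
    ever learning a user's session key. Returns None for end-to-end traffic."""
    if "leaf" not in msg:
        return None
    return decrypt(decrypt(escrow_key, msg["leaf"]), msg["ct"])

def demo():
    """One escrow key, three users: a single key compromise exposes all of them."""
    escrow_key = os.urandom(32)
    users = {name: os.urandom(32) for name in ("alice", "bob", "carol")}
    traffic = [send_escrowed(escrow_key, k, f"hello from {n}".encode()) for n, k in users.items()]
    exposed = [read_with_escrow_key(escrow_key, m) for m in traffic]
    e2e = send_end_to_end(users["alice"], b"hello from alice")
    return exposed, read_with_escrow_key(escrow_key, e2e), read_as_recipient(users["alice"], e2e)
```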

Strong Crypto for Defense: Today
- Press reports of NSA actions to undermine encryption standards & defeat encryption (offense)
- RG Rec 29: support strong crypto standards and software; secure communications a priority on the insecure Internet; don't push vendors to have back doors (defense)
- FBI Director Comey: criticized Apple & Google when they decided not to have a "master key" for phones
  - He worries about "going dark" due to strong crypto
  - A & G: this is good defense, good protection for our customers

"Going Dark" vs. "Golden Age of Surveillance"
- "Going Dark": when they have the phone, no way for FBI to open it
  - May be true, in a small number of cases
- Golden Age of Surveillance:
  - We all carry tracking devices
  - Meta-data of email, text, phone, SNS shows the co-conspirators
  - LOTS of other databases that didn't use to exist
- If you compare 1990 to 2015, the FBI has far greater capabilities today. Not "dark."
- My view: better to have effective defense against attackers with effective encryption

Internet Policy: Addressing Multiple Risks
- In addition to strengthening cyber-defense, there are multiple risks/equities in addition to national security:
  - Privacy & civil liberties
  - Allies
  - Business and the economy
  - Internet governance
- RG Recs 16 & 17: Weigh the multiple risks
  - New process & WH staff to review sensitive intelligence collection in advance
  - Senior policymakers from the economic agencies (NEC, Commerce, USTR) should participate

Summary on One Internet, Multiple Equities
- In addition to national security, we have crucial other equities:
  - Strengthen cyber-defense
  - Privacy & civil liberties
  - Allies
  - Business and the economy
  - Internet governance
- IC decisions in the context of these other equities
  - Strong crypto for defense more important than broken crypto for surveillance access
  - Fixing zero days for defense more important than having a shelf full of attacks

Part 3: The Role of IT Professionals
- You are at the center of all of the equities of the "One Internet, Multiple Equities" clash of goals
- ACM code of ethics – confidentiality & security
- New Internet Society/IETF security efforts, with ethics for IT professionals
- Lean toward defense for your own systems
- Inform the policy makers of what can be done and should be done

The 3 Themes
- NSA reform has out-performed the skeptics
  - A democratic affirmation of privacy checks and balances on surveillance
- One Internet, multiple equities
  - The IC cannot decide for all these equities
- The role of IT professionals
  - You build these systems

Conclusion
- There was no optimizing algorithm for the multiple tasks of the Review Group
- There is no optimizing algorithm for your tasks as IT professionals, to conduct surveillance, prevent intrusion, govern the Internet, etc.
- You are in the center of the great moral issues of our time
- We all need your participation and insights
- Let's get to work