SAN FRANCISCO -- Revelations about NSA monitoring activities over the last year show the potential for a police state mechanism, according to the former U.S. cybersecurity czar, but there is still time to avoid the dire consequences.
At the 2014 Cloud Security Alliance Summit, unofficial RSA Conference opener Richard Clarke, chairman of Washington, D.C.-based Good Harbor Consulting LLC, spoke to a packed audience. The former cybersecurity advisor to President Barack Obama discussed his involvement in the December 2013 report reviewing the data collection and monitoring capabilities at the National Security Agency, Central Intelligence Agency and the Federal Bureau of Investigation.
Clarke said that the reaction to leaks by former NSA contractor Edward Snowden has perhaps been overblown, because he described the employees at the three-letter agencies as "incredibly intelligent people" who are focused on combating terrorism and punishing violations of human rights. As part of the review process, Clarke and his group were given what he called carte blanche security clearances to review all of the agencies' intelligence-gathering capabilities.
Those employees are not currently listening to random phone calls and reading email, Clarke said, but that doesn't mean U.S. citizens should ignore the agencies' growing capabilities.
"In terms of collecting intelligence, they are very good. Far better than you could imagine," Clarke said. "But they have created, with the growth of technologies, the potential for a police state."
Clarke said such concerns are hardly new, pointing to the government committee headed by Sen. Frank Church in the 1970s. Church warned at the time that the technologies at intelligence agencies were developing at such an alarming rate that, if they were all turned on, the U.S. would never be able to turn them off, effectively creating a permanent police state in which the entire population would be under constant surveillance.
Though such warnings seem dire, Clarke noted that the seemingly endless scope of current government surveillance activities stemmed largely from a lack of strict guidance from policy makers. He said a major aspect of the report to the White House was simply prompting the questions that were previously unasked: What are our intelligence agencies collecting? What should they be collecting? If we should be collecting data, how do we safeguard it? If we're collecting data, how do we stay consistent with U.S. traditions of privacy and government oversight?
Those senior policymakers, who Clarke said have been disconnected from the process, now need to spend a "great deal of time" determining what types of data intelligence agencies should collect and what types of data should not be collected.
"If you're not specific, an agency that bugs phones is going to bug phones," Clarke said. "The NSA is an organization that's like a hammer, and everything looks like a nail."
Clarke warned that such measures are needed sooner rather than later. Harkening back to the terrorist attacks on September 11, 2001, which triggered a rash of security-focused legislation such as the Patriot Act that laid the foundation for the intelligence-gathering capabilities the U.S. government has today, he said another large terrorism event could push the country further toward a police state.
"The NSA, despite all the hoopla, has been a force of good. It could, with another president or after another 9/11, be a force not for good," Clarke said. "Once you give up your rights, you can never get them back. Once you turn on that police state, you can never turn it off."
Attendee David Ross, a consultant with Australia-based ANTACS Group, said that the Clarke talk drew many parallels to the political situation in Australia, where Indonesia and other nations in the region have been outraged by surveillance activities conducted by the Australian Signals Directorate. He said such discussions are largely "political point-scoring," though.
He personally isn't seriously concerned with government surveillance in Australia or the U.S., especially as his expertise in regard to encryption leads him to be careful about which standards he uses. Ross essentially agreed with Clarke's analogy of the NSA and other such agencies being hammers in search of nails.
"It's strange the public is amazed that the spying agencies are spying on people," said Ross.
Neil MacDonald, vice president at Stamford, Conn.-based Gartner Inc., said he thinks most people agree that the nation needs the intelligence these agencies provide, but that the real issues of concern are the breadth of what's being captured, the legal framework in which it's being captured and the oversight of who is capturing it.
"As we move forward," MacDonald said, "we need to proactively put the oversight in place so surveillance in the future is not misused."
U.S. cloud providers losing market share
Much of the discussion around the NSA revelations rightfully has been around civil liberties and personal privacy, but according to Clarke, the "policy mistakes" that led to widespread data surveillance are also having a negative impact on the business of U.S. cloud providers.
Though the scope is unclear, Clarke said that rival cloud providers in Europe and particularly Asia are successfully playing up the fears of potential NSA back doors in U.S.-based cloud services to their clients. Such selling points are laughable, he noted, considering government agencies around the world are engaged in many of the same activities as the NSA.
"The hilarious part is [U.S. cloud providers] don't have those back doors, but some of the Asian products do," said Clarke.
He also warned that calls from the European Union and elsewhere for data localization -- basically, measures to ensure that data is only stored within servers that are physically located in certain countries or regions -- are largely being driven by "economic considerations." Those countries want local companies to be more competitive against international cloud providers, Clarke said. Those countries have no real concern for whether such measures will mitigate surveillance activities.
"If you think that by passing a law requiring data localization stops the NSA from getting into those databases, think again," Clarke said. "It's being pushed by the bottom line."
Instead of relying on data localization, Clarke suggested that companies focus on actually securing their respective cloud environments, including taking steps to implement the standards provided by the Cloud Security Alliance.
Clarke did not absolve the U.S. government of responsibility, however. He said there are recommendations in the report to the White House that have yet to be adopted, but would improve the trust of U.S.-based cloud providers.
For example, government spy agencies should notify the world anytime they discover a potential zero-day vulnerability, according to Clarke, instead of stashing them away in an arsenal for future use. He said such measures are needed to protect U.S. companies against a barrage of nation-state-sponsored hackers and cybercriminal cartels, many of which rely on a growing black market of zero days to compromise organizations, ultimately costing the economy "hundreds of billions of dollars."
Clarke also recommended that the government appoint a strong and independent advisory board to oversee issues of privacy and civil liberties. A group known as the P Club does already exist within the government, he noted, but it currently lacks the needed authority to provide true oversight over intelligence agencies. U.S. citizens need a visible, accountable presence to be reassured that such matters are being tended to, said Clarke.
Perhaps the most vital area where the government needs to regain confidence is that of encryption, Clarke suggested, especially after reports surfaced late last year showing that the NSA may have paid security vendor RSA $10 million to implement a purposefully weakened random number-generation algorithm as the default option in its BSAFE line of products.
This is especially true in cloud environments, where perhaps the best route to data security is implementing trusted encryption standards for data in transit, in use and at rest.
"Not much really happened, but enough happened so that the trust in encryption has been greatly eroded," Clarke said. "The U.S. government has to get out of the business of f---ing with encryption standards."