
Richard Clarke: NSA revelations show potential for police state

At the 2014 CSA Summit, presidential cybersecurity advisor Richard Clarke said NSA monitoring efforts are negatively affecting U.S. cloud providers.

SAN FRANCISCO -- Revelations about NSA monitoring activities over the last year show the potential for a police state mechanism, according to the former U.S. cybersecurity czar, but there is still time to avoid the dire consequences.


At the 2014 Cloud Security Alliance Summit, unofficial RSA Conference opener Richard Clarke, chairman of Washington, D.C.-based Good Harbor Consulting LLC, spoke to a packed audience. The former cybersecurity advisor to President Barack Obama discussed his involvement in the December 2013 report reviewing the data collection and monitoring capabilities at the National Security Agency, Central Intelligence Agency and the Federal Bureau of Investigation.

Clarke said that the reaction to leaks by former NSA contractor Edward Snowden has perhaps been overblown, because he described the employees at the three-letter agencies as "incredibly intelligent people" who are focused on combating terrorism and punishing violations of human rights. As part of the review process, Clarke and his group were given what he called carte blanche security clearances to review all of the agencies' intelligence-gathering capabilities.

Those employees are not currently listening to random phone calls and reading email, Clarke said, but that doesn't mean U.S. citizens should ignore the agencies' growing capabilities.

"In terms of collecting intelligence, they are very good. Far better than you could imagine," Clarke said. "But they have created, with the growth of technologies, the potential for a police state."


Clarke said such concerns are hardly new, pointing to the government committee headed by Sen. Frank Church in the 1970s. Church warned at the time that the technologies at intelligence agencies were developing at such an alarming rate that, if they were all turned on, the U.S. would never be able to turn them off, effectively creating a permanent police state in which the entire populace would be under constant surveillance.

Though such warnings seem dire, Clarke noted that the seemingly endless scope of current government surveillance activities stemmed largely from a lack of strict guidance from policy makers. He said a major aspect of the report to the White House was simply prompting the questions that were previously unasked: What are our intelligence agencies collecting? What should they be collecting? If we should be collecting data, how do we safeguard it? If we're collecting data, how do we stay consistent with U.S. traditions of privacy and government oversight?

Those senior policymakers, who Clarke said have been disconnected from the process, now need to spend a "great deal of time" determining what types of data intelligence agencies should collect and what types should not be collected.

"If you're not specific, an agency that bugs phones is going to bug phones," Clarke said. "The NSA is an organization that's like a hammer, and everything looks like a nail."

Clarke warned that such measures are needed sooner rather than later. He harked back to the terrorist attacks of September 11, 2001, which triggered a rash of security-focused legislation such as the Patriot Act that laid the foundation for the intelligence-gathering capabilities the U.S. government has today, and said another large terrorism event could push the country further toward a police state.

"The NSA, despite all the hoopla, has been a force of good. It could, with another president or after another 9/11, be a force not for good," Clarke said. "Once you give up your rights, you can never get them back. Once you turn on that police state, you can never turn it off."

Attendee David Ross, a consultant with Australia-based ANTACS Group, said that the Clarke talk drew many parallels to the political situation in Australia, where Indonesia and other nations in the region have been outraged by surveillance activities conducted by the Australian Signals Directorate. He said such discussions are largely "political point-scoring," though.

He personally isn't seriously concerned with government surveillance in Australia or the U.S., especially as his expertise in regard to encryption leads him to be careful about which standards he uses. Ross essentially agreed with Clarke's analogy of the NSA and other such agencies being hammers in search of nails.

"It's strange the public is amazed that the spying agencies are spying on people," said Ross.

Neil MacDonald, vice president at Stamford, Conn.-based Gartner Inc., said he thinks most people agree that the nation needs the intelligence these agencies provide, but that the real issues of concern are the breadth of what's being captured, the legal framework in which it's being captured and the oversight of who is capturing it.

"As we move forward," MacDonald said, "we need to proactively put the oversight in place so surveillance in the future is not misused."

U.S. cloud providers losing market share

Much of the discussion around the NSA revelations rightfully has been around civil liberties and personal privacy, but according to Clarke, the "policy mistakes" that led to widespread data surveillance are also having a negative impact on the business of U.S. cloud providers.

Though the scope is unclear, Clarke said that rival cloud providers in Europe and particularly Asia are successfully playing up the fears of potential NSA back doors in U.S.-based cloud services to their clients. Such selling points are laughable, he noted, considering government agencies around the world are engaged in many of the same activities as the NSA. 


"The hilarious part is [U.S. cloud providers] don't have those back doors, but some of the Asian products do," said Clarke.

He also warned that calls from the European Union and elsewhere for data localization -- basically, measures to ensure that data is only stored within servers that are physically located in certain countries or regions -- are largely being driven by "economic considerations." Those countries want local companies to be more competitive against international cloud providers, Clarke said. Those countries have no real concern for whether such measures will mitigate surveillance activities.

"If you think that by passing a law requiring data localization stops the NSA from getting into those databases, think again," Clarke said. "It's being pushed by the bottom line."

Instead of relying on data localization, Clarke suggested that companies focus on actually securing their respective cloud environments, including taking steps to implement the standards provided by the Cloud Security Alliance.

Clarke did not absolve the U.S. government of responsibility, however. He said there are recommendations in the report to the White House that have yet to be adopted, but would improve the trust of U.S.-based cloud providers.

For example, government spy agencies should notify the world anytime they discover a potential zero-day vulnerability, according to Clarke, instead of stashing them away in an arsenal for future use. He said such measures are needed to protect U.S. companies against a barrage of nation-state-sponsored hackers and cybercriminal cartels, many of which rely on a growing black market of zero days to compromise organizations, ultimately costing the economy "hundreds of billions of dollars."

Clarke also recommended that the government appoint a strong and independent advisory board to oversee issues of privacy and civil liberties. A group known as the P Club does already exist within the government, he noted, but it currently lacks the needed authority to provide true oversight over intelligence agencies. U.S. citizens need a visible, accountable presence to be reassured that such matters are being tended to, said Clarke.

Perhaps the most vital area where the government needs to regain confidence is that of encryption, Clarke suggested, especially after reports surfaced late last year showing that the NSA may have paid security vendor RSA $10 million to implement a purposefully weakened random number generation algorithm as the default option in its BSAFE line of products.

This is especially true in cloud environments, where perhaps the best route to data security is implementing trusted encryption standards for data in transmission, in use and at rest.

"Not much really happened, but enough happened so that the trust in encryption has been greatly eroded," Clarke said. "The U.S. government has to get out of the business of f---ing with encryption standards."

Americans shouldn't have to choose between new technology and keeping their personal information private. Protections for online privacy are justified and necessary, and the government must help draw boundaries to ensure that Americans' privacy stays intact in the Digital Age. DOES NOT collect your personal information. Regarding online privacy, we have heard people say they have nothing to hide and don't care if their privacy is violated. Sadly, they are missing the point. As Americans, it is about standing up for our privacy rights as law-abiding citizens per the Constitution.
Our Fourth Amendment protects us against unreasonable searches and seizures, which is being violated every day by many email providers, hackers and government agencies through unwarranted searches. One only needs to read the U.S. Patriot Act or the latest CISPA legislation to verify this disturbing trend.
Good article, needs work.
This document is so flawed, I wonder why it was written. Highlights (sorry in advance for my English): Speaker, former Govt, hmmm, can only reveal what signed security disclosure will allow him or he goes to jail. Employees not spying locally, or watching ex-wives, or activities of said? Humans like you and me. Agency's growing capabilities, what, not large enough already? Collecting intelligence, far better than you can imagine - "I dunno, I can imagine a lot" - Han Solo. 1970s tech, what a diversion? 1970 tech, rotary phone? Exploding pen? Policy makers usually politically motivated 'users' who don't have a clue on the true nature, or capability, of technology. Policy makers asking, what are our intelligence agencies collecting? Really, if you are wondering I would just call Edward Snowden, he seems to have the answer to that one. Policy makers (disconnected, need to spend a great deal of time determining what types of data to collect) -- yeah, go to school, get a PhD, spend the time.
Hammer and nail? Won't justify this one. Also Australia vs Indonesia, quick distraction from NSA. Americans amazed at capabilities? Sure, were you amazed?
No back door in US cloud provider, not needed, can read before it gets to cloud - broken encryption, sorry, I am a tech. Asian backdoor, really? China? Surprise!!! EU data localization "economic considerations" will cost $$ to set up, sure, cheaper to use in-place cloud infrastructure - hmm, sure has nothing to do with leaked phone conversations between EU leaders? Worse, if you (EU) think passing a LAW requiring data localization stops the NSA from getting into those databases, think AGAIN, is that a threat? We will get you? (to me, implied)
Come on, use our cloud, it makes it easier on us???? (to spy). US companies should be more positioned against their competitors getting in, which security-wise would include just about everyone you don't want to see your data... Economy costs - hundreds of billions of dollars. Point to a program that hasn't cost hundreds of billions and has saved $100.00 (one hundred dollars and 00 cents). Appoint strong independent advisory, cool, some of my friends will have high-level jobs. Can't wait to see that. NSA may have paid RSA? HUH, MAY? Unofficial RSA Conference opener speaking.. At long last Govt out of our FFING encryption standards, really, that's all? What about everything else they are doing? Frankly encryption is the least of my worries, are they really so out of touch?????
Sorry for the RANT, ALL MY 2 cents, I am now officially broke, and probably arrested. As far as Edward Snowden, HE broke the LAW. He ruined his life, credibility, employability, security, freedoms, for what, to let someone who did not take this for 'granted' know what is going on. I have dealt with corp security for quite a while. If you protect from other corps, imagine how much harder it is to protect from Govt. or from terrorist orgs. I hear "So what, I have nothing to hide", sure, but now do you think I want to take you into my confidence? One thing we should be trying to build - "trust" - not only with the American public, but with the rest of the world. There is big brother, then to the rest of the world there is BIG BROTHER. Whew.