I’m in San Francisco this week to attend the RSA security conference, and to cover the Cloud Security Alliance summit for security professionals. The CSA is a terrific organization, a non-profit founded with the purpose of promoting best security practices for cloud computing. I’ve watched this summit grow over the years commensurate with the increase in visibility of cloud security concerns, and once again attendees filled up the largest venue yet.
The opening keynote speaker was Richard A. Clarke, chairman and CEO of Good Harbor and former advisor to several presidents on counter-terrorism subjects. His keynote was based on his tenure last fall on the highly select Review Group on Intelligence and Communications Technology requested by President Obama in the wake of the Snowden revelations. (There were only five men in this group.) Given carte blanche intelligence clearance to every program, this group issued a 300-page unclassified report*, with 46 recommendations on intelligence collection, specifically how the United States should improve privacy and civil liberties while continuing to protect national security. Clarke’s short but very interesting keynote focused on his takeaways and his top 10 observations in the 46 recommendations.
His big-picture takeaway was that “In terms of collecting intelligence, (the NSA and other intelligence agencies) are very good – far better than you can imagine. But they have created the potential for a police surveillance state.” As a result, the task of controlling them is more urgent than it ever was. The group found that the intelligence agencies were full of very talented individuals dedicated to the protection of the United States and its allies. What they did not find “was a bunch of people randomly (reading) your emails.” But the potential is there.
Here are 10 key observations from a Washington veteran who had the opportunity to see everything under the intelligence kimono.
- There is a complete disconnect between the policy makers who want the information, and the people who are collecting it. “The collectors were doing exactly what they thought they should be doing; if they could collect it, they did collect it within the law (which is pretty broad).” If the policy makers didn’t specify how (and how not) to collect the information they wanted, agencies would use every means at their disposal. The disconnect has now been fixed, but senior policy makers must now spend a great deal of time being very specific about what intelligence they want and need…and what they don’t. The new mantra from the President is, “Just because we can collect it, doesn’t mean we should collect it.”
- As good as NSA was on collecting external intelligence, it was abysmally, almost criminally poor, on the internal security of its own network. It was based on a perimeter security concept with little internal oversight.
- As a result of the NSA revelations, US companies are losing market share, particularly in Europe.
- One of the reasons for this loss of market share is that non-US companies, particularly Asian companies, are using the NSA revelations as a marketing tool to say that US products are untrustworthy because they’re bugged by the NSA. Clarke said “The hilarious part is that they’re not. But the products you can get from certain Asian manufacturers are.”
- The push for data localization was and is driven by economic considerations, because localization laws boost local companies over international competitors, not by security or privacy. Treating data localization as a privacy measure doesn’t make sense. “The idea that data localization will somehow make you immune to NSA or other countries’ intelligence collection is laughable. I don’t think I’m revealing any secrets when I say that NSA, or any other world class intelligence agency, can hack into databases even if they’re not in the United States. And if you think a data localization law in a foreign country stops the NSA from getting into those databases, think again.”
- The real solution for privacy isn’t data localization; the real solution is to secure the data in the cloud. Where the server sits is unimportant.
- And to secure your data effectively, you need to encrypt it at rest, in transit, and in use. That means the encryption standards themselves have to be trustworthy. “The US government has to get out of the business – if it ever were in the business – of f*cking around with encryption standards.” He says the encryption scandal was greatly exaggerated. He can’t say exactly, but “if you read our report you’ll get an idea.”
- When it discovers a vulnerability, the US government needs, as a general matter of policy, to tell everyone right away – all the time. 99 percent of the time, the role of government should be to protect. When everything it takes for our country to work is as vulnerable as it is, “It is more important that we defend ourselves against the ongoing Chinese assaults on our intellectual property and from the ongoing cybercriminal assault – which costs us hundreds of billions of dollars a year – than to say ‘Oh, we can use that (vulnerability) too.’”
- There’s a little group called the “P club”, a little organization hidden away in the government with little authorization and a narrow mission: the privacy and civil liberties oversight board. This needs to be a very strong and independent organization with the authority to see everything. The “P club” as constituted today cannot do that.
- These are not just American concerns. We’re just the best at it, by far. We need international standards so everyone (including “the hypocrites around the world who criticize the United States while doing the same thing”) can have a dialog about international norms of what is appropriate and what is not (for example, not attacking each other’s financial systems).
In summary, Clarke said that if you’re worried about nations getting nuclear weapons, or chemical weapons, you want NSA. Syrian chemical weapons were discovered thanks to NSA. He has no proof – but no doubt – it was because of NSA that the top Mexican drug cartel kingpin was recently caught.
The reason that other countries are secure is because of US intelligence and NSA. He strongly believes that, despite the hoopla, NSA has been a force for good.
But after a 9/11-type incident, it could cease to be a force for good, because in times of crisis people are willing to trade rights for security. If we have another 9/11, it’ll be hard to stop people from throwing out the Bill of Rights. Therefore, we need to put roadblocks in the way now, before there’s another crisis, so we can at least slow down the loss of privacy. Once you give away rights, you can’t get them back.
* There is no classified report.
ROBERT STEELE: All worthwhile, but there is nothing new here, and a number of important points are neglected.
01 Winn Schwartau, Peter Black, I, and others, tried very hard in 1990-1994 to get the US Government to acknowledge that cyber-security was a major area of concern. I wrote the letter to the White House in 1994 sounding the alarm and I was ignored. The fact is that the US Government is corrupt and its ability to detect “signals” stinks. Washington runs on who pays to be heard, not on what it needs to know. Even the papers in the early 1990s by officers at the Air War College on the vulnerability of the financial, power, and other critical systems were ignored, as have been all the 1990s papers from the U.S. Army Strategic Studies Institute on desperately needed changes to how we train, equip, and organize our defense forces.
02 At the same time, from 1985-1994, a number of us were trying to increase the productivity of US Government personnel across a range of needs from an all-source analysis workstation to proper access to open sources of information. Again, we were ignored. Although I succeeded in getting some memos to Paul Strassmann (then Director of Defense Information), and Gordon Oehler did what he could with the CATALYST initiative, the fact is that the agency heads could have cared less about individual productivity. We appoint people who have been over-promoted for risk avoidance, who sacrifice their integrity to keep the money moving, and who are largely devoid of imagination with respect to serving the public that pays taxes, instead serving the people who loot the public treasury with the active complicity of a very corrupt US Congress.
03 At the same time, in the late 1990s, NSA was charged with doing everything possible to assure the security of private sector communications and computing. NSA chose to ignore this presidential directive, and instead set about deliberately sabotaging all forms of digital privacy. I addressed this in my first book and many others have sought to sound the alarm on the malfeasance and dereliction of duty at NSA, to no avail. The US Government, as it is now constituted, listens only to those who incentivize our officials for their attention and their vote. Absent a massive public uprising, the US Government will continue to be ignorant and unethical in how it attends to the people’s business.
04 Clarke touched on the disconnect between the collectors and the policymakers but he fails to mention that we do not process what we collect with technical means at very great expense; and at the same time we access and leverage less than 2% of the human sources we should be accessing and exploiting; we have mediocre analysts with limited cultural, historical, linguistic, and subject matter expertise; and — as Paul Pillar and others have documented — no one in a policy or political job actually cares about evidence-based decision-support. They make decisions on the basis of who pays for the decision, not what the public needs. On its best day, the US Government is operating on the basis of less than 2% of the relevant multi-lingual multi-media information available to it.
05 At a higher moral and intellectual level, Clarke avoids the fact that the rest of the world considers the USA the greatest threat to peace and prosperity. The US Government persists in being oblivious to the legitimate grievances of both its own citizens and those of other countries. Until we know ourselves and know others, we will continue to fail in our duty to the public.
People like Clarke — and Brent Scowcroft and Colin Powell — are good people with the best of intentions who betrayed their Oath to defend the Constitution against all enemies, domestic and foreign, at the singular moments when they were in a position of power and able to make a difference. All three failed to confront Dick Cheney in the aftermath of 9/11. All three failed to blow the whistle, as they were uniquely capable of doing, on the 9/11 Commission cover-up. All three failed to confront Dick Cheney over the now documented 935 lies he led the telling of, lies that have cost us trillions of dollars and hundreds of thousands of dead and a total loss of what little good will we had left in the world.
Three things need to happen to turn the USA around and restore America the Beautiful:
01 Intelligence must be competent at ethical evidence-based decision-support starkly and immediately relevant to strategy, policy, acquisition, and operations. Chuck Hagel’s recent decisions are terrible — of course they are politically mandated but in fairness to Hagel, he has no one showing him how he can BOTH cut 30% of the budget over 4 years AND create a 450 ship Navy and long-haul Air Force and air-mobile Army AND keep Congress off his back. When it comes to intelligence with integrity, Hagel is holding an empty hand — he has no cards to play.
02 Intelligence needs to become a public good. The public needs to learn that it has the power to take down the two-party tyranny and demand electoral reform and restore public agency — public sovereignty — to the public. The people serving in Congress today are good people who once had the best of intentions but quickly lost their integrity and became — as most who preceded them became – obsessed with staying in power. The public is not well-served by Congress today, but that does not mean that in 2014 we cannot restore integrity to the Congress. All it takes is an engaged informed public — a public empowered by intelligence with integrity.
03 The public needs to move beyond the two-party tyranny. The sane Republicans and the sane Democrats need to come together with the Independents, Occupy, and the four small parties that are so very important to the resurrection of democracy in the USA (Libertarian, Green, Constitution, Reform) — we should also embrace and respect the emerging parties — Working Families, Whigs, and Justice. All of these groups need to demand an Electoral Reform Act. There is nothing wrong with America the Beautiful that cannot be fixed, and fixed quickly, by restoring the integrity of our electoral process. IMHO.
DefDog: The infamous ‘take down the Internet in 30 minutes’ hearing from 1998 — Tens of Billions Later, NSA and OMB Have Not Done Their Jobs, US Cyber is Wide Open and Unsafe at Any Speed + Meta-RECAP