Counter-terrorism expert lists 10 impacts of NSA on cloud security
Summary: Keep close eye on government, don't trade civil liberties for
greater security, Richard Clarke tells RSA audience
By John Fontana for Identity Matters | February 24, 2014
San Francisco - The NSA is so good at collecting intelligence that it has
the potential to create a police surveillance state that could never be shut
off, counter-terrorism expert Richard Clarke said during his keynote address
at the Cloud Security Alliance Summit taking place Monday at the RSA
"We are not there yet, but the technology is," said Clarke, the former
National Coordinator for Security, Infrastructure Protection, and
Counter-Terrorism for the United States and advisor to presidents dating
back to Ronald Reagan.
Since such technology is available around the world to many governments,
"the task of controlling them is more important than it has ever been,"
He concluded his talk by saying, "I believe we can have both security and
civil liberties, but we can only do that if we keep a very close eye on the
government and demand transparency and oversight and tell them we are not
willing to trade our civil liberties for greater security."
Clarke was one of five experts hand-picked by President Obama for The
President's Review Group on Intelligence. In December, the five publicly
released 46 recommendations to protect national security while respecting
privacy and civil liberties in a 304-page document entitled "Liberty and
Security in a Changing World." The report was produced in response to the
NSA surveillance and data mining program.
"We found at NSA -- and the FBI and CIA -- a group of incredibly talented
people, incredibly dedicated to protecting this country. We found people who
were working every day to find terrorists, to find people trafficking in
weapons of mass destruction, people engaged in nuclear proliferation, people
engaged in trafficking in humans, engaged in human rights violations, people
threatening the security of the United States and its allies," said Clarke.
"What did we not find? People regularly listening to your emails or your
phone calls. They are not doing that, but they could. And that brings me
back to the issue of control," said Clarke.
He then described 10 observations he made about the NSA controversy and how
it relates to cloud security.
1. There was a complete disconnect between the policy makers, with their
desire to collect information, and the people who were actually collecting it.
Clarke said, "the collectors were doing what they thought they should do -
if they could collect it, they did collect it." He said that translates to
senior policy makers having to be very specific on what they want and need,
and what they don't want us to collect. Obama's reaction, he said, was "just
because we can collect it doesn't mean we should."
2. As good as the NSA is on offense, it was abysmally poor, almost
criminally negligent, on the security of its own network. The lesson
there, Clarke said, is when you say you put perimeter-defense-as-a-model
behind you, that's good record, but implement it; add good internal security
3. As a result of these revelations, U.S. companies are losing market share
in Europe, the Middle East, and South America. "There are consequences for
mistakes in public policy."
4. One of the reasons for loss in U.S. market share is that non-U.S.
companies are using NSA revelations as a marketing tool. "There are
companies in Asia saying don't buy American products because they are bugged
by the NSA. The hilarious part of that is that they are not, but the ones
from certain Asian manufacturers are," Clarke said. His comments, however,
hit at one of the controversies brewing at this year's RSA Conference, the
accusations by some and the conference boycott by others who claim there was
a $10 million RSA/NSA deal to bug RSA's BSAFE encryption libraries.
5. Governments around the world, particularly in Europe, are using NSA
revelations to push the concept of localization of data.
6. The real solution to any fears about people hacking into databases,
hacking into the cloud, is not to play with the geo-location of the servers;
the real solution is to secure what is in the cloud, he said. "It does not
matter where the servers sit." Clarke said organizations should be
implementing the CSA guidelines. Clarke's observation was later disputed by
Udo Helmbrecht, executive director of the European Union Agency for Network
and Information Security (ENISA), who took the CSA stage after Clarke and
presented his own keynote focused on Europe.
7. To secure data effectively, you need to encrypt it in transit, in use and
at rest, and that means encryption standards have to be trustworthy. "One of
the 46 recommendations we made to the president, which has not yet been
adopted by the president, is the U.S. government has to get out of the
business, if it was ever in the business, of f*cking around with encryption
standards." (Clapping from the audience followed Clarke's frank statement).
"Like so much of the NSA scandal, the encryption story is greatly
exaggerated. Not much really happened, but enough happened to erode trust.
We need to rebuild that trust," said Clarke. "The only way to do that is to
have the U.S. government force by executive order, or force by public law,
to uphold encryption standards, to strengthen encryption standards and to
promote encryption - not the other way around."
8. The U.S. government needs to inform everyone right away as a general
matter of policy when it discovers or becomes aware of vulnerabilities that
can create a zero-day [exploit]. "It doesn't do that all the time," Clarke
9. If we are going to go ahead as a democracy with intelligence, we need a
strong and independent privacy and civil liberties oversight board, and it
has to have the right to see everything.
10. These issues are not just U.S. concerns. "The U.S. is not the only
country that does this; we are just the best - by far," Clarke said. What we
need are some international standards. "Let's say things like we as
governments agree that we will not attack the international financial
system. That is a good starting point," he said.