Wednesday, February 26, 2014

Counter-terrorism expert lists 10 impacts of NSA on cloud security


Counter-terrorism expert lists 10 impacts of NSA on cloud security


Summary: Keep close eye on government, don't trade civil liberties for

greater security, Richard Clarke tells RSA audience

John Fontana


By John Fontana for Identity Matters | February 24, 2014


San Francisco - The NSA is so good at collecting intelligence that it has

the potential to create a police surveillance state that could never be shut

off, counter-terrorism expert Richard Clarke said during his keynote address

at the Cloud Security Alliance Summit taking place Monday at the RSA



"We are not there yet, but the technology is," said Clarke, the former

National Coordinator for Security, Infrastructure Protection, and

Counter-Terrorism for the United States and advisor to presidents dating

back to Ronald Reagan.


Since such technology is available around the world to many governments,

"the task of controlling them is more important than it has ever been,"

Clarke said.


He concluded his talk by saying, "I believe we can have both security and

civil liberties, but we can only do that if we keep a very close eye on the

government and demand transparency and oversight and tell them we are not

willing to trade our civil liberties for greater security."


Clarke was one of five experts hand-picked by President Obama for The

President's Review Group on Intelligence. In December, the five published

publicly 46 recommendations to protect national security while respecting

privacy and civil liberties in a 304-page document entitled "Liberty and

Security in a Changing World." The report was produced in response to the

NSA surveillance and data mining program.


"We found at NSA -- and the FBI and CIA - a group of incredibly talented

people, incredibly dedicated to protecting this country. We found people who

were working everyday to find terrorists, to find people trafficking in

weapons of mass destruction, people engaged in nuclear proliferation, people

engaged in trafficking in humans, engaged in human rights violations, people

threatening the security of the United States and its allies," said Clarke.


"What did we not find? People regularly listening to your emails or your

phone calls. They are not doing that, but they could. And that brings me

back to the issue of control," said Clarke.


He then described 10 observations he made about the NSA controversy and how

it relates to cloud security.


1. There was a complete disconnect from the policy makers and their desire

to collect information and the people who were actually collecting it.

Clarke said, "the collectors were doing what they thought they should do -

if they could collect it, they did collect it."  He said that translates to

senior policy makers having to be very specific on what they want and need,

and what they don't want us to collect. Obama's reaction, he said, was "just

because we can collect it doesn't mean we should."


2. For as good as NSA is on the offensive, it was abysmally poor, almost

criminally negligent poor, on the security of its own network.  The lesson

there, Clarke said, is when you say you put perimeter-defense-as-a-model

behind you, that's good record, but implement it; add good internal security

as well.


3. As a result of these revelations, U.S. companies are losing market share

in Europe, the Middle East, and South America. "There are consequences for

mistakes in public policy."


4. One of the reasons for loss in U.S. market share is that non-U.S.

companies are using NSA revelations as a marketing tool. "There are

companies in Asia saying don't buy American products because they are bugged

by the NSA. The hilarious part of that is that they are not, but the ones

from certain Asian manufacturers are," Clarke said. His comments, however,

hit at one of the controversies brewing at this year's RSA Conference, the

accusations by some and the conference boycott by others who claim there was

a $10 million RSA/NSA deal to bug RSA's BSAFE encryption libraries.


5. Governments around the world, particularly in Europe, are using NSA

revelations to push the concept of localization of data.


6. The real solution to any fears about people hacking into databases,

hacking into the cloud, is not to play with the geo-location of the servers;

the real solutions is to secure what is in the cloud, he said. "It does not

matter where the servers sit."  Clarke said organizations should be

implementing the CSA guidelines. Clarke's observation was later disputed by

Udo Helmbrecht, executive director of the European Union Agency for Network

and Information Security (ENISA), who took the CSA stage after Clarke and

presented his own keynote focused on Europe.


7. To secure data effectively, you need to encrypt it in transit, in use and

at rest, and that means encryption standards have to be trustworthy. "One of

the 46 recommendations we made to the president, which has not yet been

adopted by the president, is the U.S. government has to get out of the

business, if it was ever in the business, of "f*cking around with encryption

standards." (Clapping from the audience followed Clarke's frank statement).

"Like so much of the NSA scandal, the encryption story is greatly

exaggerated. Not much really happened, but enough happened to erode trust.

We need to rebuild that trust," said Clarke. "The only way to do that is to

have the U.S. government force by executive order, or force by public law,

to uphold encryption standards, to strengthen encryption standards and to

promote encryption - not the other way around."


8. The U.S. government needs to inform everyone right away as a general

matter of policy when it discovers or becomes aware of vulnerabilities that

can create a zero-day [exploit]. "It doesn't do that all the time," Clarke



9. If we are going to go ahead as a democracy with intelligence, we need a

strong and independent privacy and civil liberties oversight board, and it

has to have the right to see everything.


10. These issues are not just U.S. concerns. "The U.S. is not the only

country that does this; we are just the best - by far," Clarke said. What we

need are some international standards. "Let's say things like we as

governments agree that we will not attack the international financial

system.  That is a good starting point," he said.

No comments:

Post a Comment