CSA Summit 2014: NSA Surveillance a Precursor to Police State, Says Former US Cyber Czar

The Moscone Center in San Francisco: Site of today's CSA Summit at this week's RSA Conference

Richard Clarke recently served on President Obama’s Review Group on Intelligence and Communications Technologies, which issued a report in December 2013 containing 47 recommendations on how intelligence can be gathered to aid national security while at the same time promoting public trust and protecting privacy and civil liberties. As he recalled, the report’s intent was to consider what information the government was collecting, from whom, and whether it should be doing so.

The unclassified report is available on the White House website. “There is no classified report”, Clarke added; the group had required that as a condition for conducting the review. “If we were to establish trust in US intelligence gathering, we couldn’t have a redacted version.”

“The takeaway, in terms of collecting intelligence”, Clarke noted, “is that the NSA is very good – far better than you could ever imagine. But they have created, along with other government agencies, the potential for a police surveillance state.”

“The reason why our allies are as secure as they are today is because of US intelligence”, Clarke claimed. Thus far, he said, the NSA “has been a force for good”, but then detailed a transformational scenario. “It could become, perhaps after another 9/11, something that is not. If another 9/11 occurs, it will be hard to keep people from throwing out the Bill of Rights and ushering in the police surveillance state. So between now and whenever that may happen, we need to put roadblocks in the way that prevent it. Once you turn on the police intelligence state, you can never turn it off.”

The current chairman and CEO of Good Harbor Consulting was quick to point out that just because the technology and ability exist, it doesn’t mean that the NSA is subverting current law to gather intelligence data. “We did not find a bunch of people listening to your phone calls – but they could”, he told the audience today in San Francisco.

Clarke noted that one of the major problems with the NSA’s data collection efforts was a lack of specific guidance from policy makers. He said the review group found “there was a complete disconnect between policy makers' desire to collect information, and those who actually collect it.” The NSA followed the letter of the law, he concluded, but due to a lack of specific guidance it ended up collecting more data than it may have needed. “Policy makers”, he asserted, “need to be specific about what in intelligence they want and need, and what should be collected.”

Despite his praise for the NSA’s capabilities, Clarke criticized the agency’s internal network security as “abysmally poor, almost criminally negligent” – a not-so-subtle reference to third-party contractor Edward Snowden’s ability to make off with the trove of classified documents that became the nexus of the NSA controversy.

The former cyber czar also pointed out that Snowden’s disclosures not only embarrassed the NSA, but have also hurt the American economy. “As a result of these revelations, US companies are losing market share” – a tangible consequence of the government’s surveillance policies. “We don’t know yet fully the extent of the losses, but we know they are occurring…Some US corporations’ bottom lines are being hurt, especially in Europe.”

Non-US companies, Clarke maintained, are using the NSA controversy as a marketing tool, especially cloud providers based in Asia. The Europeans are also looking to capitalize on US misfortunes, using the issue to push for data localization efforts. New legal proposals from the EU would require that data be geographically housed in certain areas, he observed. “That was a previous agenda, and it was driven by economic considerations, but the idea that data localization will make you immune to the NSA or other countries’ intelligence is laughable. NSA or any other world-class intelligence agency can hack into any databases, even if they are not in the US.”

One key Snowden disclosure was the NSA’s alleged involvement in weakening industry encryption standards. Because these standards enjoy international acceptance, Clarke questioned the logic of the emerging data localization initiatives. “The real solution to any fears of people hacking into databases or the cloud is not to play with the geolocation of servers. The real solution is to secure what’s in the cloud.” In other words, Clarke recommended, deploy data encryption, because “it doesn’t matter in what country the server sits.”

“The encryption standards need to be trusted. The US government has to get out of the business of fucking around with encryption standards”, he declared, provoking spirited applause from the audience of information security professionals. “We need to rebuild the trust in encryption; we need to have the US government forced some way into ensuring this happens.”

Clarke concluded by calling on the US government to immediately disclose all previously unknown [zero-day] vulnerabilities, and to take steps to ensure robust oversight of the nation’s surveillance activities. “Ninety-nine percent of the time, the government’s role should first be to defend”, he said, adding that given the vulnerability of critical infrastructure in the US, the “government needs to tell people about [zero-days], and it needs to be a matter of public policy.”

As for oversight, Clarke advocated for the creation of a more effective apparatus to evaluate intelligence activities, including the power to subpoena for information and the ability to issue reports on a regular basis “so the public can be sure that there is someone there every day, accountable to the people, that is ensuring that our privacy rights and civil liberties are being maintained.”

The issue of government surveillance is not solely an American one, Clarke reminded the audience, “because the US isn’t the only country that does this type of intelligence. What we need are international standards, so other countries can be involved in a dialogue about what is and what is not appropriate behavior.”
