Only in San Francisco would Art Coviello end a keynote address to a security audience with those lyrics, which he called “the immortal words of Twisted Sister.” But the feeling of inspiration soon changed into questioning: Amidst information security’s gathering storm, how do we “fight” but still be “right” and “free”?
I found this question woven into the subtext of two RSA Conference presentations (so far) and then in some discussions over dinner last night. It started with calls for the U.S. National Security Agency (NSA) to be given more power to combat cybercrime.
First – Mike McConnell, a former Director of NSA, kicked off the Cloud Security Alliance (CSA) Summit by saying that the U.S. has the most to lose from cyber-attacks. At one end of the spectrum is the chilling possibility that fanatic cyberterrorists who can’t be attributed or deterred obtain military-grade cyber-weapons and launch an attack. At the other end of the spectrum is cyber-espionage “where our IP is being taken from us on a regular and consistent basis.”
McConnell said that “NSA is doing better at its mission than ever before.” The agency has a clear picture into global activity, except that “the U.S. is a black hole” because by law NSA can’t conduct warrantless electronic monitoring there. Thus, threat actors could cover their tracks by diverting communications through the U.S.
Second – in James Lewis’s panel on active defense – another former NSA director, Michael Hayden, said “My instinct is that the NSA represents too much capacity to be [on the bench]. I’m comfortable with a dialogue that says, how do we want to get this team on the field?”
But other voices counsel moderation. Lewis asked, “How did we get to the point that the best resources we have are in a top secret agency? It’s not too late to reverse course…”
Cut to dinnertime: I’m sitting next to Bob Blakley discussing the panel. We both agreed, by the way, on our respect for the integrity and skill of the people at the NSA.
But I noted my own confused frustration from time to time, that whereas some nations conduct industrial cyber-espionage as a matter of policy, the U.S. does not. Although many nations’ intelligence agencies spy on citizens or visitors if they sense a threat, the U.S. seems to be taking all the flak over the Patriot Act for putting it on the record. And yet former NSA directors are saying they don’t have enough authority. Haven’t NSA and other sponsors of the Patriot Act already gotten us into enough trouble with allies? Or is the U.S. too idealistic? Some countries would just spy away and cynically deny everything.
But Bob countered: “What I love about this country is its idealism. I don’t want to lose that. I want us to be right.”
It was one of those moments when the scales fall from your eyes. You see that when issues get confusing, one must return to one’s principles. I felt like we can’t just give lip service to “a balance of security and privacy” or something like that. We have to keep on being, in the words of Ronald Reagan, “a shining city upon a hill whose beacon light guides freedom-loving people everywhere.”
So what does that mean? Getting better at catching cybercriminals will require more electronic monitoring, no getting around that. But why can’t monitoring be done with appropriate levels of accountability, transparency, and oversight? No one has shown why due process won’t work if you think outside the box. For example, what if an electronic search warrant could be implemented for electronic searches with fast enough turnaround time but full accountability? What if Patriot Act 2.0 could say that foreign governments, in general, would get notified when their citizens’ data is acquired from a provider via blind administrative subpoena – provided, of course, that government offered reciprocity for us?
We have to “fight” cybercrime and cyber-espionage, but we still need to be “right.”