Counter-terrorism expert lists 10 impacts of NSA on cloud security

San Francisco - The NSA is so good at collecting intelligence that it has the potential to create a police surveillance state that could never be shut off, counter-terrorism expert Richard Clarke said during his keynote address at the Cloud Security Alliance Summit taking place Monday at the RSA Conference.

"We are not there yet, but the technology is," said Clarke, the former National Coordinator for Security, Infrastructure Protection, and Counter-Terrorism for the United States and advisor to presidents dating back to Ronald Reagan.

Since such technology is available around the world to many governments, "the task of controlling them is more important than it has ever been," Clarke said.

He concluded his talk by saying, "I believe we can have both security and civil liberties, but we can only do that if we keep a very close eye on the government and demand transparency and oversight and tell them we are not willing to trade our civil liberties for greater security."

Clarke was one of five experts hand-picked by President Obama for The President’s Review Group on Intelligence. In December, the five published publicly 46 recommendations to protect national security while respecting privacy and civil liberties in a 304-page document entitled "Liberty and Security in a Changing World." The report was produced in response to the NSA surveillance and data mining program.

"We found at NSA ­– and the FBI and CIA – a group of incredibly talented people, incredibly dedicated to protecting this country. We found people who were working everyday to find terrorists, to find people trafficking in weapons of mass destruction, people engaged in nuclear proliferation, people engaged in trafficking in humans, engaged in human rights violations, people threatening the security of the United States and its allies," said Clarke.

"What did we not find? People regularly listening to your emails or your phone calls. They are not doing that, but they could. And that brings me back to the issue of control," said Clarke.

He then described 10 observations he made about the NSA controversy and how it relates to cloud security.

1. There was a complete disconnect from the policy makers and their desire to collect information and the people who were actually collecting it.  Clarke said, "the collectors were doing what they thought they should do - if they could collect it, they did collect it."  He said that translates to senior policy makers having to be very specific on what they want and need, and what they don't want us to collect. Obama's reaction, he said, was "just because we can collect it doesn't mean we should."

2. For as good as NSA is on the offensive, it was abysmally poor, almost criminally negligent poor, on the security of its own network.  The lesson there, Clarke said, is when you say you put perimeter-defense-as-a-model behind you, that's good record, but implement it; add good internal security as well.

3. As a result of these revelations, U.S. companies are losing market share in Europe, the Middle East, and South America. "There are consequences for mistakes in public policy."

4. One of the reasons for loss in U.S. market share is that non-U.S. companies are using NSA revelations as a marketing tool. "There are companies in Asia saying don't buy American products because they are bugged by the NSA. The hilarious part of that is that they are not, but the ones from certain Asian manufacturers are," Clarke said. His comments, however, hit at one of the controversies brewing at this year's RSA Conference, the accusations by some and the conference boycott by others who claim there was a $10 million RSA/NSA deal to bug RSA's BSAFE encryption libraries.

5. Governments around the world, particularly in Europe, are using NSA revelations to push the concept of localization of data.

6. The real solution to any fears about people hacking into databases, hacking into the cloud, is not to play with the geo-location of the servers; the real solutions is to secure what is in the cloud, he said. "It does not matter where the servers sit."  Clarke said organizations should be implementing the CSA guidelines. Clarke's observation was later disputed by Udo Helmbrecht, executive director of the European Union Agency for Network and Information Security (ENISA), who took the CSA stage after Clarke and presented his own keynote focused on Europe.

7. To secure data effectively, you need to encrypt it in transit, in use and at rest, and that means encryption standards have to be trustworthy. "One of the 46 recommendations we made to the president, which has not yet been adopted by the president, is the U.S. government has to get out of the business, if it was ever in the business, of "f*cking around with encryption standards." (Clapping from the audience followed Clarke's frank statement). "Like so much of the NSA scandal, the encryption story is greatly exaggerated. Not much really happened, but enough happened to erode trust. We need to rebuild that trust," said Clarke. "The only way to do that is to have the U.S. government force by executive order, or force by public law, to uphold encryption standards, to strengthen encryption standards and to promote encryption - not the other way around."

8. The U.S. government needs to inform everyone right away as a general matter of policy when it discovers or becomes aware of vulnerabilities that can create a zero-day [exploit]. "It doesn't do that all the time," Clarke said.

9. If we are going to go ahead as a democracy with intelligence, we need a strong and independent privacy and civil liberties oversight board, and it has to have the right to see everything.

10. These issues are not just U.S. concerns. "The U.S. is not the only country that does this; we are just the best - by far," Clarke said. What we need are some international standards. "Let's say things like we as  governments agree that we will not attack the international financial system.  That is a good starting point," he said.