Counter-terrorism expert lists 10 impacts of NSA on cloud security

Summary: Keep close eye on government, don't trade civil liberties for greater security, Richard Clarke tells RSA audience

TOPICS: Cloud, Security

San Francisco - The NSA is so good at collecting intelligence that it has the potential to create a police surveillance state that could never be shut off, counter-terrorism expert Richard Clarke said during his keynote address at the Cloud Security Alliance Summit taking place Monday at the RSA Conference.

"We are not there yet, but the technology is," said Clarke, the former National Coordinator for Security, Infrastructure Protection, and Counter-Terrorism for the United States and advisor to presidents dating back to Ronald Reagan.

Since such technology is available around the world to many governments, "the task of controlling them is more important than it has ever been," Clarke said.

He concluded his talk by saying, "I believe we can have both security and civil liberties, but we can only do that if we keep a very close eye on the government and demand transparency and oversight and tell them we are not willing to trade our civil liberties for greater security."

Clarke was one of five experts hand-picked by President Obama for The President's Review Group on Intelligence. In December, the five publicly published 46 recommendations to protect national security while respecting privacy and civil liberties in a 304-page document entitled "Liberty and Security in a Changing World." The report was produced in response to the NSA surveillance and data mining program.

"We found at NSA – and the FBI and CIA – a group of incredibly talented people, incredibly dedicated to protecting this country. We found people who were working every day to find terrorists, to find people trafficking in weapons of mass destruction, people engaged in nuclear proliferation, people engaged in trafficking in humans, engaged in human rights violations, people threatening the security of the United States and its allies," said Clarke.

"What did we not find? People regularly listening to your emails or your phone calls. They are not doing that, but they could. And that brings me back to the issue of control," said Clarke.

He then described 10 observations he made about the NSA controversy and how it relates to cloud security.

1. There was a complete disconnect between the policy makers, with their desire to collect information, and the people who were actually collecting it. Clarke said, "the collectors were doing what they thought they should do - if they could collect it, they did collect it." He said that translates to senior policy makers having to be very specific on what they want and need, and what they don't want collected. Obama's reaction, he said, was "just because we can collect it doesn't mean we should."

2. For as good as NSA is on the offensive, it was abysmally poor, almost criminally negligent, on the security of its own network. The lesson there, Clarke said, is that when you say you have put perimeter-defense-as-a-model behind you, that's a good record, but implement it: add good internal security as well.

3. As a result of these revelations, U.S. companies are losing market share in Europe, the Middle East, and South America. "There are consequences for mistakes in public policy."

4. One of the reasons for loss in U.S. market share is that non-U.S. companies are using NSA revelations as a marketing tool. "There are companies in Asia saying don't buy American products because they are bugged by the NSA. The hilarious part of that is that they are not, but the ones from certain Asian manufacturers are," Clarke said. His comments, however, hit at one of the controversies brewing at this year's RSA Conference, the accusations by some and the conference boycott by others who claim there was a $10 million RSA/NSA deal to bug RSA's BSAFE encryption libraries.

5. Governments around the world, particularly in Europe, are using NSA revelations to push the concept of localization of data.

6. The real solution to any fears about people hacking into databases, hacking into the cloud, is not to play with the geo-location of the servers; the real solution is to secure what is in the cloud, he said. "It does not matter where the servers sit." Clarke said organizations should be implementing the CSA guidelines. Clarke's observation was later disputed by Udo Helmbrecht, executive director of the European Union Agency for Network and Information Security (ENISA), who took the CSA stage after Clarke and presented his own keynote focused on Europe.

7. To secure data effectively, you need to encrypt it in transit, in use and at rest, and that means encryption standards have to be trustworthy. "One of the 46 recommendations we made to the president, which has not yet been adopted by the president, is the U.S. government has to get out of the business, if it was ever in the business, of 'f*cking around with encryption standards.'" (Clapping from the audience followed Clarke's frank statement.) "Like so much of the NSA scandal, the encryption story is greatly exaggerated. Not much really happened, but enough happened to erode trust. We need to rebuild that trust," said Clarke. "The only way to do that is to have the U.S. government force by executive order, or force by public law, to uphold encryption standards, to strengthen encryption standards and to promote encryption - not the other way around."

8. The U.S. government needs to inform everyone right away as a general matter of policy when it discovers or becomes aware of vulnerabilities that can create a zero-day [exploit]. "It doesn't do that all the time," Clarke said.

9. If we are going to go ahead as a democracy with intelligence, we need a strong and independent privacy and civil liberties oversight board, and it has to have the right to see everything.

10. These issues are not just U.S. concerns. "The U.S. is not the only country that does this; we are just the best - by far," Clarke said. What we need are some international standards. "Let's say things like we as governments agree that we will not attack the international financial system. That is a good starting point," he said.


John Fontana is a journalist focusing on authentication, identity, privacy and security issues. Currently, he is the Identity Evangelist for strong authentication vendor Yubico, where he also blogs about industry issues and standards work, including the FIDO Alliance.



  • No to cloud, yes to common sense

    Nobody should be using cloud services when hard drives are so cheap.

    Who in their right mind trusts Google Drive with data when everybody knows the NSA and Google are the same thing? It is crazy, and crazy will get what crazy does.
  • In a perfect world, what the NSA is doing would be a good thing.

    As mentioned in the article, the law enforcement side of all this data collection has noble intentions. I believe that. They want to do good, they believe they are doing good, and they are doing what is being asked of them very well. The problem is they work for politicians, or political appointees.

    It's relevant that the president, the person that asked this group for their opinion, has decided to ignore everything they have recommended. It's relevant that many members of Congress that voted for the Patriot Act are saying in the media they are outraged by all this data collection, even though the Patriot Act could REALLY be called the Data Collection Act. It's relevant that the head of the NSA lied to Congress, under oath, that NSA was not collecting data about domestic email.

    So the president, members of Congress, and Mr. Holder, head of NSA, have lied about what NSA actually does. Why wouldn't that bother me?

    Look, I don't care so much that the government tracks where I am, who I've talked to, and what was said. I have a job. I'm not running whores or trafficking heroin, nor am I an International Supercriminal. I don't have time. I have to go to work. So go ahead, track me. Read my email. As I have always believed, if I want to say something personal and private to someone, I'll do it in person privately.

    But don't track me and tell me you're not. I didn't trust you to begin with. A politician would pick a dead puppy up from the street if a TV camera was there, to show how much he cares about puppies. But the moment the camera is off, he'd throw the puppy back on the street, get in his limo, and race to the next photo op. These are the people that are in charge of all this surveillance. That's my problem.

    I'd like to think that in this great nation in 2016 we can find eight honest, honorable and smart people. Four Democrats, four Republicans. Whatever. We need someone smart AND honest in the White House. Eight years of Obama, after eight years of Bush, have degraded the standing of the United States for the rest of the world. We are no longer the moral voice we once were. After 16 years of Washington lying to everyone constantly, about every little thing, why would another government take our counsel? They lie to me. The United States would apparently lie to anyone.

    I'd like to see someone honorable hold the office of President of the United States.

    I won't hold my breath. And I'm not sure it will ever happen again.
    • A Correction.

      Eric Holder is the Attorney General, not head of NSA. In fact it was James Clapper, Director of National Intelligence, that lied to Congress under oath. My bad.
  • Another ominous cloud

    The laws of physics & divine nature are also at work against foul play by governmental authority. See my report on this subject and on the immoral efforts to reduce mankind to a fearful, trembling species: