The U.S. Surveillance State Part 1: Early Answers in Washington DC – Guest Contribution by Jim Farmer

(This is the first of three Guest Contributions by US-based Jim Farmer [biography, email jfx "AT" immagic "DOT" com]. Jim has contributed occasionally to Fortnightly Mailing over the years.)

Several months after (NSA) documents were revealed by , the impact on higher education remains unclear. Some differences between the explanations from the intelligence establishment and observations from the Washington “think tank” writers and scholars are emerging.

On Friday, 6 September 2013 Guardian reporter James Ball and cryptology expert Bruce Schneier answered reader questions. Three questions are key to better understanding the extent of the public awareness of the intelligence community’s practices, and its likely impact.

Here the responses of are compared to those of the intelligence establishment and “think tank” scholars in recent Washington DC presentations. All presentations were scheduled before and held after ’s 5 June report about NSA’s collection of phone records. The answers provide some insight into the U.S. government’s position.

The questions and answers

Question 1. Reader SteppenHerring asked:

How hard do you think it will be to get people to take security seriously when people are willing to type so much personal data into Facebook/Google+ etc?

The Guardian’s James Ball answers:

I think we need more awareness of privacy and security generally, and I think as generations grow up net-native (as today’s teens are), that’s taking care of itself. I don’t think people who volunteer information to a strictly-controlled network on Facebook (or webmail, etc) are automatically willing to share that same information with their governments. That’s a large part of what the whole privacy and security debate the NSA files are fuelling is about, I think.

In Washington:

From fm.schmoller.net/2013/10/the-us-surveillance-state-part-1.html 16 October 2013

Robert C. Litt, General Counsel of the U.S. Office of the Director of National Intelligence (DNI), posed the same question in his presentation at the Brookings Institution on 19 July. His answer:

And this leads me to what I consider to be the key question. Why is it that people are willing to expose large quantities of information to private parties, but don’t want the government to have that same information? Why, for example, don’t we care very much if the telephone company keeps records of all of our phone calls, but we feel very differently about the prospect of the same information going to NSA?

This actually is not a very difficult question to answer. We care because of what the government could do with the information. Unlike a phone company, the government has the power to audit our tax returns, to prosecute and imprison us, to grant or deny licenses to do business, and many other things. And so, there’s an entirely understandable concern that the government might abuse this power.

I don’t mean to say that private companies don’t also have a lot of power over us. Indeed, the growth of corporate privacy policies and the strong public reaction to the inadvertent release or commercial use of personal information by those companies reinforces my belief that our primary privacy concern today is less with who has information than what they can and do with it. But there is no question that the government, because of its powers, is properly viewed in a different light.

A transcript of Litt’s full presentation is available here [PDF immagic.com/eLibrary/ARCHIVES/GENERAL/BROOK_US/B130719L.pdf].

It is surprising that Litt would suggest a citizen’s view of their data on social network sites was different from government intercept practices. This view contradicts other government statements. Litt’s reason for the difference was rarely included in subsequent press reports.

Sceptical questions from the audience suggest the government’s legal interpretation was not judged to be credible by this Washington-based audience.

Question 2. Reader dellcam asked:

Your article states: “$250m-a-year US program works covertly with tech companies to insert weaknesses into products.” I don't see tech industry and their lobbyists rallying to put a stop to this. Won't this revelation -- that the US government is undermining the quality of their products damaging their reputation with consumers -- as well as affect the ability of the US tech industry to export their products around the world?

The Guardian’s James Ball:

I think this is a serious risk of what the NSA has been doing: if I ran a US security company, I’d be concerned about my reputation (maybe deservedly so, though) – and I’m sure overseas competition will be stressing their ability to refuse US government requests in their advertising (though maybe their own government have similar programs).

That does seem to have been a concern of the NSA and GCHQ. I find that quite telling: if companies are just doing what the government requires, and no more, why such a need for secrecy around it? Why can’t they level? I think the efforts some of the silicon valley firms seem to be making are a good start – though what seems to be happening with Lavabit (a secure email company that shut down) are concerning.

Finally: this could be a boost to the free software / open source movement, too. That would be no bad thing.

In Washington:

Broadening the question to include cloud computing, David Castro, Senior Analyst, Information Technology and Innovation Foundation (sponsored in part by the technology industry), led a panel discussion of this question on 24 July. He summarized [PDF www2.itif.org/2013-cloud-computing-costs.pdf] the panel discussion thus:

The recent revelations about the extent to which the National Security Agency (NSA) and other U.S. law enforcement and national security agencies have used provisions in the Foreign Intelligence Surveillance Act (FISA) and USA PATRIOT Act to obtain electronic data from third parties will likely have an immediate and lasting impact on the competitiveness of the U.S. cloud computing industry if foreign customers decide the risks of storing data with a U.S. company outweigh the benefits.

Castro then estimates:

Thus we might reasonably conclude that given current conditions U.S. cloud service providers stand to lose somewhere between 10 and 20 percent of the foreign market in the next few years.

Using Castro’s 20%, the U.S. cloud computing industry stands to lose $22 to $35 billion over the next three years.

Castro’s estimates were widely reported in the technology press. Because of the close relationship between NSA and GCHQ (UK Government Communications Headquarters), this will likely also affect British suppliers.

Forrester analyst James Staten wrote that Castro should also have included U.S. customers that would bypass U.S. cloud providers for their international and overseas business, and that non-U.S. cloud providers will lose as much as 20% because of other governments taking similar actions.

Add it all up and you have a net loss for the service provider space of about $180 billion by 2016 which would be roughly a 25% decline in the overall IT services market by that final year, using Forrester market estimates. All from the unveiling of a single kangaroo-court action called PRISM. (The PRISM program collects stored Internet communications based on demands made to Internet companies such as Google Inc. Currently a request for PRISM data does not require court approval; the decision is made by an NSA analyst.)

This is certainly a scary picture even if business takes some action to ameliorate their losses.

Separately the Cloud Security Alliance’s July survey - before the compromised hardware and software revelations - reported 10% of non-US residents responding had cancelled a project to use US-based cloud providers and 56% are less likely to use US-based cloud providers. 36% of US residents responding said the Snowden incident made it more difficult for their company to conduct business outside the US. 86% of the respondents believe the US’s Patriot Act should be repealed or modified to tighten oversight and to provide greater transparency.

The world market for routers and switches is estimated to be US$ 81.4 billion in 2015. Using Castro’s 20%, this means a US$ 16.2 billion decrease in the market for U.S. firms. The European market is 31.7% of the world market (that is, say, US$ 26 billion). Thus the increased sales from the U.S. market loss might be as much as US$ 5.1 billion for European countries.

The revelation that NSA is building or paying for compromised hardware and software designs was reported in The Guardian on 5 September. In a Wired Magazine interview on 7 September David Castro said:

This just further erodes the competitiveness of U.S. tech companies. In particular, I think this enlarges the scope of companies that will suffer backlash since cryptographic standards are often embedded in hardware.

So the answer to dellcam’s question is yes, there will be a major, and growing, economic impact of the NSA revelations on the market for U.S. Internet software and hardware, with a similar gain for China, Russia and the EU. But US law prevents the manufacturers from admitting or denying their collaboration.

The Guardian’s cryptography expert Bruce Schneier also said: “Finally: this could be a boost to the free software / open source movement, too.” This could sharply increase the use of open source software, often from universities, because it can be fully inspected and rigorously tested.

Question 3. Reader geoffk asked:

Could the spooks sell the information or keys when they retire?... Would it be impossible?

The Guardian’s James Ball:

If the NSA’s internal security was perfect, Edward Snowden would never have been able to leak. We’re essentially lucky he chose to release to the press – and it’s worth remembering he asked for responsible, measured publication, not mass-release – rather than simply sell it to hackers or criminals.

If someone in a similar position to Snowden decided to just take what they could and sell it to a foreign government, or criminal gang, would we ever know? It seems unlikely we’d be told. And given the NSA has repeatedly said they don’t know which documents Snowden accessed, maybe they wouldn’t know either.

That’s an important, additional, reason to be very concerned about the scope of NSA surveillance and activities, in my view – whatever your take on the need/legitimacy of mass-surveillance in general.

In Washington:

Here I draw on an Information Technology and Innovation Foundation panel that I attended on “Viral Hate: Containing Its Spread on the Internet”, at which the following people spoke: Adam Thierer, George Mason University; Leslie Harris, Center for Democracy and Technology; Daniel Castro, Information Technology and Innovation Foundation; Christopher Wolf, Hogan Lovells LLP. (Wolf is the author, with Abe Foxman, of the Anti-Defamation League’s “Viral Hate: Containing Its Spread on the Internet”.) They concluded that the Internet is on the path to balkanization as a network of national networks. Censoring by all nations is expected, following local standards for content. Economic espionage will increase from both government and private sectors.

The “market price” for NSA keys to access computers, routers, and switches could be very high, but there is no evidence, and likely would be no evidence if these were compromised, since neither the perpetrators nor NSA would want the public to know. An Atlantic Council 24 June presentation on the Chinese Cyber Challenge identified several organizations that do “hacking for hire”, creating high value intercepts. Citing an example, one panellist said knowing the bid of a competitor for a large procurement or project could be worth millions of pounds.

The experts on cyber warfare at the Atlantic Council panel discussion I attended expect further growth of “hackers for hire” because of the economic incentives. (My requests for an opportunity to review the recording of the discussion were denied: “this event was off-the-record, so we do not have any audio or video recordings”. All Internet references to the meeting now are “not found.” No reason was given.)

The Atlantic Council panellists also made these observations:

· The technology to monitor the content of the Internet (deep packet inspection) is available, can be and is being deployed nationally, and will be universally deployed before long.

· Cyber warfare will be unannounced and continuous as an instrument of national policy.

· Cyber espionage will be directed at economic targets with U.S. intellectual property endangered, not foreign intelligence.

Thus, based on the cited presentations and others, the intelligence establishment’s talking points are:

· The activities of NSA comply with U.S. law.

· U.S. citizens’ privacy is fully protected by the oversight of the Federal Intelligence Surveillance Court (FISC) and the Congress.

· The surveillance effort (and its expansion) has been and now is vital to protect U.S. citizens from terrorists.

Think-tank scholars, however, are beginning to identify the “costs” of the surveillance state to foreign relations, U.S. businesses, the Internet itself, and citizen privacy.

The impact on colleges and universities will depend upon how the US and UK governments react to current and future revelations. Transnational cooperation will become more difficult as communications are even more closely monitored by all nations. Topics for discussion will have to be constrained to avoid either party becoming, potentially, a “person of interest” subject to further analysis. Censorship may become ubiquitous as now commercially available Internet monitoring equipment is viable and can be implemented by any nation - Syria and Pakistan are examples. Internet governance likely will change with balkanization. This new global environment is inconsistent with the typically open principles and practices of higher education and the research and scholarly communities more generally.

My next Guest Contribution will cover these issues in more detail.

Posted on 16/10/2013 in Guest contribution, Jim Farmer
