The revelations late last year on the extent to which the National Security Agency (NSA) has encroached upon both corporate and citizens’ information have rapidly had an impact on everything from lost (and massive) technology deals with foreign customers to common information security (InfoSec) practices in the enterprise. This morning, President Obama addressed the media and the nation in a speech about the NSA program that gathers the private phone records of billions of Americans. Saying that he had not seen any indication of abuses of the program, he admitted that he recognized the potential for abuse and is requesting reforms to address these concerns. The president announced the call for a “new approach” to phone-records collection, saying also that he is “ordering a transition that will end the…bulk metadata program as it currently exists” and establish a new mechanism that equips the NSA with the intelligence capabilities they need without the requirement to store what might be called “big metadata.” “This will not be simple,” President Obama noted, and said that a decision will need to be made on which entity will store the data and under which conditions the database can be queried. These are meaningful promises about important first steps that should be taken.
The Intelligence Agency and the Private-Sector Giants
The NSA has been far from alone in its secret infiltration, of course. Intelligence agencies in other countries and giant corporations such as Google and Facebook have been collecting the same—and increasingly more—types of data from the public for years with only minimal attempts at notification and consent. Today, based on the metadata collected to date, the NSA, Google, and Facebook can all determine with whom you associate and who your friends are. Given Google’s recent acquisition of home thermostat maker Nest Labs, Google may soon be able to determine which room of my home I’m currently occupying and whether I’m home or not.
As a society, we’re uncomfortable with these other large organizations having access to this information, and there seems no reason to be more comfortable with the NSA having access to it. Large corporations, after all, are accountable to stockholders and are subject to lawsuits, while the NSA is mostly invisible and has little public accountability.
The president promised some new controls on NSA collection practices today. However, when the specter of terrorism can rightly be invoked to justify much of what is done within intelligence agencies, we must ask, how likely is it that the NSA will dramatically improve the way it collects and handles data?
Truth be told, if more of the public were aware that any other government collected this type of data on American citizens, it would be considered the biggest data breach in history. From a security and privacy perspective, that's exactly what these NSA programs are—breaches. They circumvent the security systems designed to keep the data private and exfiltrate the data from its original location to an NSA-controlled site.
The Questions I'd Still Like to See Answered
I’m looking for three things in particular from the president following this address—orders or policies that could go a long way toward alleviating these concerns.
No. 1 - Who will have access to the data? It's very difficult to limit access to big data. Anyone asking a valid question of the data needs access to all the data, and that means that the NSA’s data scientists need to be highly vetted and monitored carefully to make sure they don’t abuse their position of privilege. In an ideal world, the president would solve all the issues around access by denying any access to the data without a warrant specifying exactly what the user is allowed to look for, and how they will use the data.
Failing that, I’d hope for more rigorous access controls in which only a few selected individuals have the ability to work with the data, and only under the appropriate oversight. We’ve already seen problems with Google, where employees of that company abused their access to the company’s data stores for personal purposes; we need to avoid that with this data.
No. 2 - How is the data secured? Big data is notoriously difficult to protect—it takes a lot of computing infrastructure to store and work with, and that means a bigger network perimeter to protect. And let’s not forget that simply by storing all this data in one location the NSA has just opened a hugely valuable new target for true black-hat attackers. Imagine what would happen if a team of thieves knew who your friends were and how often you spoke. You could become the target of some incredibly sophisticated phishing attacks. An executive order to take the data offline, so that it could only be accessed in person, or to anonymize it, so that anyone breaching the NSA’s security would only get limited information, would provide a very welcome level of protection.
No. 3 - How long can the NSA retain the data? Can they keep it 30 days? Six months? Indefinitely? The idea that our actions persist for years and years, perhaps decades, in electronic format is a frightening one. Shouldn’t there be a “statute of limitations” on your phone calls and email communications? We’d like to see orders limiting the lifespan of the data retention to a relatively short period.
As citizens, we need the protection from terrorism that intelligence agencies can give us. But we also need to ensure that our rights are being protected just as stringently. We must balance the good that examining this data can do against the dangers that access to it presents (attack or opportunities for abuse). In the IT industry, the concepts outlined above are well-understood and accepted. All security professionals, for instance, understand that they need to secure access to their data, protect it against intrusion, and limit its lifespan, in order to reduce the risk of abuse or outside attack. The current administration and Congress should take this opportunity to make a significant difference in how we as a society view these programs and the data they collect.
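To make the three controls above concrete, here is an added example (it is not from the original post and describes no real NSA system) of a toy call-metadata store that enforces them: every query must cite a warrant naming one analyst, one subject and one time window, and every attempt is logged; phone numbers are replaced at ingest by keyed-hash pseudonyms so that a stolen copy of the store without the separately held key reveals only limited information; and records older than a fixed retention window are purged. The key, the 30-day window, the phone numbers, the analyst and warrant names, and the timestamp are all constructed for illustration.

```python
"""Added example, not code from the original post: warrant-scoped access,
keyed pseudonymization and a retention window over constructed call records."""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List

RETENTION = timedelta(days=30)          # assumed window, not a real policy figure
DEMO_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed clock value


class Pseudonymizer:
    """Holds the secret key that turns phone numbers into keyed-hash tags.
    The key stays on the ingest side; the store never sees raw numbers, and an
    unkeyed hash would be brute-forceable over the small space of phone numbers."""

    def __init__(self, key: bytes):
        self._key = key

    def tag(self, phone_number: str) -> str:
        return hmac.new(self._key, phone_number.encode(), hashlib.sha256).hexdigest()[:16]


@dataclass(frozen=True)
class CallRecord:
    caller: str          # pseudonym, never the raw number
    callee: str
    started: datetime
    seconds: int


@dataclass(frozen=True)
class Warrant:
    warrant_id: str
    analyst: str         # the one person permitted to query under this warrant
    subject: str         # pseudonym of the subscriber the warrant covers
    window_start: datetime
    window_end: datetime


class MetadataStore:
    def __init__(self):
        self._records: List[CallRecord] = []
        self.audit_log: List[str] = []

    def ingest(self, rec: CallRecord) -> None:
        self._records.append(rec)

    def purge_expired(self, now: datetime) -> int:
        """Drop records older than RETENTION; returns how many were removed."""
        cutoff = now - RETENTION
        kept = [r for r in self._records if r.started >= cutoff]
        removed = len(self._records) - len(kept)
        self._records = kept
        self.audit_log.append(f"PURGE removed={removed} cutoff={cutoff.isoformat()}")
        return removed

    def query(self, warrant: Warrant, analyst: str) -> List[CallRecord]:
        """Access is limited to the analyst, subject and window the warrant names;
        denied and allowed attempts are both written to the audit log."""
        if analyst != warrant.analyst:
            self.audit_log.append(f"DENIED analyst={analyst} warrant={warrant.warrant_id}")
            raise PermissionError(f"{analyst} is not authorised under {warrant.warrant_id}")
        hits = [
            r for r in self._records
            if warrant.subject in (r.caller, r.callee)
            and warrant.window_start <= r.started <= warrant.window_end
        ]
        self.audit_log.append(
            f"ALLOWED analyst={analyst} warrant={warrant.warrant_id} rows={len(hits)}")
        return hits


def demo(now: datetime):
    """Constructed sample data exercising all three controls."""
    pz = Pseudonymizer(b"constructed-demo-key")
    store = MetadataStore()
    for caller, callee, age_days, secs in [
        ("+15550100", "+15550101", 3, 120),
        ("+15550100", "+15550102", 45, 60),     # older than RETENTION, will be purged
        ("+15550103", "+15550104", 1, 30),      # not the warrant's subject
    ]:
        store.ingest(CallRecord(pz.tag(caller), pz.tag(callee),
                                now - timedelta(days=age_days), secs))
    purged = store.purge_expired(now)
    warrant = Warrant("W-0001", "analyst-7", pz.tag("+15550100"),
                      now - timedelta(days=10), now)
    rows = store.query(warrant, "analyst-7")
    return purged, rows, store, warrant


if __name__ == "__main__":
    purged, rows, store, warrant = demo(DEMO_NOW)
    print("purged:", purged, "rows returned:", len(rows))
    print("\n".join(store.audit_log))
```

Running it purges the 45-day-old record, returns the single in-window call involving the warrant's subject, and refuses a query from any analyst the warrant does not name, leaving a log line for each event. The pseudonym on its own tells a thief that two tags called each other, but not whose numbers they are, which is the "limited information" outcome the second point above asks for.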
Have questions of your own? Opinions? I welcome discussion in the Comments section below.