Home  |  Sarah  |  Services  |  Blog  Contact

Saturday, 20 Dec , 2014

Cyber Deterrent or Surveillance Overkill?

Share this article

Will means to enforce proportionality and oversight keep up with the govt vs tech battle over bulk data? The international information arms race is hotting up...

Govt Tech Fight

On 4th November 2014 our new GCHQ chief Robert Hannigan drew some aggressive battle lines for the fight against terrorism (both old fashioned and cyber).
The sides in this fight are not the forces of evil and the forces of good, but the government and tech companies. According to Hannigan;

Privacy has never been “an absolute right”

US tech companies are “the command and control networks of choice” for terrorists.

Tech companies are “in denial” about the way they enable terrorists to communicate and act.

There’s no denying;

  • Good encryption makes surveillance, for whatever purpose, hard
  • Precise, real-time filtering of bulk data to identify traffic relating to crime or criminals is subject to huge limitations and a substantial risk of false positives. Therefore our data will be held for later analysis.
  • Big players in the secret services need cross-border legislation as a mandate to start to tackle the bulk data access and analysis problems.
  • The media message is morphing from anti-pedophilia and anti-terrorism, to pro-business, but anti-tech (for tech read encryption).
  • Confidence in the oversight and controls in place appears very low.
  • Only secret service bosses know whether there are clear and present threats justifying the legislation and attendant media circus.

Perhaps there are not clear and present dangers. Perhaps this is about shifting public opinion to accept more data access for our own good. Predicated on the fact that some scruples and restraints are a luxury we can’t afford. After all, our international competitors and enemies may not exercise the control over personal freedom and privacy that campaigners see as an inalienable right.
It’s a big party. Folk from all over are joining in. The US battle is most visible, but similar things are happening in Australia and Sweden.
Stewart Baker (Former NSA general counsel) claimed that moves by Google, Apple and others to encrypt user data were more hostile to western intelligence gathering than to surveillance by China or Russia.

“The state department has funded some of these tools, such as Tor, which has been used in Arab Spring revolutions or to get past the Chinese firewall, but these crypto wars are mainly being fought between the American government and American companies,”

On the 3rd of November, at Standford University, Admiral Mike Rogers, NSA director and commander of US Cyber Command was banging the same drum.  In a talk ostensibly about the shortage of cyber security skills, he went on to say;
The U.S. is struggling to come to “a broad policy and legal consensus on how we deal with some of these issues. Is it going to take a crisis to wake us up?”

“I don’t want to be at the end of another 9-11 commission saying ‘How did we get here?'”

The example given of an essential enabler for the fight? Cyber legislation the NSA is working to pass, namely the Cybersecurity Information Sharing Act. It would mean telecom, security and Internet companies monitoring their traffic for malicious software and other attacks and then sharing details with the intelligence community in real-time through the Department of Homeland Security (DHS).

“It’s very critical for us. Without it, cyber becomes a huge cost for us as a nation.” said Rogers

Encryption was also raised at the meeting as an issue. Sitting in the front row was Whitfield Diffie, one of the world’s foremost cryptographers. Diffie said he was disturbed by Snowden’s charges that the NSA had “tinkered with” some widely-used cryptographic programs, presumably to make them easier for the agency to circumvent.
As you can imagine the EFF and other privacy and civil liberties groups are up in arms.
Back in July there was much noise about the new US bill. Like the UK Data Retention and Investigatory Powers act (much vaunted as NOT being a rehash of the Communications Data Bill), the new US legislation had a forerunner. Quoting from a 12th July Guardian article by Trevor Tims (Guardian US columnist and executive director of the Freedom of the Press Foundation);

One of the most underrated benefits of Edward Snowden’s leaks was how they forced the US Congress to shelve the dangerous, privacy-destroying legislation– then known as Cispa – that so many politicians had been so eager to pass under the guise of “cybersecurity”. Now a version of the bill is back, and apparently its authors want to keep you in the dark about it for as long as possible.

Going back to Mr Hannigan and the UK furore, Martha Lane Fox (former government tsar for digital inclusion), gently pointed out some home truths today:

“It was a bit reactionary and a bit inflammatory”

Going on to say his Financial Times opinion piece “cleverly” signposted his agenda for GCHQ in the coming months/years. An agenda with access to data at it’s heart.
In another restrained but impactful statement, she drew out the real crux of public fear. Pointing out that there is little distinction between between peoples’ online and physical lives any more.

“I wouldn’t want GCHQ to rummage in my front room. I feel the same way about my iPhone”

For the UK, the data retention and access agenda was intrinsically linked to the successful and ultra-rapid passage of the Data Retention & Investigatory Powers Act. An agenda under unwanted negative scrutiny because of on-going revelations about privacy intrusions. Both about bypassing of control and oversight designed to protect access to our data and doubt over the real crime-fighting value of bulk data retention.
On 24th November 2014 the UK government published their findings following an nquiry into the death of Lee Rigby. It highlights a range of investigatory mistakes by MI5, but all media outlets are leading with the refusal of a US internet company (Facebook according to the Guardian) to release incriminating electronic communications from perpetrators of this horrific crime.
Also this week there’s a debate on the UK government’s Counterterrorism Security Bill. In a Radio 4 interview Malcolm Rifkind was challenged about the timing of these two events. He stated the report release had been scheduled for some time, inviting the reporter to ask the government the same question about the debate.
As a US company being asked by UK secret services to share user communications, they were under no obligation to do so. The crucial question? Could Lee’s death have been prevented? The media message coming out of Number 10 and GCHQ seems to be ‘Yes’ if that data had been shared.
For context, the conversation in question took place months before the actual crime and no-one is definitively stating that this would have effectively triggered preventative action by security services. In fact, while discussing MI5’s mistakes, Mr Rifkind reminded us that sifting through mountains of data and identifying credible threats is a herculean and inexact task.
Will making tech companies responsible for filtering and sharing ‘suspect’ communications content make that science more exact? The current limitations of technical and manual data analysis suggest not, but tech firms continue to innovate tools to tame bulk data at an ultra rapid pace. Will means to demand proportionality and challenge the inevitable mistakes and misteps keep up?
Without friends in ultra high places we are forced to form our own opinions and right now it looks like a re-run of the nuclear arms race, just driven by different technology;

  • Privacy and civil liberties campaigners want unilateral disarmament. Demanding robust oversight and control for data access and use, as befits a democratically elected and accountable government.
  • Governments want a deterrent capability. Getting the mandate for ‘against the day’ access to all data.
  • Globally this forces all administrations (democratic, dictatorial, oligopolistic) to follow suit and tool up. No-one wants to be the visibly weak force in the commercial, national security, or political intelligence data war (and frankly the difference between those fighting fronts is getting very blurred).

Whichever way this cookie crumbles private individuals will struggle to hold ground. There are monolithic powers behind these moves and little people won’t be given the means to truly understand all sides of the argument. Nor should we. National security has a necessary layer of secrecy. What is fundamental is the lack of confidence in the existence, effectiveness, and  transparency of accountability, oversight, and control.
We should all be watching that space with interest.

Opinion: Paying to play with our personal data – is it ok?

We’ve migrated from ‘Hot or Not?’ to being held virtually hostage by many of the digital platforms we rely on today. In the midst of that a new processing paradigm has emerged. Myriad startups want to pay to play with your personal data. Can this tackle on-going...

In AI we will blindly trust…

...and the architects, designers, data scientists, and developers will think we are nuts I've been driven back to the blog to talk about one very specific aspect of privacy, data protection and Artificial Intelligence (exchange for Machine Learning or Algorithms as...

Data Protection, Security, and the GDPR: Myths and misconceptions #2

Welcome back! This is a shamefully delayed sequel to my first instalment of security themed GDPR thoughts: Data Protection, Security, and the GDPR: A fraught and fuzzy relationship. Here I look back again over my pre-privacy IT and InfoSec career to spot things likely...

Where and to whom does the GDPR apply?

Yeah, I doubted my sanity going at this one too, but here I am, because working out whether or not the GDPR would apply in different practical and geographical circumstances is proving harder than it really should...for everyone. This regulation has been my almost...

GDPR – You’ve analysed the gaps, but can you close them?

  There is a critical gap for most firms: An inability to interpret and leverage gap analysis, data discovery, and mapping output to actually implement technical data processing change. This article is about the challenges most large firms are facing when trying...

GDPR – The Compliance Conundrum

There is one question related to the General Data Protection Regulation that will arguably cause more ulcers than any other: How much is enough? In some portions of the GDPR 'good' is straightforward. In many others we are asked to respect principles of fairness and...

Opinion: The role of automated data discovery in a GDPR programme

Do you have any online profiles or posts featuring those 4 magic characters: G D P R? If so, whether you are a business decision maker, IT body, security body, charity boss, employed data protection pro, or job seeking data protection pro (less and less likely), you...

When Business Culture Eats Cybersecurity For Breakfast – Part One

A four-part story of budget cuts, blamestorming, breaches and massive bumps in the road to mature security. Wild Speculation & IT Transformation Do you remember Nick Leeson? On February 23rd 1995 he sent a fax telling bosses at Barings Bank he was ill and wanted...

Cyber Insurers Dictating Cybersecurity Standards?

A run down of the key challenges with choosing and using cyber insurance called out in the last few months. It looks entirely possible you will have 'adequate' security dictated by your insurers, so it is your job to understand the risk based yardstick they're using...

There Is No Such Thing As Information Security Risk

Having worked in IT and Information Security for 13 years, I've come to the conclusion that there is no such thing as information security risk. There are just business risks that have one or more security or IT related causes. There is a fundamental and persistent...