As the debacle over Edward Snowden’s leak of information about alleged NSA surveillance continues to unfold, numerous cybersecurity lessons have been learned and threats revealed. The most obvious lesson, of course, is that the biggest threat to networks and systems, whether they belong to the government or the private sector, comes from inside organizations. Snowden’s revelations have potentially caused more harm than any breaches by foreign nations such as China or Russia.
A less obvious lesson is one that has been playing out this week: How do we ensure that the private sector’s efforts to contribute to national security are robust yet reasonable? We know that those who would steal our information or intellectual property or spy on us are using technology and the Internet to do so. Why wouldn’t they? Our society is dependent on bits and bytes, whether on the Internet, on mobile, or in the cloud. At the same time, communicating globally has become easier with emerging technologies. Given this, the U.S. government must use the best technology to counter the threats.
But the information the government needs to review often sits with third-party companies whose business models are based on a level of perceived trust with their customers regarding how their information is protected or shared. While sophisticated users may recognize that little we do online is truly private, we still expect that the companies we work with do what they can to protect our privacy and security. Unfortunately, consumers have too little understanding of the evolving nature of government-private sector cooperation.
This battlefield on the intelligence and national security front requires the U.S. government to adjust its way of interacting with companies. It requires agencies to adjust their expectations of companies, as well as what they allow companies to reveal to their users. Transparency must be at the center of any public-private cooperation, partnership, or interaction.
This morning, 50 technology companies and civil liberties groups sent a letter to the Obama Administration and Congress urging the government to allow companies to reveal the amount and type of information they can report publicly about what they are and are not doing to cooperate with surveillance requests. Specifically, the group requested that they be allowed to report on:
- The number of requests for information about their users under FISA, the Patriot Act, and in compliance with National Security Letters, and
- The number of requests that sought content, subscriber information and related information.
The group also requested that the government issue its own transparency report letting the public know how many requests were made for what type of data and how many people were impacted. As noted in the letter, the government already does similar reporting for criminal law enforcement investigations, so it only makes sense to do the same for national security investigations. In addition to the letter sent today, Reps. Zoe Lofgren (D-Calif.) and Jim Sensenbrenner (R-Wis.) sent a letter earlier this week asking the FBI and DNI to give tech companies permission to disclose the number of requests they receive from the government.
The requests make sense and are good for our nation’s cybersecurity efforts. For one, the letter supports what has been a fundamental principle of U.S. cybersecurity efforts: developing “interoperable, secure and reliable information and communications infrastructure that supports international trade and commerce, strengthens international security, and fosters free expression and innovation.”
As discussed in the Administration’s May 2011 International Strategy to Secure Cyberspace, openness and innovation in Internet governance and international freedom are key to our cybersecurity efforts. This view contrasts with the views of other nations that have promoted cultural and Internet sovereignty within their borders over Internet liberty. Being transparent about how the government is interacting with those who are providing the products and services underlying the Internet, mobile applications, and the cloud is not only consistent with but critical to U.S. efforts to formulate a global vision of cybersecurity based on liberty and innovation.
In addition to promoting U.S. values, transparency will help mitigate a potentially significant amount of harm caused by Snowden’s irresponsible and seemingly self-promoting revelations. The leakage of bits and pieces of slides and documents does not give anyone a full picture of what is really happening. As anyone who has seen a PowerPoint presentation can attest, context is everything in understanding what words on a slide mean. Unfortunately, the information leaked has placed tech companies in the awkward position of defending actions (or non-actions) they cannot speak of because of the classified nature of the subject -- not only to their U.S. users but to users globally. Allowing companies to be transparent about basic aggregate information they are sharing under legal processes would be helpful in assuring that those companies can continue to compete effectively in the global economy.
We can expect continued scrutiny of domestic surveillance efforts over the next few months. The real policy issue should not be whether a spy agency should conduct surveillance, but rather how we assure that the proper safeguards are in place to protect the Constitutional rights of our citizens and promote our nation’s innovation economy beyond our borders.