Platt Perspective on Business and Technology

From stuxnet to heartbleed – the impact of US national cybersecurity doctrine and practices on businesses and markets 3

Posted in business and convergent technologies, in the News by Timothy Platt on January 12, 2015

This is my 22nd installment in an occasional series on international cyber-security and the changing nature of threats faced and responses offered to them (see Ubiquitous Computing and Communications, postings 58 and loosely following for Parts 1-15 and that directory’s Page 2, posting 296 and following for Parts 16-21.) This is also my seventh installment in a sub-series within that, with its posting titles collectively identified as: From Stuxnet to Heartbleed.

I ended Part 19 of this series with a list of points to cover next, and I began addressing them in Part 20, where I focused on the first two of them. I begin this installment by repeating that list, with the rewording of its first two points as offered in Part 20 included:

• The Obama cyber-doctrine and its implementation through open-ended surveillance programs have raised broad-based civil rights and United States Bill of Rights concerns. From a business and marketplace perspective, this has led to concern over whether businesses are even able to secure personally identifiable and other confidential customer and employee information. That has led to court challenges and imposed operational restrictions, particularly as US-based businesses seek to reach out to and do business with customers in countries that, like Canada and the member states of the European Union, have very strong privacy and confidentiality protection laws in place. And it has also raised anticompetitive barriers to participation in marketplaces in countries such as China: a complex of issues that I will also delve into as part of this discussion, along with business and marketplace pushback.
• The Obama cyber-doctrine and its implementation, as most recently discussed here in my posting: The Operational Side of National Cybersecurity and its Issues 3 have also directly created avoidable risks for businesses and organizations of all types and for marketplaces and their individual and organizational participants.
• And both of these sets of challenges have added significant risk and potential cost, reducing the competitiveness of American businesses and interests, in the name of enhancing overall national security. I could, and will, argue that this dichotomy of vision, and of consideration of consequences, limits the capability to achieve either the full achievable American business competitiveness in world markets or American national security.

I said at the end of Part 20 that I would at least briefly discuss legal frameworks for regulating proper use of personally identifiable information, and for responding to violations of their standards as legally set. And I added that from that starting point I would more fully discuss how businesses based in the United States and following US data practices have been challenged in court when doing business in countries like Canada and member states of the European Union. Then I stated that I would raise the specter of the USA PATRIOT Act and how it has come to be interpreted, and how some of the United States’ closest ally governments have come to see the US government itself as violating their privacy and confidentiality laws. And I went on to add that I will also discuss China and their actions in this context.

That covers a lot more territory for discussion than I would put into any one posting, even a double-sized posting such as Part 20. So I will begin addressing these issues here, starting with the issue of pushback.

In the United States, Facebook, Twitter, Microsoft, and a growing number of other software and hardware producers have begun to actively show resistance to the United States government’s National Security Agency (NSA)-led cyber-surveillance programs, and particularly to open-ended programs such as PRISM and XKeyscore. To those I could add programs such as:

• Boundless Informant and more than twenty others,
• Some of which were set up specifically to target foreign nationals (e.g. Dropmire, a program designed to surreptitiously gather information from foreign embassies, and Fairview, which was set up to “collect phone, internet and e-mail data in bulk from the computers and mobile telephones of foreign countries’ citizens”),
• And many of which were set up to gather such information regardless of nationality or national boundary considerations.

These companies began adding encryption layers and other security safeguards to their systems specifically to block these NSA-led surveillance initiatives, and they have publicly stated that they are doing this to safeguard the privacy of the people who use their products and systems. The US government, acting on the NSA’s behalf, has taken much more surreptitious action against these efforts, obtaining orders through the United States Foreign Intelligence Surveillance Court (FISA Court) that compel such companies to permit covert government surveillance of the use of their products.

And a growing number of foreign governments have begun actively and systematically pushing back too, a number that definitely includes some of the United States’ closest allies, including close allies in the War on Terror such as Germany.

And this brings me to the first of the issues that I said I would address “next”, as listed after my top three bullet-pointed items: “legal frameworks for regulating proper use of personally identifiable information, and for responding to violations of their standards as legally set.” Laws protecting online privacy and confidentiality, and explicitly protecting sensitive personal information, were enacted well before our current era of seemingly ubiquitous government-led open-ended online surveillance. Case law precedent developed as these laws were enforced case by case, clarifying both their realized meaning and their intent. Then governments put themselves in the crosshairs established by these laws through their active, open-ended surveillance and online data gathering programs. And when I use the plural “governments” there, I include any and all of a growing list of them that engage in online surveillance programs, for a wide range of what would loosely be identifiable as national security reasons.

The United States with its NSA-led programs comes immediately to mind here, and so do its direct allies in the War on Terror. That includes the more obvious allied participants in this endeavor:

• The Five Eyes nations: Canada (with its Communications Security Establishment Canada), Great Britain (with its Government Communications Headquarters, GCHQ), Australia (with its Australian Signals Directorate), New Zealand (with its Government Communications Security Bureau), and of course the United States. I tend to simplify US participation in this by citing only the NSA and leaving it at that, but multiple other agencies are actively involved, only some of which fall under the auspices of the Department of Homeland Security.
• I add France (with its Direction Générale de la Sécurité Extérieure, DGSE) and Germany (with its Bundesnachrichtendienst, BND) to this list, and note that the list up to here represents only the most visible War on Terror co-participants in all of this; a significant number of other allied countries have at least situationally participated in these and related online surveillance activities too.
• And that only includes nations engaged in this as part of the United States-led War on Terror, as American allies in that ongoing endeavor. Russia has been very active in online surveillance, both within its own borders and internationally, with its own agendas for doing so, as I have been discussing for years. So have China and a growing number of other nations.

On the private sector business and commerce side, law that limits and protects against violations of online privacy and confidentiality, and that protects sensitive personally identifiable information, is relatively mature now. These laws have been drafted and enacted, tested in the courts and refined, both in wording through new legislation and in interpretation as tested in real-world court cases. Parallel law that would address governmental violation of privacy and confidentiality without specific cause that could be justified in court through the granting of a warrant or subpoena is far less developed, certainly in this specific context, and largely rests on foreign espionage law.

And this brings me to the third bullet point at the top of this posting, which I repeat here:

• And both of these sets of challenges have added significant risk and potential cost, reducing the competitiveness of American businesses and interests, in the name of enhancing overall national security. I could, and will, argue that this dichotomy of vision, and of consideration of consequences, limits the capability to achieve either the full achievable American business competitiveness in world markets or American national security.

American businesses that cannot, for whatever reason, securely hold and protect the customer data that they collect are subject to legal action, both within the United States and outside it where they do business with foreign nationals, for how their information security systems leave customer and other sensitive personal information at risk. Ultimately, as far as breach of trust and creation of risk are concerned, it does not matter who is conducting this surveillance and sensitive personal data gathering.

Collectively, this limits the overall competitiveness of American businesses, certainly as they are more readily targeted for surveillance and are included as permitted targets for most of these open-ended surveillance programs. And pushback against all of this government surveillance has to have an overall effect of limiting US national security.

And this brings me to an ending point for this posting. I will continue this discussion in a next installment where I will address the last of the “to discuss” points that I listed at the top of this posting and that I have yet to cover:

• The specter of the USA PATRIOT Act and how it has come to be interpreted, and how some of the United States’ closest ally governments have come to see the US government itself as violating their privacy and confidentiality laws.
• And China and their actions in this context as a special case in point.

As a foretaste of this discussion to come, I note here that the PATRIOT Act was signed into law and publicly stated as explicitly only allowing surveillance and related activities against foreign nationals, and even there only with explicit justifying cause. Then the open-ended surveillance programs that are actually in place came to light, which explicitly seem to violate the key terms and requirements of this law as publicly stated and justified. That creates consequences. Meanwhile, you can find this posting and related at Ubiquitous Computing and Communications – everywhere all the time and at its Page 2 continuation.
