“Telecom, Privacy & Security After September 11”
Professor Peter P. Swire
Ohio State University
Ohio Telecommunications Industry Association
October 2, 2001
Overview of the Talk
My background
Critical infrastructure and your computer security
Wiretaps and surveillance today
I. My Background
First Internet law article in 1992
Wrote on encryption, privacy, and international e-commerce issues
1999 & 2000 -- Clinton Administration
– Chief Counselor for Privacy
2001 return to Ohio State Law
– now visiting at George Washington
– consultant with Morrison & Foerster
In the Administration
Privacy issues
– Medical privacy proposed and final rule
– Financial privacy law and rules
– Internet privacy policy
– Government databases and privacy
Website privacy policies
Cookies on website policy
In the Administration
Encryption policy shift 1999
– Strong encryption necessary for strong military, e-commerce, and civil society
Computer security
– Government data for security and privacy
– FIDNet
– Other critical infrastructure issues
In the Administration
Wiretap and surveillance
Headed 15-agency White House working group on how to update these laws
Legislation proposed June, 2000
– S. 3083
– Hearings and mark-up in House Judiciary
II. Computer Security & Critical Infrastructure
Security after Y2K
Openness in computer security
ISACs and critical infrastructure
A. Security after Y2K
In the late 90s, it was conventional wisdom that security would be the next big computer thing once Y2K was addressed
Security is not a new issue since September 11
Security is an even bigger issue now
– It’s important
– It’s hard
Why Security is Important
Information is valuable in an information society
Personal data is more valuable today
– Customer info is important to customers and to your business model
– Prevent identity theft
– Safeguard that customer data
Why Security is Important
Potential losses to your business if insecure
– Interruption of business - DDOS
– Loss of data and expensive IT assets
– Reputation and confidence loss
Credible threats of loss
– Terrorists
– Other malicious actors
Why Security is Hard
PC enormous growth since 1980s
Internet enormous growth since early 1990s
Applications have outstripped security
– The rush to get products to market
– Legacy systems and inconsistent platforms
– The opportunities and risks of networks
– User autonomy rather than IT dictators
– Security has not been the driver
Some lessons on security
Security is an issue whose time was coming
Clearly a bigger issue today
What lessons for you?
B. Lesson 1: Openness in Security
Subject of my current research:
– Openness and hiddenness in computer security
Historic link between hiddenness and security
Openness and inter-operability
Openness and updating your security
Security and hiddenness
Would a military base reveal the location of its defenses and booby traps?
No. That’s the historic link between security and hiddenness.
Computer security and openness
Computers and inter-operability
– Will you trust software or hardware into your system if you can’t test it? Can’t know what’s in it?
– Will you trust partners in your extranet or grid unless you know how they handle data?
Computer security and openness
Computers and updating your security
New patches daily
New systems also needed often
How do you get these to all your users and systems that need them? Other companies’ users?
Moral: with this broad dissemination, the determined bad guy will learn the weakness and the patch, too
C. ISACs and Critical Infrastructure
Computer security requires much more openness than traditional security
Must share information to inter-operate and to update patches and other security approaches
How to do this information sharing?
ISACs
Information Sharing and Analysis Centers
– Banking
– Telecommunications
– Electric Power
– IT
Industry groupings to share information about attacks and responses
ISACs
The security pro at your competitor has much the same job as the security pro in your company
Networked systems and critical infrastructure
Cooperation dominates competition here
– Not price setting, low antitrust risk
Regulators should encourage this sharing
Summary on computer security
Security bigger issue now
Openness much greater in computer security
Use ISACs and other sharing systems so the defenders learn what the attackers already know
III. Wiretaps and Surveillance
Last year, Clinton proposal to update both for privacy and surveillance
House Judiciary then went farther toward privacy
Now, Ashcroft proposal all in the direction of surveillance
Compromise in House yesterday with smaller move toward surveillance than Ashcroft
FISA Changes
Foreign Intelligence Surveillance Act
Special court, wiretap never revealed
Roving wiretap
– One order, multiple phones
More FISA orders and more sharing with law enforcement
Likely bigger requests for you to have employees with clearance
Trap and Trace
“Transactional” or to/from information
Need some updating of language
Nationwide order
– Challenge, if needed, far from you
Emergency orders
– Any computer attack
– Anything affecting “a national security interest”
– Go to a judge after the trap is in place
Trap and Trace (continued)
For phones, it is to/from information
Ashcroft asks for “dialing, routing, addressing, or signaling”
Issue: get URLs and other content?
Variation: “DRAS that identifies the destination” of a communication
Hacker trespasser
Issue: the government can’t “look over your shoulder” when you monitor your system
Proposal:
– (1) you authorize the government
– (2) legitimate part of an investigation
– (3) no communications other than those to or from the trespasser
– (4) for trespasser who “accesses a protected computer without authorization”
Voice mail
Current law: stored voice mail goes to government only under the strict Title III rules for phone wiretaps
Proposal to treat like stored e-mail
– Get with a subpoena
Administrative subpoenas
Current law: disclose name, address, local and long distance telephone toll billing records, telephone number, and length of service
Proposal: add “means and source of payment (including any credit card or bank account number)”
Concluding Remarks
For computer security, how to do more and more effective sharing of information
For surveillance, last year there was consensus that greater judicial oversight is needed for trap and trace
Consider that still, not just law enforcement “certifying” that the standard has been met
Conclusions
To address the current emergency, Administration calling for rapid passage of all their proposals, with essentially no hearings
One choice: take time to examine closely
Other choice: sunset after 2 years, so we can re-examine with greater calm
Concluding Thoughts
For you in telecommunications
– Security will be a bigger issue
– Compliance with new laws will take your attention
– Corporate decisions about how to assist law enforcement and national security while also safeguarding your customers’ records
Big challenges, and it’s an important job where we will see great progress
Contact Information
Professor Peter P. Swire
phone: (301) 213-9587
email: [email protected]
web: www.osu.edu/units/law/swire.htm