27 September 2019

The NSA General Counsel's Proposal for a Moonshot

By Susan Landau 

National Security Agency (NSA) General Counsel Glenn Gerstell presented an interesting and surprising challenge last week, writing in the New York Times that the United States must be ready to face the “profound and enduring implications of the digital revolution.” The essay was interesting in that Gerstell’s writing was almost philosophical, rather than a direct call to action (not exactly a common mode of address for general counsels of intelligence agencies), and surprising because Gerstell argued that the solutions to the conundrums he presented “are not easy but very hard.” As John Kennedy said so very long ago, “We choose to go to the moon in this decade and do the other things, not because they are easy, but because they are hard, because that goal will serve to organize and measure the best of our energies and skills, because that challenge is one that we are willing to accept, one we are unwilling to postpone, and one which we intend to win, and the others, too.”


But the challenges Gerstell poses include both technical and political aspects—and it’s not clear which aspect will be more difficult to resolve. Though I disagree with the solutions he proposes, it is encouraging to see the NSA general counsel seriously weighing the importance of improving cybersecurity in the civil sector and clarifying the Fourth Amendment in this new world.

Gerstell starts by noting how tech change is occurring at an unprecedented rate. While computers have been around for three-quarters of a century, the computer in your pocket—your smartphone—is less than a fifth as old. The Digital Revolution really began when Facebook became publicly available (in 2006) and when the iPhone (released in 2007) gave people a way to consult Facebook—constantly. The change has been profound. Two years ago, in my book “Listening In,” I wrote that “[t]he U.S. president can reach out and tweet his message, ignoring the press that previously dominated the transmission of news. Whole swathes of industries and businesses—including brick-and-mortar stores, manufacturers, even law firms—have been upended.” But this change is only just over a decade old.

Contrast that revolution with the Agricultural Revolution. Wherever the transformation from hunter-gatherer to agrarian society occurred, it took between a century and a millennium to happen, a matter of four to 40 generations. Or compare it with the initial Industrial Revolution, which took about 100 years to occur in Europe and North America. As a result, people had time to adjust their social norms to the new world. The same is not true of the Digital Revolution.

Such a profound and rapid dislocation has many consequences. Jobs with benefits have migrated to the gig economy, with disability and health insurance evaporating. The private sector has become the biggest repository of consumers’ private data with little or no reaction by the people concerned. Companies have increasingly moved their business onto the internet, only to find their data traveling to places they never intended, including to competitors.

There are tremendous benefits to the Digital Revolution, but Gerstell is focused on the national security threats. Cyberinsecurity is pervasive, and it is hard to disagree with Gerstell’s description of the severity of the threat when cybersecurity threats to national security include intellectual property theft (the “greatest transfer of wealth in history[,]” according to then-NSA Director Keith Alexander), theft of weapons design and ransomware.

In his essay, though, Gerstell takes a step outside the narrow box of the NSA to talk about cyberinsecurity, and the necessity of upgrading U.S. government security and surveillance systems, within the context of the bigger problems liberal democracies are facing:

Will Western liberal democracies, already straining under the combined demands of decaying civil infrastructure, aging populations, upgrading militaries and so on, be able to afford these investments? Given that there is no specific forcing event to require greater resources, but rather a trend, history suggests that we will appreciate the seriousness of the underinvestment only when a crisis has occurred.

Gerstell notes the country’s inability to absorb the rate of change occurring as a result of the Digital Revolution. During World War II, the U.S. had five years—the time from Hitler’s invasion of Poland until D-Day—to build up its war machine. But with cyber, the U.S. won’t have two oceans to separate it from the attackers—or five years to prepare. Gerstell’s fear is that the U.S. won’t invest sufficiently in security and surveillance systems—until the country is attacked or held hostage by the threat of a catastrophic attack. And then it will be too late.

Gerstell writes, “Our national security sector does not have an extensive history of marrying intelligence insight and analysis with deep technical expertise across a wide range of scientific disciplines,” arguing that “it is not clear that the intelligence community will be able to attract and retain the necessary talent needed to make sense of how our adversaries will make use of the new technology.” This is inarguably true. As Gerstell notes, “The simple fact of the matter is that no nation has yet devised an effective solution to the conundrum of how to respond in a definitive and dispositive way to another nation-state’s malicious cyberactivity.”

Thus the U.S., which is hyperconnected, is at particular risk. Securing the nation is no longer a matter of protecting against physical invaders at the borders (a situation in which the United States has had tremendous geographic advantages compared with most other nations). And the jewels of the kingdom, whether the intellectual property of pharmaceutical design or the personal data of hundreds of millions of people, are maintained by the private sector, which lacks the capability to repel nation-state adversaries. No matter how much private companies invest, they will never be in a position to thwart attacks from a determined and highly capable nation-state.

Currently the private sector is in a frustrating position—underdefended yet not able to fight back against attackers. Gerstell writes, “National security agencies will need to defuse that frustration and find an effective path for collaboration with the private sector to mitigate cyberthreats. The only practical solution is for the private sector to assume a greater burden in this area, but with the active support of the national security agencies.” He observes that the U.K.'s National Cyber Security Centre relies on national security capabilities to secure private-sector companies. (Unlike the U.S., the U.K. has not separated government computer security into national security and non-national security sides of the house.) Likewise, Gerstell asks if “the American business community [would] accept that model [of national security working closely with the private sector], and would our national politics permit its adoption?”

We’ve debated that previously, and the answer has been no.

Many decades ago, in 1965, the U.S. embarked on putting a civilian agency in charge of developing computer security protections for the non-national security sector of the U.S. government. This was an unusual choice—most nations have instead opted for a national security agency to handle such efforts—but it is one that has reaped many benefits.

The National Bureau of Standards, now the National Institute of Standards and Technology (NIST), was charged with establishing federal data processing standards for the non-national security side of the government; this included developing cryptographic standards. In 1987, over the NSA’s objections, Congress reaffirmed that choice with the Computer Security Act.

The U.S. splits responsibility: The NSA takes care of securing the national security side of the government, while NIST prepares cryptographic standards and security guidelines for the non-national security side of the U.S. government. But it’s not just the U.S. government that uses NIST’s cryptographic standards and follows NIST’s guidelines on security.

Over the decades—and not always without hiccups—NIST has done an excellent job of gaining the trust of the private sector. The agency’s Computer Security Division guidelines and cryptographic standards are used widely by industry, around the world, not only substantially increasing security but also creating economic benefit. The fact that NIST and its parent department, the Department of Commerce, are not regulatory arms of the government helps—it’s critically important that NIST is a “fair dealer.” And absolutely crucial to that international trust in NIST’s role is that the agency is not a branch of the U.S. intelligence community. (There have been times when it appeared that NIST was too much influenced or controlled by the NSA, which has far more cryptographic expertise; that is not the subject of this piece.)

NIST’s ability to support private-sector cybersecurity is hampered by a budget not commensurate with the task that needs doing. (Other agencies, including the Department of Homeland Security [DHS] and the FBI, have not been up to the job.) So while Gerstell is right about the problem—the private sector needs help—he is wrong about the solution. We rejected the model of national security being the provider of private-sector cybersecurity—and with good reason. The Snowden disclosures sowed great distrust among the public toward the NSA. NSA involvement with U.S. computer and communication products will not help sales overseas; instead, such “help” is likely to have the opposite effect.

Gerstell also wants to “recalibrate the balance in this area of data privacy between the government and the private sector.” He writes, “But what do our notions of privacy mean anymore when Amazon, Google, Apple, Microsoft, Facebook and so on already know so much about you?”

Indeed, the Digital Revolution has vastly complicated the issue of Fourth Amendment protections. As people share so much information with the Googles and Facebooks of the world, the third-party doctrine in U.S. domestic law, in which data shared with third parties is entitled to decreased privacy protections, makes less and less sense. As Justice Sonia Sotomayor put it in her concurring opinion in Jones v. United States,


More fundamentally, it may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties.... This approach is ill suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks. People disclose the phone numbers that they dial or text to their cellular providers; the URLs that they visit and the e-mail addresses with which they correspond to their Internet service providers; and the books, groceries, and medications they purchase to online retailers.

Many observers think that a recalibration of Fourth Amendment jurisprudence is overdue in light of new technologies. But what this recalibration should be is not clear (Gerstell mentions the possibility of government regulation to protect privacy, which has already occurred in Europe). Justice Sotomayor would take the fact that so much personal information is held by the private sector as evidence that greater—not lesser—legal protections are needed against government access to such information. Meanwhile, Gerstell’s argument for greater collaboration between the private sector and the national security sector hints at the argument that the government should step in to protect the personal data of private citizens held by third parties. This is a way of stating that the intelligence community, and not a civilian agency, should be running civil-sector cybersecurity for the United States—a proposal with which I profoundly disagree.

Such a direction would raise great objections from the public, the civil liberties community and the internet companies. The latter are still smarting from the Snowden disclosures, which pushed companies to fast-track efforts to encrypt inter-data center communications. Gerstell’s suggestion would also run counter to the way the U.S. runs its own government systems: The NSA secures the .mil sites, while the civil-sector agency, the DHS, secures .gov (NIST supplies the guidelines, while the DHS provides the requirements and enforcement levers).

These issues have long been the subject of debate, though for a number of reasons they have been ignored over the past several years. Gerstell is completely on target that the challenges posed by China and other nations through cyber seriously threaten U.S. national security. He is not talking here of a cyber Pearl Harbor, but of complex economic and national security exploits and attacks achieved through cyberspace. Gerstell is correct that the U.S. needs more people with both technical expertise and intelligence insight, and his concerns echo Vannevar Bush’s famous report on the importance of scientific research to the national enterprise, which led to the creation of the National Science Foundation and U.S. government support of scientific research in peacetime. Gerstell is also right that grave economic and national security risks are posed by inadequate cybersecurity protections of private-sector data (certainly inadequate when the opponent is another nation’s national security forces). And Gerstell is correct that the country needs to rethink Fourth Amendment protections in light of the Digital Revolution.

I don’t expect the general counsel and I will agree on what the answers to these questions should be. But I strongly concur on the importance of the questions and that the United States does not have time to waste in responding to them. And I thank him for raising these issues in so public a way.