How does the NSA look from the inside?

A couple of weeks ago I attended the SecureCloud conference in Amsterdam, organized by the Cloud Security Alliance and its partners. As always with CSA conferences, it was packed with solid material: real world experience, actionable advice, very senior government officials, top analysts, interesting panels, and the usual walkway gossip.

One of the most thought provoking presentations, in my mind, was Richard Clarke’s on the review he conducted of the NSA, in the wake of the Snowden revelations, on request of president Obama.

Mr Clarke used to work at the NSA, which makes him pretty believable when he said that the surveillance programs were shockingly expanded, beyond any practical and moral value, in the wake of 9/11. They were collecting because they could, even if the data collection proved to be of limited value (such as telephony metadata), or would actually be very harmful once it would leak out. The ‘front page rule’ is: eventually every classified activity will become public, at which time you should be able to defend the reason for engaging in it. Clearly the NSA failed to live by that rule.

Take a look at my Cloud Security training and get certified by the leading industry coalition and make cloud computing more secure!

One of the recommendations was better external oversight, as the 600-person internal compliance team had not been effective in this regard. They did their job, but they were not reviewing the relevance of the regulations they were checking against. In relation to this, Clarke noted that judicial courts need to better understand information technology if they are to be capable of this oversight.

According to the review team there is also no need to treat US and non-US persons differently. The same legal controls should be applied to both, which led to Clarke’s remark that your data is actually safer in the US. Implicit was the assumption that those controls are adequate. I would agree with the statement that there are a lot of nations that have less adequate legal controls, either in theory or in practice. But overall, I am not sure.

The statement that you would least expect to come out of the mouth of a career government national security official was the warning that technology can create a high-tech police surveillance state, and once it exists it will not go away. It reminded me of Eisenhower’s warning against the military-industrial complex (on which I presented at CampusEurope: what would Eisenhower say about PRISM).

The US is not a single, united nation. There is a lot of diversity and debate on the proper way forward. And outside of that nation, there is a lot of distrust. As someone in the hallways cynically paraphrased Clarke: “yeah right, you host your servers with us or we will hack them”. And in my cloud security training, I regularly meet people who trust no American business, not even Amazon, with their credit cards. I agree there are risks, but you will run those anyway. Better make sure you understand them.

You might want to look at my CCSK Cloud Security training, more info: