Chairman & CEO of Good Harbor Security Risk Management
Liberty and Security: the President's Review Group's Recommendations (and the issues they address)
October 30, 2014—On the occasion of his induction into the National Cyber Security Hall of Fame, the CyberWire is pleased to present this interview with Richard Clarke, an internationally recognized expert on cyber security, homeland security, national security, and counterterrorism. He has served the last three Presidents as a senior White House Advisor, including appointments as Special Advisor to the President for Cyber Security and National Coordinator for Security and Counterterrorism. His most recent Government service was as a principal member of the President's Review Group on Intelligence and Communications Technologies, whose report was published last December. This interview offers his retrospective look at the Review Group's work.
The CyberWire: Thanks for speaking with us. You, of course, were one of the principals on the President's Review Group on Intelligence and Communications Technologies. The issues the panel grappled with are complex and deal with important issues related to the balance of secrecy and transparency in government. Can you talk a little about your mindset as you began your work?
Clarke: When we began, most of us were a little surprised to learn the extent of what NSA was doing. A first reaction had to be one of being impressed that the government could do it so well, on such a large scale. The second reaction was to ask whether the activity was productive, especially given its inherent potential for abuse.
The CyberWire: Are there particular recommendations from the panel you believe are especially important?
Clarke: I think I would single out the proposal to terminate the telephony metadata program. We found it hadn't been productive. It had run for several years, had confirmed some things, but hadn't yielded results. It was expensive. And, while there was no record of abuse, it surely had the potential for abuse. Retention and accessibility without a court order were problematic. We recommended the program’s termination and this recommendation was adopted.
The CyberWire: Were there particular recommendations that you feel may not have been well understood?
Clarke: A couple of them may have been poorly understood by the public. One was our saying the Government shouldn't undermine encryption. People have to trust encryption. They need it; the financial and medical sectors in particular need it. We don't need Government undermining either encryption or the public's trust in encryption.1
Another recommendation that may be imperfectly understood concerns the question of what should be done when the Government finds a zero-day. The default, we recommended, should be to disclose and fix it. In rare circumstances, we could understand the Government wanting to use vulnerabilities to get into targeted networks overseas. We wanted an interagency process in which the equities could be properly, and thoroughly, considered. The Departments of the Treasury and Homeland Security should have a seat at that deliberative table. The White House has adopted this recommendation, and the policy with respect to withholding zero-days is very circumscribed.2
The CyberWire: How do you feel your panel's recommendations have been received overall? And do you have any thoughts on their implementation.
Clarke: Some were implemented and some were dodged, but on the whole I think we had a pretty good batting average. Check back in a year.
The CyberWire: Public discussion in the wake of your report seems to have concentrated on telephony metadata. Are issues of telephony metadata collection and use really the centerpiece of the panel's report, or does this discussion amount to sidetracking?
Clarke: The centerpiece of our report is not a recommendation, but rather a philosophy. Citizens should never trust government.3 There's a history—in my lifetime—of abuse of government power by CIA, NSA, and FBI. Given technological advances, the Government could know everything about you, all the time. Abuse would be all too easy. Thus there's a higher need for multiple, independent oversight, as well as greater transparency and openness. We need more road bumps to slow the rush toward Big Brother. After 9/11, the Patriot Act passed without much consideration. Another 9/11 would see a similar rush, and it's hard to undo these after the fact.
The CyberWire: Tell us a bit about your views of Edward Snowden. You spoke about him at RSA in fairly harsh terms. Why, in your view, should he be in jail?
Clarke: Well, he broke the law. He claims he discovered objectionable NSA programs. We found the programs, but no record of abuse. No one has been able to demonstrate harm. It's amazing—for all the breathless news stories about NSA, no one can point to harm.
I think that what Edward Snowden revealed was not exclusively or even primarily a set of questionable programs, but things enemy states and criminal cartels use for insight into our sources and methods. Some day an airplane or an embassy will be blown up because terrorists know how we're listening to them, and so now hide their activities.
The CyberWire: Snowden has presented himself as a whistleblower, a dissenter. How seriously do you think we should take that self-presentation?
Clarke: Snowden wasn't a whistleblower or a patriot. He was perhaps well meaning, but delusional, with issues. It's possible he was used by a foreign intelligence service without his knowledge, maybe through a person whom he trusted. We don't know. We do know that Russian intelligence greatly benefited from his information.
Emails seem to indicate that Snowden was living a fantasy. He thought, falsely, that he'd exhausted his legal options. He should have stayed in the country.4
The CyberWire: Leaving Snowden aside, how should agencies handle internal dissent? On one hand, obviously, they don't want it to damage their mission. On the other hand there does seem to be great value in giving it legitimate channels of expression. Service inspector generals play that sort of role.
Clarke: Here's one model for handling internal questions. The Department of State had, when I worked there, a "Dissent Channel"—anyone could formally file a dissent. They were entitled to a written reply from the Secretary of State. The entire transaction could be classified. It was useful—not only a way to let off steam, but also a valuable way to keep leaders informed. To be sure there was always a crackpot quotient, but some of the issues were real ones.5
The CyberWire: Beyond simple dissent, of course, is the insider threat. What policies do you think enterprises should consider that would improve their ability to detect and mitigate insider threats?
Clarke: What's outrageous about the NSA affair is that we'd already had the Private Manning case. A Presidential Executive Order had laid out a good insider threat program. Most of the Intelligence Community, however, hadn't implemented it. They lacked funding. The White House's job was to monitor implementation and get the Office of Management and the Budget to free money if necessary. The White House was essentially asleep at the switch.6
The CyberWire: What are your views on roles and missions within the Intelligence Community? Without getting into possibly sensitive specifics, what are your reactions to proposals that offensive and defensive cyber missions be assigned to different organizations?
Clarke: Assigning offensive and defensive missions to different organizations is a good idea. There has to be some overlap, but the two missions are sufficiently different that you could risk watering down defense by mixing in offense. Splitting the missions might help.7
The CyberWire: Would you care to comment on Active Cyber Defense? And by this we mean not "hacking back," but increased use of network sensors, automated decision aids, and intelligent machine-to-machine information sharing.
Clarke: This would essentially be continuous monitoring, with the ability to act on the results of that monitoring.
People are reluctant to allow certain things to happen quickly, however. The problem lies in the inevitable false positives. And how quickly you need to act depends on the sensitivity of the network.
The CyberWire: Another Presidential panel, this one on big data, has recently reported. It didn't address surveillance by the Intelligence Community, but its charter clearly bears some resemblance to your panel's. Do you see any common ground in the two panels' recommendations?
Clarke: Both panels are concerned with privacy, and about the Government's discovery of information it doesn't need. Big data as a field, a capability, is controversial. Some think it's unproductive. Others think it’s a miracle. I think it's productive, but certainly not miraculous.
Information that would allow someone to become you, to assume your identity, is a problem. A concern for privacy isn't a matter of having something to hide. It's also a matter of having something of value taken from you without compensation or a well-informed and meaningful grant of permission.
The CyberWire: Thank you, Mr. Clarke, and may we close with congratulations on your induction into the National Cyber Security Hall of Fame? It's a well-deserved honor.
1Liberty and Security in a Changing World, Recommendation 29, page 36. See also Appendix E: US Government Role in Current Encryption Standards, pages 273-276.
2Liberty and Security in a Changing World, Recommendation 30, page 37. "We recommend that the National Security Council staff should manage an interagency process to review on a regular basis the activities of the US Government regarding attacks that exploit a previously unknown vulnerability… US policy should generally move to ensure that Zero Days are quickly blocked, so that the underlying vulnerabilities are patched on US Government and other networks. In rare instances, US policy may briefly authorize using a Zero Day for high priority intelligence collection, following senior, interagency review involving all appropriate departments."
3"History shows that the acquisition of information can create risks of misuse and abuse, perhaps in the form of intrusion into a legitimately private sphere. History also shows that when government is engaged in surveillance, it can undermine public trust, and in that sense render its own citizens insecure. Privacy is a central aspect of liberty, and it must be safeguarded." (Liberty and Security in a Changing World, pages 46-47)
See also the discussion of the Church Committee findings: "'Personal privacy,' the Committee added, is 'essential to liberty and the pursuit of happiness' and is necessary to ensure 'that all our citizens may live in a free and decent society.' Indeed, 'when Government infringes the right of privacy, the injury spreads far beyond the particular citizens targeted to untold numbers of other Americans who may be intimidated.' The Committee added that, in the words of former Attorney General and Supreme Court Justice Robert H. Jackson, without clear legal limitations, 'a federal investigative agency would "have enough on enough people" so that "even if it does not elect to prosecute them" the Government would…still "find no opposition to its policies."' Indeed, Jackson added, 'even those who are supposed to supervise [our intelligence agencies] are likely to fear [them].'" (Liberty and Security in a Changing World, pages 60-61)
Compare the discussion of "Secrecy and Transparency" (Liberty and Security in a Changing World, page 124): "A free people can govern themselves only if they have access to the information that they need to make wise judgments about public policy. A government that unnecessarily shields its policies and decisions from public scrutiny therefore undermines the most central premise of a free and self-governing society. As James Madison observed, 'A popular Government, without popular information, or the means of acquiring it, is but a Prologue to a Farce or a Tragedy; or, perhaps both.'"
4Liberty and Security in a Changing World, Appendix D "Avenues for Whistle-Blowers in the Intelligence Community," page 271.
5"Another dimension to the secrecy vs. transparency issue concerns the role of whistle-blowers. Although an individual government employee or contractor should not take it upon himself to decide on his own to 'leak' classified information because he thinks it would be better for the nation for the information to be disclosed, it is also the case that a free and democratic nation needs safe, reliable, and fair-minded processes to enable such individuals to present their concerns to responsible and independent officials. After all, their concerns might be justified. It does not serve the nation for our government to prevent information that should be disclosed from being disclosed. Although such mechanisms exist, they can certainly be strengthened and made more accessible." (Liberty and Security in a Changing World, pages 126-127)
6Liberty and Security in a Changing World, Recommendations 42 and 43, pages 40-41.
7Liberty and Security in a Changing World, Recommendations 23, 24, and 25, page 34.