The Hackers Heckling

The Black Hat convention is under way today in Las Vegas, and there, before a group of information-security-minded individuals, stood General Keith Alexander, Director of the NSA, getting heckled by conference attendees. Their complaints were targeted at the NSA’s surveillance activities and Director Alexander’s dubious testimony to Congress about those activities.
Initially it’s jarring to see audience members rudely interrupt a dignified speaker. Or equally, it’s gratifying to see a public servant held accountable for their conduct. Your reaction to the heckling will no doubt align with your interpretation of the accusations laid out against the NSA.
From the perspective of a security professional who is not in the thick of the factual details about NSA surveillance (most of us aren’t, after all), I can at least lay out how I see the nature of the public controversy. There’s what the NSA is capable of doing, there’s what they actually do, and there’s what they say they do. Seldom do I see distinctions between these three subjects in public debate. People who demonstrate the NSA can do things (snoop around in gathered domestic communications data) imply that they actually do those things. People who demonstrate that they say false things (such as Alexander’s testimony to Congress, in which he claimed that they don’t intercept domestic communications information) imply that they perjured themselves, because they do gather some information through subpoenas.
So I have a major gripe with how inarticulate the public, the pundit class, and public servants are on the subject. But, having lived in an autocratic, communist country in the past, I can tell you a key cause for this terrible public debate: Secretive governments create dysfunctional populations. They render their populations incapable of debating public policy. And in this case the NSA is overly secretive. As a result of their secretiveness, we are left incapable of speaking articulately about the subjects that they hide from scrutiny. We not only don’t have facts, but we have contradictory explanatory models and no clear way to transparently determine which interpretation is true. Someone else owns the facts here and that messes with our minds. It goes against our instincts.
With regard to the NSA’s use of our domestic communications information, we don’t know what to debate or how to debate it because we don’t have access to the details (naturally). But what complicates the situation further is that we have good reason to believe that the NSA is over-reaching in its powers to watch and analyze us. So we don’t know what we know, and we don’t know what we don’t know, and our interpretations of the facts are based on our sympathies rather than an objective viewing of the actual facts. For a society that holds dear the importance of public accountability and transparency, this confuses and irritates us.
But worse than our not knowing information about the NSA’s surveillance activities, we don’t even know how to ask for that information, or if we are supposed to have it. People like Bradley Manning and Edward Snowden are either heroes or traitors depending on our views of public accountability and secrecy. Some people want our government to have secrets, even too many, if it means we don’t get attacked by terrorists. Some believe that threats are no more credible with or without that surveillance, and that the surveillance is in itself already an intolerable harm.
But our public debate is mired in our immaturity in talking about information security. So let me break down the principles that I would want government agencies to operate under to allow me to sleep at night:
- Information security and information openness are both about being sure that information is in its intended state.
- All information should be known by the appropriate people, and no more than the appropriate people.
- Information should default to “public.” If there is potential harm to someone when information is public, it should be safeguarded to be sure that the previous rule is followed.
- If people have information about you, you should know that, and they should demonstrate to you that it is correct, or expunged, as you request it.
- If there is an actual public safety concern with you knowing someone has your information, then the people who have your information must actively demonstrate to an authoritative party (Congress, for example) that they do not abuse that information.
- If the authoritative party realizes that there is abuse, they should publicly state that and demand corrective actions and preventive measures to reduce the chance of the abuse recurring.
If the NSA operated under these principles, then they could easily keep secrets and reduce (never eliminate, of course) the public distrust about their use of that information.
So it occurs to me watching General Keith Alexander at the podium getting heckled by rude, true-blue patriots that he would not be in this soup had the NSA a mechanism for being honest to begin with.
Our information technologies and the commoditization of our personal information have grown rapidly. In fact, they’ve grown so rapidly that our culture and our systems of politics and authority have not yet created the mechanisms that marry accountability to the access and control of that information. Let’s hope that General Alexander takes that lesson home with him today.