New Paper on Digital Intelligence

David Omand -- GCHQ director from 1996-1997, and the UK's security and intelligence coordinator from 2000-2005 -- has just published a new paper: "Understanding Digital Intelligence and the Norms That Might Govern It."

Executive Summary: This paper describes the nature of digital intelligence and provides context for the material published as a result of the actions of National Security Agency (NSA) contractor Edward Snowden. Digital intelligence is presented as enabled by the opportunities of global communications and private sector innovation and as growing in response to changing demands from government and law enforcement, in part mediated through legal, parliamentary and executive regulation. A common set of organizational and ethical norms based on human rights considerations are suggested to govern such modern intelligence activity (both domestic and external) using a three-layer model of security activity on the Internet: securing the use of the Internet for everyday economic and social life; the activity of law enforcement -- both nationally and through international agreements -- attempting to manage criminal threats exploiting the Internet; and the work of secret intelligence and security agencies using the Internet to gain information on their targets, including in support of law enforcement.

I don't agree with a lot of it, but it's worth reading.

My favorite Omand quote is this, defending the close partnership between the NSA and GCHQ in 2013: "We have the brains. They have the money. It's a collaboration that's worked very well."

Posted on March 20, 2015 at 1:51 PM • 19 Comments

Comments

breakup • March 20, 2015 2:32 PM

After filtering the usual bullshit in the form of "might..." "could..." "in exceptional circumstances..." and "undisclosed for security reasons..." I am left with one sentence: We'll carry on doing what we do, because we can.

Reginald • March 20, 2015 3:00 PM

Is it just me, or is he really suggesting as one of his groundbreaking measures (in bullet points, no less) that the GCHQ needs to recognise the importance of the Internet? "OK guys, things are going to change. We have taken all necessary steps and built the most solid of legal frameworks to recognise the importance of the Internet. No need to worry any more."

cryptopuss • March 20, 2015 3:05 PM

If I have to read another half baked needle-and-haystack analogy in justification (or denial) of mass surveillance I think I might take up monastic life.

anonymous • March 20, 2015 3:15 PM

Who cares? Fascists gonna goose-step.

Bruce, please write an article about the CISA bill and the renewal of the Patriot Act and what we can do about it, if anything. What do you think about the potential of working on technological innovation versus fighting for political and legal reform?

IMHO, while it's necessary to fight the war on all fronts and retreat from no battle unnecessarily, it's largely a waste of our time to focus on politics and law. What if the NSA has quantum computing or backdoors in all the common crypto standards, do the judges or politicians get any say then? No! There's almost nothing that would stop them from exploiting almost all endpoint security, encrypted data and coms, one way or another. Like you said yourself, if we know 7 ways they can hack us and can patch 5 of them, there's probably 3 more we don't even know about. It's up to us to figure out a technological solution that would make it verifiably impossible for the NSA to snoop on us. I don't think "pretty good" or "good enough" security cuts it, given the resources of biblical proportion at the disposal of these rogue spy agencies. It's time to declare technological war on these Orwellian fascists and create a grassroots movement to innovate the best of the best in secure endpoint, data encryption, and coms encryption technologies. Whatever we have, the NSA/GCHQ/et al probably have something better, and it's time we focus on that. It's the core of the problem.

NobodySpecial • March 20, 2015 3:18 PM

When one of your largest and most successful network equipment makers, one of the few that is able to compete globally, is forced to ship its own products to fake addresses to avoid its own government intercepting and compromising them - I think you can safely say that you are no longer acting in the public interest.

65535 • March 20, 2015 3:28 PM

‘My favorite Omand quote is this, defending the close partnership between the NSA and GCHQ in 2013: "We have the brains. They have the money. It's a collaboration that's worked very well."’ – Bruce S.

I looked at the 30 page puff piece by the GCHQ shill and my eyes glazed over with disgust.

“All concerned must behave with integrity. Integrity is needed throughout the whole system, from the reasons behind requirements, and the actions taken in the collection, through to the analysis, assessment and use of the resulting intelligence.”- David Omand

[and]

“There must be right authority. There must be a sufficiently senior authorization of intrusive operations and accountability up a recognized chain of command to permit effective oversight. Right authority too has to be lawful and respectful of internationally accepted human rights.” –David Omand

P17 of the below pdf.
https://www.cigionline.org/publications/understanding-digital-intelligence-and-norms-might-govern-it

I don’t see “integrity” at any level. Our personal medical and financial records are being routed around the globe to circumvent the law and releasing sensitive personal information to an unknown number of people. That is not integrity!

I don’t see “…lawful and respectful of internationally accepted human rights” at all. Dragnet surveillance with little to no oversight and recording almost every personal conversation and Geo-location for five years is not “accepted human rights”!

“David Omand: He began his career with the Government Communications Headquarters, more commonly known as GCHQ. After working for the Ministry of Defence for a number of years, Omand was appointed Director of GCHQ from 1996 to 1997…” - Wikipedia

https://en.wikipedia.org/wiki/David_Omand

My conclusion is that David Omand is a PR shill for the GCHQ and has made a lush salary doing so. I don’t trust his proclamations.

As Clive has pointed out, the UK doesn’t have a constitution as USA citizens know it - which is probably why USA communications are read by UK agencies not bound by US law.

The privileged UK citizens make the rules. So, I will take what David Omand says with a large grain of salt.

[Please excuse the grammar and other errors]

AlanS • March 20, 2015 4:54 PM

@anonymous

Steve Vladeck over on Just Security has recently written on Section 215 of the Patriot Act: Whither the Section 215 Reauthorization Debate?

Not very encouraging:

As Congressman Schiff suggested, among other things, the absence of significant advance debate dramatically increases the likelihood that there will simply be a last-minute push to reauthorize section 215 in its current form (since there wouldn’t be time for meaningful debate over reforms/alterations to the existing language and statutory authorities).

EFF has a bit on CISA: Senate Intelligence Committee Advances Terrible "̶C̶y̶b̶e̶r̶s̶e̶c̶u̶r̶i̶t̶y̶"̶ ̶B̶i̶l̶l̶ Surveillance Bill in Secret Session.

So much for reform.

Spaceman Spiff • March 20, 2015 5:14 PM

"We have the brains, they have the money" - too bad none of them have a clue about ethics!

Nagasaki_Shrooms_Available • March 20, 2015 8:57 PM

nothing here is surprising in the least.
let's move on to constructive solutions.
come on, people.

Figureitout • March 20, 2015 9:17 PM

anonymous
--Yep, exactly. People thinking a political solution is possible do not understand the political system, and how much of a failure it is. The politicians are failures, the employees are failures, and the citizens are failures. It's all failure. No true leadership exists there, so it's all big failure compounding failure as time goes on it gets worse.

Technical solutions are for people who want actual security, not some blowhard bullsh*t from a politician. This means OPSEC, this means making these issues "not awkward" w/ your friends, unless they enjoy getting hacked. I'm sure once their credit card gets hacked they get some interest (which won't take long). This means a lot more, but people need to undergo the "shockwave" that personally took me years to finally get to where I am mentally.

If you're already screwed, then mutually assured destruction is your goal as we basically burn all our resources on worthless people delivering nothing but copied hacks.

Ezekiel Lovercraft Daedulus • March 21, 2015 2:01 PM

No offense, but I find it a very high level paper, after reading half of it (only because it is recommended), I finally had to shut it down.

I initially stopped reading after hearing him explain on the first page of an "Anglo-Saxon" focus 'because of Snowden' and the US. The US is not "Anglo-Saxon". Britain might be said to be, culturally, I am not sure how diverse it is over there.

This sort of terminology, usually used more distinctly, such as "the West", or similar terms often disturbingly invades these sorts of reports. As if there are no "free" nations outside of "the West".

Asia, Africa, and the Middle East also have members of that club. If you are not tracking "which nations are free" and "which nations are not", then what, exactly, are you working for? I think this manner of attitude reveals that they are not even thinking in terms of "free" nations, ensuring that freedom remains and strengthens. That is a very difficult task they are entrusted with, and his statements do not reflect he is even beginning to dabble in it.

Also, note, he is relying on the Snowden documents, without which his paper would be non-existent.

Finally, there is nothing about "what works". So, it is building on hypotheses which have failed. Which is useless and destructive. (At best, I saw the Huawei router case. Probably was backdoored by China. Had nothing to do with an elaborate surveillance system.)

None of this probably matters to him, how much time left does he have? Ten years? Twenty? And then "someone else's problem". There is no shared stock option for nations, no vested interest in the future.

Clive Robinson • March 21, 2015 3:29 PM

What can I say about David Omand... my parents used to tell me if you have nothing good to say about someone then perhaps it is best not to say anything...

So a few salient pieces of information instead,

The simple fact is he in effect belongs in the Thatcher, where the UK Gov handed over king's ransoms to the favoured ICs and the workers in GCHQ were oppressed and had many of their basic hard won workers' rights taken away on a mere whim.

He has shown distinct political bias and for the IC this has supposedly been a "NoNo" since Harold Wilson PM brought in legislation to stop certain kinds of "unimpartial behaviour" by the UK security forces.

Unfortunately this "political cozying up" has become more and more obvious, especially since the Iraq "Dodgy Dossier" that was a pure invention by certain people in or around the Cabinet Office at the time. They formed an unhealthy clique, the consequences of which the world is still suffering through the likes of IS. Unfortunately these people were in many cases rewarded for their lamentable behaviour, one of whom went on to become the head of the SiS/MI6....

This paper is thoroughly unprofessional and shows a form of prose that you could at best describe as "Inventive imagining" starting from confirmation bias, through politically biased, on to outright cronyism and beyond.

From the start it has easily verifiable errors, the first of which is the starting of SigInt, it was in the trenches of WWI a hundred years ago not WWII as he gives (something he really should be aware of...).

Further he maintains the "collection" fiction of the NSA and thus gives a very very inaccurate report on the numbers for surveillance.

He also forgets to mention that even under this very very twisted meaning of collection, the resulting data stores are in effect a "time machine" which enables analysts to go back in time as many times as they wish not just now but into the distant future to put as many people as they wish effectively under surveillance. So those figures even under the methodology used will only get considerably worse with time...

I could go on but I think you have got the picture... so as they say in teaching books "I'll leave that as an exercise for the reader".

vas pup • March 23, 2015 4:10 PM

@65535: "As Clive has pointed out, the UK doesn’t have a constitution as USA citizens know it". I just want to add that this year we are going to celebrate 800 years of Magna Carta (Britain) which affected Founding Fathers and many other constitutions substantially, e.g. habeas corpus, and I agree that for several centuries there were deviations from its provisions. My point is that even when you do have a written Constitution, as in most countries, there is a huge difference between the written constitution and implementation of its provisions in daily life, i.e. the real constitution - just an observation.

DB • March 23, 2015 11:33 PM

@anonymous

Technically there's no need to declare war on anyone. Worldwide governments have already declared war on their general populations... So no need to "declare" it back, we just need to do something other than bleating and mooing.

@65535:

"lawful and respectful of internationally accepted human rights"

You're just not properly parsing the word games here. You just get two dictators from any two different countries to pass whatever "laws" they want, and you can make literally anything both "perfectly legal" and "internationally accepted"! THIS is literally what Omand is saying should be done, and from his actions it's obviously the way in which he really means it too.

@vas pup

Thanks for the reminder. We should not be making our Constitutions and Magna Cartas into toilet paper by our actions... or inactions.

vas pup • March 24, 2015 9:46 AM

Those are some extracts that caught my attention:

"the world of secret intelligence need not be ethics-free any more than the world of warfare and nations can agree voluntarily to abide by standards widely accepted as representing responsible state behaviour."
Looks like something like international convention on intel activity as currently exists on warfare should be developed and signed.

"Everyday Internet use is also the level at which data protection legislation, both national and international (for example, the new draft European Union Data Protection Regulation and Directive), kicks in to protect citizens’ personal data from unlawful use. Such data protection is based on identifying and protecting personal data by insisting on the consent of the subject. Under the latest proposals, the subject would be given the “right to be forgotten” and thus the legal power to compel the deletion of personal data."
Good point, Europeans! Control and consent are intertwined.

"The process for requests under Mutual Legal Assistance Treaties may not be the most appropriate mechanism for international cooperation required in the cyber age."
Yeah, new technology required new legal paradigm.

"But most of the time, law enforcement is seeking evidence after the crime has been committed that can be deployed as part of an open judicial process and whose legitimate derivation and meaning can be proved beyond reasonable doubt. Intelligence work is often described as probabilistic, as a jigsaw puzzle and as incomplete, fragmentary and sometimes wrong. Digital intelligence can often generate leads for follow-up by conventional law enforcement methods designed to gather specific evidence, such as visual surveillance or the search of a premises."
That is clear: intel data (as a rule) should not be used as evidence for prosecution, but as a lead for specific evidence collection (aka 'parallel construction').

"The effectiveness of secret intelligence rests on sources and methods that must remain hidden, otherwise the targets know how to avoid detection. Oversight of intelligence activity cannot, therefore, be fully transparent and has to be by proxy: by senior judges and a limited number of parliamentarians who can, on society’s behalf, be trusted to enter the “ring of secrecy” and give confidence that legal and ethical standards are being maintained."
Three could keep the secret when two are dead (Ben Franklin).

"Intelligence agencies also have the task of providing strategic warning of new threats not yet on policy makers’ radar, and leeway has to be allowed in authorizing intelligence collection operations accordingly."
And policy makers should have brain power to digest such intel on new threats.

"Investigative activity should be regulated by black letter law — there should not be secret law unavailable to the citizen."
Wow! Wishful thinking. Are President Directives within the scope of such statement when affected directly human rights (including life and liberty)?

Wesley Parish • March 26, 2015 3:01 AM

My favorite Omand quote is this, defending the close partnership between the NSA and GCHQ in 2013: "We have the brains. They have the money. It's a collaboration that's worked very well."

This bugged me for a time, until I tracked it down:

I've got the brains
You've got the looks
Let's make lots of money
You've got the brawn
I've got the brains
Let's make lots of money

Pet Shop Boys, who else!?!?
