Intelligence community must get its own house in order

If governments want private-sector cooperation for their lawful investigations, they should first examine their own operations, goals and assumptions.

Earlier this month, Robert Hannigan, the director of GCHQ, a British intelligence agency, wrote an opinion piece in the Financial Times castigating tech companies for being "in denial" about abuses of their platforms by criminals and terrorists and calling on them to develop better arrangements for facilitating lawful government investigations. While there is certainly much room for improved cooperation between government and the private sector, the first step for reform should be for intelligence agencies like GCHQ to take a hard look in the mirror.

Hannigan's arguments contain three fallacies.

First, he fails to grasp that by engaging in mass surveillance, the intelligence community has shattered the trust the public has in both technology companies and government itself, and at the same time seriously damaged the ability of firms to sell their products to foreign customers. Because of this distrust, technology companies are justifiably reluctant to work closely with the government, even when doing so would be in everyone's interest. For example, intelligence agencies like the National Security Agency (NSA) have some of the world's foremost cryptographers and security experts on their payrolls and should be offering technical assistance to tech companies, but doing so in today's environment would likely drive away customers. Until the government reforms its own behavior, it should not expect the private sector to be a willing partner in efforts to expand its reach.

Second, the GCHQ director falsely suggests that the tech industry is morally agnostic when he writes that these companies "aspire to be neutral conduits of data and to sit outside or above politics." On the contrary, most tech companies have always aimed to operate according to a set of ethical principles, while also recognizing that their global presence means they must comply with competing national laws. For example, the microblogging service Twitter explicitly bans a number of actions on its platform, including impersonating others, making threats and infringing on copyrights, while also abiding by country-specific restrictions such as banning anti-Semitic tweets in France.

Third, Hannigan blurs the line between voluntary data collection by the private sector and covert, mass surveillance by the intelligence community. He conflates these two by saying, "[GCHQ needs to] show how we are accountable for the data we use to protect people, just as the private sector is increasingly under pressure to show how it filters and sells its customers' data." Hannigan fails to appreciate the distinction between the private sector and government: Google does not arrest users based on their search queries; Facebook does not imprison dissidents for their status updates. Perhaps most importantly, there is no "opt-out" button for government surveillance.

While all stakeholders in the Internet ecosystem should be working to promote safety and lawfulness online, the intelligence community should recognize that natural improvements in security will inevitably mean that traditional communication networks will "go dark." Rather than demand that tech companies roll back security features to create hacker-friendly products and services, intelligence agencies like the NSA and GCHQ should find practical alternatives, such as analysis of other data sources, to solve and prevent crimes.

Moreover, law enforcement and intelligence agencies in both the United States and the United Kingdom should prioritize rebuilding the trust of the private sector by admitting to and curtailing the spying practices that exceed public expectations and laws, as well as committing themselves to real reform. . For example, in the United States, it is time for the president and Congress to make clear that the policy of the U.S. government is to improve online security, not weaken it, such as by notifying companies of vulnerabilities it has discovered in this process, as well as adopt the recommendations offered by the President's Review Group on Intelligence and Communications Technologies. As the White House has noted in the past, "Trust is essential to maintaining the social and economic benefits that networked technologies bring to the United States and the rest of the world." It is imperative that policymakers around the world work to repair this trust. The root problems associated with mass, covert surveillance by the intelligence community -- which generated the mistrust in the first place -- have to be resolved. Then, and only then, will a meaningful dialogue begin with the tech industry.

Daniel Castrois a senior analyst with the Information Technology and Innovation Foundation (ITIF).Alan McQuinn is a research assistant with ITIF.

Join the CSO newsletter!

Error: Please check your email address.

Tags National Security Agencysecuritynsadata privacybecafinancial timesprivacyGCHQ

More about FacebookGCHQGoogleNational Security AgencyNSATechnology

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Daniel Castro and Alan McQuinn

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts