Officials Upset Tech Companies Reluctant To Play Along With Administration's 'Information Sharing' Charade

Overhype

from the fooling-no-one dept

Fri, Mar 13th 2015 12:45pm — Tim Cushing

The government's on-again, off-again love affair with everything cyber is back on again. The CIA has just shifted its focus, abandoning its position as the free world's foremost franchiser of clandestine torture sites and rebranding as the agency of choice for all things cyberwar-related.

For years, legislators have been attempting to grant themselves permission to strong-arm tech companies into handing over all sorts of information to the government under the guise of cybersecurity. CISPA, CISA, etc. The acronyms come and go, but the focus is the same: information sharing.

Of course, the promise of equitable sharing remains pure bullshit. Tech companies know this and have been understandably resistant to the government's advances. There are few, if any positives, to these proposed "agreements." The government gets what it wants -- lots and lots of data -- and the companies get little more than red tape, additional restrictions and fleeing customers.

The government has recently been playing up the narrative that unreasonable tech companies are standing in the way of the nation's super-secure future.

U.S. government officials say privately they are frustrated that Silicon Valley technology firms are not obtaining U.S. security clearances for enough of their top executives, according to interviews with officials and executives in Washington and California. Those clearances would allow the government to talk freely with executives in a timely manner about intelligence they receive, hopefully helping to thwart the spread of a hack, or other security issues.

The lack of cooperation from Silicon Valley, Washington officials complain, injects friction into a process that everyone agrees is central to the fight to protect critical U.S. cyberinfrastructure: Real-time threat information sharing between government and the private sector.

Before dealing with the questionable promise of "real-time threat information sharing," let's deal with the supposedly minor requirement of security clearances. It's not as if this won't impose undue burdens on tech company leaders, especially when they already have a pretty good idea this stipulation will be a major hassle followed by continued opacity from a government that's 90% lip service and 10% outright lying. Tech execs are being asked to make all the effort and hope against hope there will actually be some benefits.

"I believe that this is more about the overclassification of information and the relatively low value that government cyberintel has for tech firms," said one Silicon Valley executive. "Clearances are a pain to get, despite what government people think. Filling out the paper work … is a nightmare, and the investigation takes a ridiculous amount of time."

[...]

"I think tech companies are doing a return-on-investment analysis and don't think the government intel is worth the cost or effort," said the Silicon Valley executive. "This is why government threat signature sharing initiatives are such a nothing-burger: The signatures are of limited value and only a few select companies with clearances can actually use them."

The clearance process can easily take over a year. The application runs 127 pages and asks a mixture of questions ranging from highly-intrusive to facially-ridiculous.

[This question seems to disqualify nearly every law enforcement officer in the United States.]

And that's just the start of the process. The rest of the vetting process takes several months, and there's no guarantee the executives the government wants to obtain clearance will actually be cleared to discuss classified information.

And even if these clearances are obtained, the benefits are unproven and suspected to be minimal. On the other hand, the downsides are enormous. As Marcy Wheeler points out, clearances may open up discussion channels with law enforcement and intelligence agencies, but they also create additional restrictions for those carrying these privileges -- the breach of which can result in severe consequences. In light of the inequitable "sharing" envisioned by many tech companies, the hassle just isn't worth it.

Because it’s not just that the security clearance application that is unwieldy. It’s that clearance comes with a gag order about certain issues, backed by the threat of prison...

Why would anyone sign up for that if the tech companies have more that the government wants than the government has that the tech companies need?

On top of this, there's the bottom line to consider. The information that may or may not flow back to tech companies won't do much to offset the perception that company executives are willingly buddying up with the US intelligence community. In the post-Snowden world, this could mean the loss of customers, future contracts and sensitive foreign markets.

The government has yet to offer anything Silicon Valley wants in exchange for additional burdens, greater secrecy and increased demands for customer data. The government is better at taking than it is at giving, and no amount of cyberterrorism hand-wringing is going to change that reality.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: cybersecurity, information sharing, security clearance, silicon valley, tech industry, washington dc

25 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Anon, 13 Mar 2015 @ 12:57pm

Information Sharing?
What would the government have, that's classified, that would be of any use to a company whose mission is to take information or technology and sell it widely? Except maybe illegally gotten industrial espionage from foreign competitors...

For a phone or computer company... If a fancy new screen technology or battery or encryption technique is so new it's classified (a) what are the odds the government would own this information and (b) what are the odds the company could include classified technology in consumer products?
[ link to this | view in chronology ]
Anonymous Coward, 13 Mar 2015 @ 12:59pm

Tell the government of a major security hole before it is fixed, and they will use it to get into the companies system, if they have not got in already.
[ link to this | view in chronology ]
Anonymous Coward, 13 Mar 2015 @ 1:01pm

If the cost of doing business with the US gov is you cannot try to take away the rights garanteed by the US constitution... good. Seriously, there are a lot of them.
[ link to this | view in chronology ]
Rich Kulawiec, 13 Mar 2015 @ 1:03pm

Security clearances are bullshit
I could use this space to discuss the very high correlation between people holding security clearances and people caught conducting espionage, but let me skip that and instead point to an object lesson: David Petraeus.

Here's someone who held all kinds of security clearances, including whatever ultra top double-secret useless nonsense that four-star generals and CIA directors hold.

Here's someone who was vetted for those clearances via every form of investigation known to the USG.

Here's someone who handed over classified documents because he wanted to get laid.

And yet the USG still has a massive bureaucracy (some of which has been outsourced to contractors with security problems of their own) devoted to this farsical charade.

There is zero reason for anybody in the tech world to submit themselves to this stupidity. It's not like the CIA and the NSA are going to share their knowledge: this is going to be a one-way pipeline into the USG and every scrap of knowledge it acquires will be used to make the world less secure, not more, because the USG has made it quite clear that it doesn't give a damn about anybody's security except its own.
[ link to this | view in chronology ]
Anonymous Coward, 13 Mar 2015 @ 1:04pm

Wrong word
Sharing is not the correct word here. Sharing is when you freely give something that you have to someone else. The companies are not sharing information with the government. The government is demanding it and expecting them to give it but pretending that this isn't happening because the executives are not applying for clearance so that information can flow the opposite way. Riiight! Forget the red tape it takes to get the clearance. How about the fact that precious little info that would be of any value that they don't already know anyway would likely flow in the opposite direction coupled with a requirement to provide information flowing in the opposite direction and a whole series of NDAs to ensure that what's really happening doesn't ever get reported in exchange for a shiny clearance status to make you feel important as being the natural reason they don't have many takers. These people are successful because they know how to negotiate deals and know the difference between a good one and a bad one. Who the hell do they think they are trying to fool here?
[ link to this | view in chronology ]
- Roger Strong (profile), 13 Mar 2015 @ 1:48pm
  
  Re: Wrong word
  > Sharing is not the correct word here.
  
  Given the government's spying, torture, and high court / low court habits, I think the word you're looking for is "collaboration."
  [ link to this | view in chronology ]
  - Anonymous Coward, 13 Mar 2015 @ 5:40pm
    
    Re: Re: Wrong word
    I guess my point could be summed up with a simple analogy. Consensual sex where consent is gained through coercion is not consent. In the same way, this is not sharing.
    
    (And yes it is accurate to say that tech companies are refusing to be figuratively raped here.)
    [ link to this | view in chronology ]
Anonymous Coward, 13 Mar 2015 @ 1:26pm

A way to shut someone up
Because it’s not just that the security clearance application that is unwieldy. It’s that clearance comes with a gag order about certain issues, backed by the threat of prison...

This is a huge reason to not get one. With how things are over-classified, a clearance holder will have less ability to speak about what's common knowledge than the public. In many cases a clearance holder is more in the dark than the public. I can download embassy cables from wiki-leaks to my home computer, but I don't think a someone with security clearance is free to do so.

It's a major flaw in our system. I've sometimes thought that it'd be awesome to have an Ed Felten or Bruce Schneier in charge of the NSA. But then I remember that they'd no longer be able to talk to us and I quickly change my mind.
[ link to this | view in chronology ]
- yankinwaoz (profile), 13 Mar 2015 @ 1:36pm
  
  Re: A way to shut someone up
  Exactly right.
  
  Recall the insane situation where NSA employees are not allowed to view the information that Edward Snowden leaked. If any NSA computer touches such information, it has to be destroyed. Yet Joe Public is free to read it all he wants.
  
  This is because the security clearance permission of the NSA employees constrains what they are able to consume.
  [ link to this | view in chronology ]
Anonymous Coward, 13 Mar 2015 @ 1:42pm

getting a clearance
The filling out of the application takes some time especially if you have moved a lot but it could be done in a few days.

The other problem is the cost of doing it. You are talking a few thousand to do the initial and then you have to renew the clearance every 5 yrs for Top Secret and every 10 yrs for Secret. Each time you renew you have to pay a few more thousand dollars.

Depending on what is found in your background you may have to talk with FBI agents or have people that know you talk to agents. For some people the investigation can be done in 4-6 months for others a year or more.

And yes after you have the clearance you are now required to safeguard any information you have and this makes you more tight lipped. Also if you access any classified documents outside of a classified environment on approved computer systems you could lose your clearance and/or go to jail depending on what is involved. (unless of course you are high on the government food chain... Petraeus anyone?)
[ link to this | view in chronology ]
- Nilt (profile), 13 Mar 2015 @ 2:47pm
  
  Re: getting a clearance
  The filling out of the application takes some time especially if you have moved a lot but it could be done in a few days.
  
  The forms are basically a day by day breakdown of you life for a number of years. For an executive, especially, this is a royal pain to get together.
  
  Depending on what is found in your background you may have to talk with FBI agents or have people that know you talk to agents. For some people the investigation can be done in 4-6 months for others a year or more.
  
  More like FBI agents WILL talk to everyone you know and often everyone they know as well. This usually comes as a bit of a shock and can be quite scary for those interviewed, at first. Last time mine was up for renewal, I had to explain to my girlfriend's grandmother why several government agents would be coming by to speak with her. That was a little weird, I assure you.
  
  That's all aside from the issues surrounding over-classification.
  [ link to this | view in chronology ]
  - Anonymous Coward, 13 Mar 2015 @ 4:18pm
    
    Re: Re: getting a clearance
    In my case the agents didn't talk to anyone. Even though I have family in Canada and in the form I listed that I had been living in Chile for 2 years. Course I'm up for renewal soon too so that may change but for my initial there was no problems filling it out or getting it.
    
    Guess my life is too much of an open book, or I haven't done anything interesting enough to warrant suspicion, how boring. :(
    [ link to this | view in chronology ]
  - John Fenderson (profile), 16 Mar 2015 @ 8:28am
    
    Re: Re: getting a clearance
    "The forms are basically a day by day breakdown of you life for a number of years. For an executive, especially, this is a royal pain to get together."
    
    I think it would literally be impossible for me to come up with such a breakdown.
    [ link to this | view in chronology ]
Whoever, 13 Mar 2015 @ 1:46pm

What's the lesson here?
Perhaps if the tech companies *required* all employees to give up their clearances, things would actually be better for the companies involved.
[ link to this | view in chronology ]
Anonymous Coward, 13 Mar 2015 @ 1:56pm

NSA/CIA/FBI/... What's mine is mine, and
what's yours is mine, too.
[ link to this | view in chronology ]
- Roger Strong (profile), 13 Mar 2015 @ 2:51pm
  
  Re: NSA/CIA/FBI/... What's mine is mine, and
  "Mary had a crypto key, she kept it in escrow,
  and everything that Mary said, the Feds were sure to know."
  - Sam Simpson
  [ link to this | view in chronology ]
tommygilley (profile), 13 Mar 2015 @ 7:40pm

Security Clearances
I've never been through the clearance process, but I wonder if the process could leave the executives open to coercion due to extralegal or experimental behavior coming out of it.
[ link to this | view in chronology ]
Anonymous Coward, 13 Mar 2015 @ 8:40pm

I found this story to be very informative. Why would IT companies go through the hassle of seeking government security clearance with the threat of prison and fleeing customers hanging over their heads.

What can the government honestly offer these companies in the way of security protection. Outdated antivirus and intrusion detection signatures? Big whoop.
[ link to this | view in chronology ]
Coyne Tibbets (profile), 14 Mar 2015 @ 1:02am

It's a qualifying question
"This question ('Have you EVER been a member of an organization that advocates or practices commission of acts of force or violence to discourage others from exercising their rights under the U.S. Constitution or any state of the United states with the specific intent to further such action?') seems to disqualify nearly every law enforcement officer in the United States."

This is a qualifying question, not a disqualifying question. If you check "yes", it proves your're a LEO, so you're automatically qualified.
[ link to this | view in chronology ]
- GEMont (profile), 15 Mar 2015 @ 7:40pm
  
  Re: It's a qualifying question
  Beautifully stated.
  
  And methinks, absolutely correct.
  
  ---
  [ link to this | view in chronology ]
Dan G Difino, 14 Mar 2015 @ 10:49am

America's Freedom Is Dying
One of the biggest threats to America is from those hired by the US Government, not those hired by the private sector. Its no secret that the government is winning that challenge if higher scores mean winning when America's Freedom is all but dead. Insurance fraud committed by insurance companies to defrock millions of their health care coverage, policies are wiped away as the government lies to millions of people paving the way as Corporations steal from people daily as it is now the absolute must of business models to make obscene profits. Deals that affect billions of lives being made secretly behind closed doors. Fiasco false flag operations to deceive the populations around the world. Long gone seems to be the days when the American public could rely on its leaders to make the right decisions that enabled Americans to rise up and to be great in the eyes of the world. WTF America?
[ link to this | view in chronology ]
- Anonymous Coward, 14 Mar 2015 @ 11:13am
  
  Re: America's Freedom Is Dying
  As my father an engineer, a bright mind in his day having designed wheels and brake systems for DC9 aircraft neared the end of his life, his health failing and his reasons for living gone, had been fighting with my brother who for years sheltered himself drinking at my parents' house. In not knowing, himself, what would become of his own life, my brother decided to burn my father's house down out of spite and to procure a new shelter over his head, prison's three square. My father, long in anguish over this selfish and deliberate act, finally tilted his head and died. My brother got ten years for that crime.
  
  That is in the same way a metaphor to me for what is happening to America. And I can stop this either. It breaks my heart.
  [ link to this | view in chronology ]
Yes I know I'm commenting anonymously, 15 Mar 2015 @ 12:38am

Sharing?
I object to the term `information sharing'. Sharing implies reciprocity, which is not the government's objective here. (Remember the `sharing' of nuclear info that the British got tricked into in the forties?)

Oh, and on question 29.5 of the application: Does being a citizen of a country has won a civil war count?
[ link to this | view in chronology ]
GEMont (profile), 15 Mar 2015 @ 7:37pm

Sleight of Hand
Reality check.

The Feds are already getting all the data they want from the tech industries - they're stealing it thru various hardware intrusions and software exploits and through their own fifth column employee spies on site.

That's why they're not offering anything in return for the access to the tech companies' data - they're already stealing it all, just like they do to US financial institutions.

They just do this half-assed "lets make a deal" public display thing to keep the victims from realizing they're already being screwed over for every byte of data that passes through their systems daily, and to make the general public think they are being Good Guys for asking.

Its just smoke and mirrors. As usual.

---
[ link to this | view in chronology ]
John Fenderson (profile), 16 Mar 2015 @ 8:25am

Everyone?
a process that everyone agrees is central to the fight to protect critical U.S. cyberinfrastructure

I don't think everyone agrees about this. I certainly disagree. The parts that actually are critical to protect infrastructure are the exact parts that nobody has any interest in doing: stop connecting critical stuff to the internet.
[ link to this | view in chronology ]