RSA chief blasts European privacy laws, telling TechWeekEurope they favour criminals
As Europe puts together more stringent privacy laws, chairman of security giant RSA, Art Coviello, believes the current legislation is already too strict. He thinks it’s the cyber crooks who are benefitting, not citizens and their civil liberties.
Coviello is one of many big voices in the US, including the federal government and Facebook, who are against many of the proposals on the table in Brussels. The European Commission plans to increase the amount member states can fine companies shown to have been guilty of poor practice, and it wants to hand more power back to the user when it comes to their data. Corporate lobbyists and privacy advocates are now doing battle in Europe, the former desperate to water down the regulation, the latter pleading for it to remain untouched.
Meanwhile, the EU is attempting to write up cyber security laws, as is the US. It is Coviello’s belief that security legislation should specify where privacy should be overruled by the need to protect nations, their businesses and their citizens.
Privacy laws help the crooks?
TechWeekEurope caught up with Coviello at the close of RSA 2013 in San Francisco, and he was in an ebullient, feisty mood, with critical words for global governments and industry companies, specifically those in the “offensive security” space. He even revealed how RSA might be expanding its operations in the coming months and years, outside of its Big Data-led strategy.
You’re heading to the UK in April to talk about security issues. Do you think countries need specific legislation on Internet security, as the US Congress has been urged to push through and as the EU is drawing up?
All countries have laws – you need national legislation to address the idiosyncrasies of the existing laws. We don’t have privacy laws as stringent as in the EU, so we don’t need to fix privacy laws the way you guys do and I do mean you need to fix them.
In the US we have trust issues, we have legal liability issues. When it comes to information sharing, we need to fix those laws to facilitate information sharing.
We also have a situation where companies either don’t understand the threat or for whatever reason don’t want to respond to the threat, like those in critical infrastructure. So it’s the government’s right and, quite frankly, obligation to take action here.
Government even needs to fix itself. We have a big requirement for Federal Information Security Management Act (FISMA) reform. Right now it focuses almost entirely on checklist compliance stuff, as opposed to actually doing stuff, so one of the elements of the bills around the reform is continuous monitoring.
I mentioned the EU privacy laws because I’ve literally had CIOs of companies in Europe say to me, “Art, I have personally identifiable information that needs to be protected, and if I don’t protect it and it gets stolen, I’m subject to severe fines and penalties. But if I implement the tools necessary to protect that information, I run the risk of tripping over – and perhaps will trip over one of my worker’s privacy laws, so I’m screwed, I can’t win”.
The second thing is, we have to think about the unintended consequences of these privacy laws. Do they make it easier for criminals and others to run roughshod over people’s privacy? Because we are so fearful of government, which ought to be benign, or industry, which ought to be benign, we allow the criminals to take unfair advantage of these privacy laws and violate our privacy.
Doesn’t it make more sense to allow what should be benign entities do the right things to protect people’s privacy from criminals and regulate them in a visible fashion?
You can see what the EU is trying to do though – they’re trying to protect civil liberties and perhaps sacrificing a bit of security, aren’t they?
But they’re not protecting civil liberties damn it, if they allow criminals and others to trample those very same civil liberties.
I don’t want police searching my home without a warrant. But I don’t want a criminal coming into my home and stealing stuff. I don’t want a police state, but I don’t want a criminal being able to shoot me because I’m worried about my individual liberties.
It’s not that we shouldn’t be fundamentally sceptical of our governments, but our governments are responsible to us. They should do what we tell them to do.
Freedom of choice?
Should it not largely be around giving citizens a choice, letting them opt-in rather than being told what to do?
What I’m suggesting is that we ought to be able to have a meaningful dialogue with people on both sides. I need to be better educated on the concerns of privacy. But you know what? The privacy people should see what I see, because it would scare the heck out of them.
You say our privacy laws are broken, can you provide an example of how they would give advantage to the crooks?
Most of the time it’s where they contradict one another. That’s what bothers me.
And that’s where we need the cyber security laws to clear up those contradictions?
Yes. And then we have to have nation states cooperating.
One of the biggest threats, according to the US, is China. Do you worry about China?
I take a lot of that stuff at face value. Because I’m in the defence business, because these attacks are so hard to trace, I tend to worry about everything.
I worry more about the form of the attack and how to defend against it. As for who the attacker is, I leave that up to our governments.
Offended by offensive security?
But with ‘offensive security’, the job of attribution is moving over to the private sector. Look at CrowdStrike and what they’re doing. I spoke to RSA CISO Eddie Schwartz yesterday and he said there were internal discussions about the potential of offensive security. Is it something that interests you?
I am for doing everything within legal means to defend my customers. But when I hear the rhetoric from those guys [CrowdStrike et al], I think they have had an overdose of testosterone or something.
We can’t have a vigilante society and it’s great they make headlines, and I don’t know what they’ll make of their business. But there are rules of law that we have to obey around doing counter strikes on others.
You’ve talked about the DDoS attacks on US banks, which caused outages on their front-facing websites. Is DDoS protection something RSA would be interested in investing in?
Yes, we’re looking at the space, but anything we look at needs to be in the context of our existing strategy and right now it’s a little bit far afield.
When we started thinking about it, someone actually quipped that it’s like selling flood insurance in New Orleans… and with these encrypted DDoS attacks, things are getting harder and harder.
I don’t necessarily have agreement with my own colleagues at RSA, but I think we’ve got tremendous Big Data capabilities and to me, in the product business, it behooves us to have the best intelligence products we can have.
But I have to look at it on a case-by-case basis. That will be the direction in which we’ll go.
I’m in favour of as much open intelligence sharing as possible, but within limits, at least until we get things figured out.