Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

12/3/2013
11:06 AM
Jim Reavis
Jim Reavis
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Weighing Costs Vs. Benefits Of NSA Surveillance

What the tech industry needs the NSA to know about aligning a national security agenda with the realities of a global Internet.

I hope for the readers this isn't a YAPA -- Yet Another Prism Article. In my role leading a global research organization devoted to solving tough information security problems, I have engaged in a lot of conversations with a wide variety of people about the drip-drip of National Security Agency (NSA) surveillance disclosures. From governments, cloud providers, and technologists, to customers and privacy advocates in North America, Europe, and Asia, there are no shortage of opinions. Here are a few I’d like to share:

Surveillance -- just (everybody) do it. While the NSA is one of the biggest and most effective surveillance entities, they aren’t alone. Every country is spying on its enemies, its allies, and its own people. The degrees are different, the sophistication will vary, but the principles (or lack thereof) are the same.

NSA -- your intel outsourcer. There has certainly been outrage in many countries over the actions of the NSA, and some concerns over the propriety of using US cloud providers, forced by the government, to turn over private customer information directly to the NSA. While some of the criticism has been quite vociferous, a lot of it has been surprisingly muted. Why? Well it turns out that many of the NSA requests for customer information from US tech companies are actually made on behalf of an allied country. We are one disclosure away from any number of countries being embarrassed by their collaboration with the NSA, which makes me very curious about the going rate for outsourced security agency services.

Metadata is still data. One of my pet peeves early on in the revelations was the argument that collecting phone records of innocent parties is acceptable because we aren’t actually listening in on the conversation. The phone records themselves are actually more important that the conversations.

Metadata -- data about the data -- is information that must be carefully protected. Think about email: you can encrypt the conversation, but if someone were to look at your email log files and your email headers they know everyone with whom you converse and they can even geolocate you at the point of those conversations. You can paint a startlingly accurate picture of a person just by knowing who they talk to and how often.

We are not ready for a risk-based discussion about preventing terrorist attacks. A conversation I have tried to start with colleagues in DC relates to the practicalities around stopping all terrorist attacks. I will often ask if it is possible to put risk-based boundaries around the anti-terror investment and other societal compromises necessary to conduct this all-out war. For the right to drive an automobile, for example, we, as a society, are willing to tolerate a tremendous amount of death and destruction. I am not winning many converts to this philosophy.

The counter argument is that terrorist acts truly inspire terror. They create fear that debilitates an entire country, even if it is physically a small attack. Worse, perhaps that next attack is going to be bigger than anything we have ever seen. No one in Washington wants to be steering the ship when the next 9/11 happens and have it be shown that they did not do absolutely everything they could have done to prevent it.

Is encryption broken? Most troubling to me out of this saga so far is the news that the NSA may have co-opted the standards development process to assure that weak encryption was widely used, simplifying the data collection activities. This is like the farmer poisoning his pond to kill the coyote that might be lurking in the midst of the livestock; there is a lot of collateral damage to be worried about.

Yet, it appears that this problem can be remediated. In some cases it is a matter of configuration to ensure that weak random number generators are not used. In other cases we may need to go back and vet some encryption systems. It is one thing for the NSA to collect information and ask us to trust them to be honorable stewards. It is quite another to weaken an Internet data and privacy protection technology that any actor outside of the NSA could exploit.

The tech industry must be more transparent. I hesitate to draw strident conclusions knowing that the next leak might be announced tomorrow. I hope that governments will attempt some degree of review. I believe that the tech community has been catalyzed to build new and better security technology that will protect information from all comers.

To that end, our industry needs to be more aggressive in challenging FISA court orders for customer data. A key theme that I plan to evangelize is not new: transparency. The public trust in cloud computing and other public-facing Internet services depends upon our industry's ability to be transparent about security practices in the most holistic way possible.

Is anyone listening? Let's chat about where you agree and disagree in the comments.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
anon3070614879
50%
50%
anon3070614879,
User Rank: Apprentice
12/4/2013 | 5:53:39 PM
Re: Numbers
I like the analogy of the automobile.  Americans accept that risk.  However, the NSA and its defenders don't spend a lot of time terrorizing us with the high number of car accidents.  They do cry 9/11 regularly.  Americans have to get their fear under control before they make a decision about what kind of surveillance they are willing to put up with.

 

Canada did not experience a 9/11-style terror attack, but for this Canadian, the current surveillance disclosures are terrifying.  I am an enthusiastic online shopper and I bank online.  That secret government agents have the ability to hack my financial information leaves me scrambling to come up with ways I might protect that information.  I can't do that.  Only legislation can protect me.

 

I am happy to see that the UN is at least eager to investigate the global surveillance scandal.  It's through the UN that we made an international law that makes war a crime.  Why can't we make unwarranted spying an international crime, subject to sanctions.  It's not gonna stop a state like the US, which makes war whenever it pleases and will continue spying, but if enough countries get angry enough, we can at least target America's reputation.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
12/3/2013 | 4:41:17 PM
Re: Numbers -- terrorists have not won!
No, the terrorists have not won. And yes, we -- as individuals and as part of the tech industry -- have to be vigilant to make sure that our government doesn't overreach.  Where that line is? I'm not sure. But I'm encouraged by the passionate discourse about the risk/versus rewards of the NSA programs, which I might add, are being conducted here, in a very public forum!
anon2122209927
50%
50%
anon2122209927,
User Rank: Apprentice
12/3/2013 | 3:22:18 PM
Re: Numbers
i couldnt agree more. Last week I attneded my granddaughters Turkey trot at her middle school. When I got there, I had to sign in AND leav my drivers license with them, just to get on the play ground to watch them run. Then, when they did run, they ran around the playground outside the fence to the front of the school, returning to the playground. What was the point of leaving the id? All terrorists have won.... and we are now all slaves to survallence and being spyed on.
RobPreston
50%
50%
RobPreston,
User Rank: Apprentice
12/3/2013 | 1:44:03 PM
Re: Numbers
Of course, we already make some risk tradeoffs when it comes to terrorism. We're not shutting our airports and closing our borders. The question is where the line is.

And the "numbers" don't reflect intent. It's one thing for automobiles to cause many thousands of deaths, but those deaths (for the most part) aren't intentional. Terrorism is intentional. And if we allow a certain amount of it as part of a risk-based calculation, expect to get even more of it. 
moarsauce123
50%
50%
moarsauce123,
User Rank: Ninja
12/3/2013 | 1:18:18 PM
Numbers
Be very frank here, how many deaths to guns and booze every year? 9/11's multiple times over. Cost to our economy running around scared? TRILLIONS. Terrorists already won.

 

We've imploded.

 

Remove emotion, it's all about the numbers.

 

Carry on.
Stop Defending Everything
Kevin Kurzawa, Senior Information Security Auditor,  2/12/2020
Small Business Security: 5 Tips on How and Where to Start
Mike Puglia, Chief Strategy Officer at Kaseya,  2/13/2020
Architectural Analysis IDs 78 Specific Risks in Machine-Learning Systems
Jai Vijayan, Contributing Writer,  2/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19325
PUBLISHED: 2020-02-17
SilverStripe through 4.4.x before 4.4.5 and 4.5.x before 4.5.2 allows Reflected XSS on the login form and custom forms. Silverstripe Forms allow malicious HTML or JavaScript to be inserted through non-scalar FormField attributes, which allows performing XSS (Cross-Site Scripting) on some forms built...
CVE-2020-1693
PUBLISHED: 2020-02-17
A flaw was found in Spacewalk up to version 2.9 where it was vulnerable to XML internal entity attacks via the /rpc/api endpoint. An unauthenticated remote attacker could use this flaw to retrieve the content of certain files and trigger a denial of service, or in certain circumstances, execute arbi...
CVE-2020-1828
PUBLISHED: 2020-02-17
Huawei NIP6800 versions V500R001C30, V500R001C60SPC500, and V500R005C00; and Secospace USG6600 and USG9500 versions V500R001C30SPC200, V500R001C30SPC600, V500R001C60SPC500, and V500R005C00 have an input validation vulnerability where the IPSec module does not validate a field in a specific message. ...
CVE-2020-1857
PUBLISHED: 2020-02-17
Huawei NIP6800 versions V500R001C30, V500R001C60SPC500, and V500R005C00SPC100; and Secospace USG6600 and USG9500 versions V500R001C30SPC200, V500R001C30SPC600, V500R001C60SPC500, and V500R005C00SPC100 have an information leakage vulnerability. Due to improper processing of some data, a local authent...
CVE-2020-1858
PUBLISHED: 2020-02-17
Huawei products NIP6800 versions V500R001C30, V500R001C60SPC500, and V500R005C00SPC100; Secospace USG6600 versions V500R001C30SPC600, V500R001C60SPC500, and V500R005C00SPC100; and USG9500 versions V500R001C30SPC600, V500R001C60SPC500, and V500R005C00SPC100 have a denial of service vulnerability. Att...