Cloud
12/3/2013
11:06 AM
Jim Reavis
Jim Reavis
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Weighing Costs Vs. Benefits Of NSA Surveillance

What the tech industry needs the NSA to know about aligning a national security agenda with the realities of a global Internet.

I hope for the readers this isn't a YAPA -- Yet Another Prism Article. In my role leading a global research organization devoted to solving tough information security problems, I have engaged in a lot of conversations with a wide variety of people about the drip-drip of National Security Agency (NSA) surveillance disclosures. From governments, cloud providers, and technologists, to customers and privacy advocates in North America, Europe, and Asia, there are no shortage of opinions. Here are a few I’d like to share:

Surveillance -- just (everybody) do it. While the NSA is one of the biggest and most effective surveillance entities, they aren’t alone. Every country is spying on its enemies, its allies, and its own people. The degrees are different, the sophistication will vary, but the principles (or lack thereof) are the same.

NSA -- your intel outsourcer. There has certainly been outrage in many countries over the actions of the NSA, and some concerns over the propriety of using US cloud providers, forced by the government, to turn over private customer information directly to the NSA. While some of the criticism has been quite vociferous, a lot of it has been surprisingly muted. Why? Well it turns out that many of the NSA requests for customer information from US tech companies are actually made on behalf of an allied country. We are one disclosure away from any number of countries being embarrassed by their collaboration with the NSA, which makes me very curious about the going rate for outsourced security agency services.

Metadata is still data. One of my pet peeves early on in the revelations was the argument that collecting phone records of innocent parties is acceptable because we aren’t actually listening in on the conversation. The phone records themselves are actually more important that the conversations.

Metadata -- data about the data -- is information that must be carefully protected. Think about email: you can encrypt the conversation, but if someone were to look at your email log files and your email headers they know everyone with whom you converse and they can even geolocate you at the point of those conversations. You can paint a startlingly accurate picture of a person just by knowing who they talk to and how often.

We are not ready for a risk-based discussion about preventing terrorist attacks. A conversation I have tried to start with colleagues in DC relates to the practicalities around stopping all terrorist attacks. I will often ask if it is possible to put risk-based boundaries around the anti-terror investment and other societal compromises necessary to conduct this all-out war. For the right to drive an automobile, for example, we, as a society, are willing to tolerate a tremendous amount of death and destruction. I am not winning many converts to this philosophy.

The counter argument is that terrorist acts truly inspire terror. They create fear that debilitates an entire country, even if it is physically a small attack. Worse, perhaps that next attack is going to be bigger than anything we have ever seen. No one in Washington wants to be steering the ship when the next 9/11 happens and have it be shown that they did not do absolutely everything they could have done to prevent it.

Is encryption broken? Most troubling to me out of this saga so far is the news that the NSA may have co-opted the standards development process to assure that weak encryption was widely used, simplifying the data collection activities. This is like the farmer poisoning his pond to kill the coyote that might be lurking in the midst of the livestock; there is a lot of collateral damage to be worried about.

Yet, it appears that this problem can be remediated. In some cases it is a matter of configuration to ensure that weak random number generators are not used. In other cases we may need to go back and vet some encryption systems. It is one thing for the NSA to collect information and ask us to trust them to be honorable stewards. It is quite another to weaken an Internet data and privacy protection technology that any actor outside of the NSA could exploit.

The tech industry must be more transparent. I hesitate to draw strident conclusions knowing that the next leak might be announced tomorrow. I hope that governments will attempt some degree of review. I believe that the tech community has been catalyzed to build new and better security technology that will protect information from all comers.

To that end, our industry needs to be more aggressive in challenging FISA court orders for customer data. A key theme that I plan to evangelize is not new: transparency. The public trust in cloud computing and other public-facing Internet services depends upon our industry's ability to be transparent about security practices in the most holistic way possible.

Is anyone listening? Let's chat about where you agree and disagree in the comments.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
anon3070614879
50%
50%
anon3070614879,
User Rank: Apprentice
12/4/2013 | 5:53:39 PM
Re: Numbers
I like the analogy of the automobile.  Americans accept that risk.  However, the NSA and its defenders don't spend a lot of time terrorizing us with the high number of car accidents.  They do cry 9/11 regularly.  Americans have to get their fear under control before they make a decision about what kind of surveillance they are willing to put up with.

 

Canada did not experience a 9/11-style terror attack, but for this Canadian, the current surveillance disclosures are terrifying.  I am an enthusiastic online shopper and I bank online.  That secret government agents have the ability to hack my financial information leaves me scrambling to come up with ways I might protect that information.  I can't do that.  Only legislation can protect me.

 

I am happy to see that the UN is at least eager to investigate the global surveillance scandal.  It's through the UN that we made an international law that makes war a crime.  Why can't we make unwarranted spying an international crime, subject to sanctions.  It's not gonna stop a state like the US, which makes war whenever it pleases and will continue spying, but if enough countries get angry enough, we can at least target America's reputation.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
12/3/2013 | 4:41:17 PM
Re: Numbers -- terrorists have not won!
No, the terrorists have not won. And yes, we -- as individuals and as part of the tech industry -- have to be vigilant to make sure that our government doesn't overreach.  Where that line is? I'm not sure. But I'm encouraged by the passionate discourse about the risk/versus rewards of the NSA programs, which I might add, are being conducted here, in a very public forum!
anon2122209927
50%
50%
anon2122209927,
User Rank: Apprentice
12/3/2013 | 3:22:18 PM
Re: Numbers
i couldnt agree more. Last week I attneded my granddaughters Turkey trot at her middle school. When I got there, I had to sign in AND leav my drivers license with them, just to get on the play ground to watch them run. Then, when they did run, they ran around the playground outside the fence to the front of the school, returning to the playground. What was the point of leaving the id? All terrorists have won.... and we are now all slaves to survallence and being spyed on.
RobPreston
50%
50%
RobPreston,
User Rank: Apprentice
12/3/2013 | 1:44:03 PM
Re: Numbers
Of course, we already make some risk tradeoffs when it comes to terrorism. We're not shutting our airports and closing our borders. The question is where the line is.

And the "numbers" don't reflect intent. It's one thing for automobiles to cause many thousands of deaths, but those deaths (for the most part) aren't intentional. Terrorism is intentional. And if we allow a certain amount of it as part of a risk-based calculation, expect to get even more of it. 
moarsauce123
50%
50%
moarsauce123,
User Rank: Apprentice
12/3/2013 | 1:18:18 PM
Numbers
Be very frank here, how many deaths to guns and booze every year? 9/11's multiple times over. Cost to our economy running around scared? TRILLIONS. Terrorists already won.

 

We've imploded.

 

Remove emotion, it's all about the numbers.

 

Carry on.
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6117
Published: 2014-07-11
Dahua DVR 2.608.0000.0 and 2.608.GV00.0 allows remote attackers to bypass authentication and obtain sensitive information including user credentials, change user passwords, clear log files, and perform other actions via a request to TCP port 37777.

CVE-2014-0174
Published: 2014-07-11
Cumin (aka MRG Management Console), as used in Red Hat Enterprise MRG 2.5, does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.

CVE-2014-3485
Published: 2014-07-11
The REST API in the ovirt-engine in oVirt, as used in Red Hat Enterprise Virtualization (rhevm) 3.4, allows remote authenticated users to read arbitrary files and have other unspecified impact via unknown vectors, related to an XML External Entity (XXE) issue.

CVE-2014-3499
Published: 2014-07-11
Docker 1.0.0 uses world-readable and world-writable permissions on the management socket, which allows local users to gain privileges via unspecified vectors.

CVE-2014-3503
Published: 2014-07-11
Apache Syncope 1.1.x before 1.1.8 uses weak random values to generate passwords, which makes it easier for remote attackers to guess the password via a brute force attack.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Marilyn Cohodas and her guests look at the evolving nature of the relationship between CIO and CSO.