12:00 PM
Julian Waits
Julian Waits
Connect Directly

In Fog Of Cyberwar, US Tech Is Caught In Crossfire

Distrust of the US intelligence community is eroding consumer confidence and hampering US technology firms on the global stage at a time when the sector should be showing unprecedented growth.

The escalation of state-backed cybercrime is very real, and increasingly alarming. The situation is a national security risk and is being taken seriously by the federal government. However, the disclosure of the US’s own cyber counter-terror tactics, and the reaction from around the world, has created a dangerous situation for the US economy, with technology firms particularly in the crosshairs.

The dangers to US businesses are compounded by a growing number of revelations about the NSA and its tactics. As the seriousness of the situation grows, so does the potential for ramifications in the tech industry. A recent report in Bloomberg News revealed that the Chinese government is already pressuring its banks to remove all high-end IBM servers. It’s also been reported in The New York Times that China wants to ban the use of Cisco products in its government-owned businesses. The Chinese government isn’t alone in its wariness of US spying -- news that the NSA took advantage of the Heartbleed bug to gather intelligence without disclosing it created worldwide outrage.

Many would argue that the government should be protecting businesses and its citizens, and not exploiting them for surveillance purposes. While the disclosure of US cyber counter-terror tactics should come as no surprise -- the threat of state-backed bad actors stealing intellectual property or worse is a critical one -- the government has put US businesses in harm’s way.

In November Facebook, Google, Apple, Yahoo, Microsoft, and AOL sent a letter to Congress supporting the creation of a privacy advocate to represent the interests of civil liberties when it comes to the NSA’s counter-terror surveillance efforts. Distrust of the US intelligence community at home and abroad is eroding consumer confidence and hampering US technology firms in their pursuit of global business. This could ultimately lead to a tech recession at a time when the sector should be showing historic and unprecedented growth.

The cloud of cyberwar
This scenario is not far-fetched. Dean Garfield, president and CEO of the Information Technology Industry Council, said that tens of billions of dollars are at stake for US cloud providers, and many US tech vendors are already hearing complaints. He appealed to the US House of Representatives Judiciary Committee for greater transparency over surveillance and stronger oversight, including a civil liberties advocate at the US Foreign Intelligence Surveillance Court. "Made in the USA" is no longer a badge of honor, but a basis for questioning the integrity and the independence of US-made technology,” Garfield said. “Many countries are using the NSA's disclosures as a basis for accelerating their policies around forced localization and protectionism.

This protectionism can be thought of as a "Balkanization" of the Internet, and it is incredibly dangerous not just to US technology interests, but to broader business interests. Cloud computing is an advancement that no one wants to walk away from, but if more countries take the protectionist stance that Germany has taken, which includes strict rules that govern where data needs to be physically located, it will become both a technological nightmare and financial disaster to provide services that meet current levels. While it is unlikely that every country in the world will create specific, unique, and stringent rules about how and where data is stored, it becomes a major issue if even a few elect to follow that path.

A US technology vendor trying to do business in Germany will, in many cases, now need to have a data center in country, hire employees there to manage it, and comply with a host of regulations. Doing so is complex and creates unnecessary challenges to companies that, often times, are still in formative stages. More importantly, it’s incredibly cost-prohibitive. This arrangement is helpful to no one -- it hurts businesses, and it slows the pace of innovation, especially in protectionist countries.

Trust, security, and privacy
Government and business both have a role to play in rebuilding trust, increasing security and privacy, and making sure this Balkanization does not happen. The US government, through the National Institute of Standards and Technology (NIST), needs to develop cryptography and cyber security standards that ensure consistency. They should also work with international governments in an open, transparent way with the goal of keeping the Internet both an open platform and a secure one. And, of course, reassurances need to be made that the NSA’s data collection efforts are not wantonly all-encompassing, but are narrow, focused, and designed to be as minimally invasive as possible.

Businesses need to take a three-pronged approach to cyber security, focusing on culture, policy, and technology. First and foremost, cyber security needs to enter the board room in a meaningful way. It needs to be discussed seriously and proactively, and can no longer be relegated to a simple line item on the IT budget. A business taking cyber security seriously will then create the right policies designed to protect assets and systems. Understanding what needs to be protected seems obvious, but many companies do a poor job at protecting the crown jewels. Most of the holes in modern defenses are left open because organizations don’t adequately examine their own risk profiles.

And finally, organizations need to fully vet the technology they employ, to ensure that there are no backdoors or traps that would allow another state-backed group to commit cyber espionage. The US has been caught doing this elsewhere in the world, but it is by no means the only country engaging in activities like this. Cyber security is difficult enough without businesses inadvertently bringing the enemy behind the gates of their own accord.

Julian Waits serves as President and Chief Executive Officer for ThreatTrack Security, guiding the company's growth as it traverses the enterprise security market with threat analysis, awareness, and defense solutions that combat advanced persistent threats (APTs), targeted ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
7/11/2014 | 10:14:51 AM
Re: This is a U.S. technology problem that needs to be addressed!
That's a great point, Julian. That the protectionism  puts the smaller companies at a greater disadvantage abroad than the multinationals. In terms of fair play, it's a great argument. I hope our public officials are listening. Well, probably the NSA already is, but in a different context. 
ThreatTrack Security
ThreatTrack Security,
User Rank: Author
7/11/2014 | 9:54:46 AM
This is a U.S. technology problem that needs to be addressed!
Glad you all got something out of my post! To @Marilyn's point, this is definitely less of a cloud vs. on-premise problem than it is a U.S. tech problem, and the trouble is that some very small but innovative technology providers may have difficulty gaining traction in foreign markets simply because their products are American made. The costs I mentioned that would have to be overcome in some instances would deter all but the blue-chip firms from even trying to extend their reach. Hopefully, our government is listening and paying attention and will do its best to uphold our nation's "brand" as a believer in fair play.
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
7/10/2014 | 1:00:33 PM
Re: the cloud is compromised
@BiffSpackle. Agree. There's plenty of malware directed at data physically located in on-premises datacenters. But the protectionism that Julian speaks of is a serious issue for US CSPs doing business globally.
User Rank: Apprentice
7/9/2014 | 5:18:38 PM
Re: the cloud is compromised
Given the proliferation of malware inside some organizations, it may be safer to run in the cloud!


Jes' sayin'...
User Rank: Apprentice
7/9/2014 | 5:13:48 PM
Re: the cloud is compromised
This information really damaged the credibility of the cloud. Between cybercriminals and rogue cloud implementations from employees (that then lack any internal controls and are subject to hacking/loss/other breaches) and what we know about NSA, Chinese, and potentiall other nations' spying activities, you'd be hard-pressed to entrust your data in this way.
Thomas Claburn
Thomas Claburn,
User Rank: Moderator
7/9/2014 | 4:53:02 PM
the cloud is compromised
I don't see how anyone with information that needs protection can now entrust it to the cloud. 
More Blogs from Commentary
Internet of Things: 4 Security Tips From The Military
The military has been connecting mobile command posts, unmanned vehicles, and wearable computers for decades. It’s time to take a page from their battle plan.
Passwords Be Gone! Removing 4 Barriers To Strong Authentication
As biometric factors become more prevalent on mobile devices, FIDO Alliance standards will gain traction as an industry-wide authentication solution.
RAM Scraper Malware: Why PCI DSS Can't Fix Retail
There is a gaping hole in the pre-eminent industry security standard aimed at protecting customers, credit card and personal data
Dark Reading Radio: The Winners & Losers of Botnet Takedowns
Our guests are Cheri McGuire, VP of global government affairs and cyber security policy for Symantec, and Craig D. Spiezle, executive director and founder of the Online Trust Alliance.
Infographic: With BYOD, Mobile Is The New Desktop
Security teams have no choice but to embrace the rapid proliferation of BYO devices, apps, and cloud services. To ignore it is to put your head in the sand.
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-07-26
Morpho Itemiser 3 8.17 has hardcoded administrative credentials, which makes it easier for remote attackers to obtain access via a login request.

Published: 2014-07-26
Directory traversal vulnerability in the storedNtxFile function in HP Network Virtualization 8.6 (aka Shunra Network Virtualization) allows remote attackers to read arbitrary files via crafted input, aka ZDI-CAN-2023.

Published: 2014-07-26
Directory traversal vulnerability in the toServerObject function in HP Network Virtualization 8.6 (aka Shunra Network Virtualization) allows remote attackers to create files, and consequently execute arbitrary code, via crafted input, aka ZDI-CAN-2024.

Published: 2014-07-26
The ISO-8859-1 encoder in Resin Pro before 4.0.40 does not properly perform Unicode transformations, which allows remote attackers to bypass intended text restrictions via crafted characters, as demonstrated by bypassing an XSS protection mechanism.

Published: 2014-07-26
Cross-site scripting (XSS) vulnerability in the Data Quality Console in IBM InfoSphere Information Server 11.3 allows remote attackers to inject arbitrary web script or HTML via a crafted URL for adding a project connection.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Sara Peters hosts a conversation on Botnets and those who fight them.