Cloud
7/9/2014
12:00 PM
Julian Waits
Julian Waits
Commentary
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

In Fog Of Cyberwar, US Tech Is Caught In Crossfire

Distrust of the US intelligence community is eroding consumer confidence and hampering US technology firms on the global stage at a time when the sector should be showing unprecedented growth.

The escalation of state-backed cybercrime is very real, and increasingly alarming. The situation is a national security risk and is being taken seriously by the federal government. However, the disclosure of the US’s own cyber counter-terror tactics, and the reaction from around the world, has created a dangerous situation for the US economy, with technology firms particularly in the crosshairs.

The dangers to US businesses are compounded by a growing number of revelations about the NSA and its tactics. As the seriousness of the situation grows, so does the potential for ramifications in the tech industry. A recent report in Bloomberg News revealed that the Chinese government is already pressuring its banks to remove all high-end IBM servers. It’s also been reported in The New York Times that China wants to ban the use of Cisco products in its government-owned businesses. The Chinese government isn’t alone in its wariness of US spying -- news that the NSA took advantage of the Heartbleed bug to gather intelligence without disclosing it created worldwide outrage.

Many would argue that the government should be protecting businesses and its citizens, and not exploiting them for surveillance purposes. While the disclosure of US cyber counter-terror tactics should come as no surprise -- the threat of state-backed bad actors stealing intellectual property or worse is a critical one -- the government has put US businesses in harm’s way.

In November Facebook, Google, Apple, Yahoo, Microsoft, and AOL sent a letter to Congress supporting the creation of a privacy advocate to represent the interests of civil liberties when it comes to the NSA’s counter-terror surveillance efforts. Distrust of the US intelligence community at home and abroad is eroding consumer confidence and hampering US technology firms in their pursuit of global business. This could ultimately lead to a tech recession at a time when the sector should be showing historic and unprecedented growth.

The cloud of cyberwar
This scenario is not far-fetched. Dean Garfield, president and CEO of the Information Technology Industry Council, said that tens of billions of dollars are at stake for US cloud providers, and many US tech vendors are already hearing complaints. He appealed to the US House of Representatives Judiciary Committee for greater transparency over surveillance and stronger oversight, including a civil liberties advocate at the US Foreign Intelligence Surveillance Court. "Made in the USA" is no longer a badge of honor, but a basis for questioning the integrity and the independence of US-made technology,” Garfield said. “Many countries are using the NSA's disclosures as a basis for accelerating their policies around forced localization and protectionism.

This protectionism can be thought of as a "Balkanization" of the Internet, and it is incredibly dangerous not just to US technology interests, but to broader business interests. Cloud computing is an advancement that no one wants to walk away from, but if more countries take the protectionist stance that Germany has taken, which includes strict rules that govern where data needs to be physically located, it will become both a technological nightmare and financial disaster to provide services that meet current levels. While it is unlikely that every country in the world will create specific, unique, and stringent rules about how and where data is stored, it becomes a major issue if even a few elect to follow that path.

A US technology vendor trying to do business in Germany will, in many cases, now need to have a data center in country, hire employees there to manage it, and comply with a host of regulations. Doing so is complex and creates unnecessary challenges to companies that, often times, are still in formative stages. More importantly, it’s incredibly cost-prohibitive. This arrangement is helpful to no one -- it hurts businesses, and it slows the pace of innovation, especially in protectionist countries.

Trust, security, and privacy
Government and business both have a role to play in rebuilding trust, increasing security and privacy, and making sure this Balkanization does not happen. The US government, through the National Institute of Standards and Technology (NIST), needs to develop cryptography and cyber security standards that ensure consistency. They should also work with international governments in an open, transparent way with the goal of keeping the Internet both an open platform and a secure one. And, of course, reassurances need to be made that the NSA’s data collection efforts are not wantonly all-encompassing, but are narrow, focused, and designed to be as minimally invasive as possible.

Businesses need to take a three-pronged approach to cyber security, focusing on culture, policy, and technology. First and foremost, cyber security needs to enter the board room in a meaningful way. It needs to be discussed seriously and proactively, and can no longer be relegated to a simple line item on the IT budget. A business taking cyber security seriously will then create the right policies designed to protect assets and systems. Understanding what needs to be protected seems obvious, but many companies do a poor job at protecting the crown jewels. Most of the holes in modern defenses are left open because organizations don’t adequately examine their own risk profiles.

And finally, organizations need to fully vet the technology they employ, to ensure that there are no backdoors or traps that would allow another state-backed group to commit cyber espionage. The US has been caught doing this elsewhere in the world, but it is by no means the only country engaging in activities like this. Cyber security is difficult enough without businesses inadvertently bringing the enemy behind the gates of their own accord.

Julian Waits serves as President and Chief Executive Officer for ThreatTrack Security, guiding the company's growth as it traverses the enterprise security market with threat analysis, awareness, and defense solutions that combat advanced persistent threats (APTs), targeted ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Jeff Jerome
50%
50%
Jeff Jerome,
User Rank: Apprentice
8/1/2014 | 9:16:40 PM
Re: Who to Trust?

@ ThreatTrack - Well said and from my point of view it is basically trust no one and if I have to put my trust in someone it is more than likely a US based company.  An not to sound cynical but I know there entities that I definitely don't trust, and frankly never will.  Dark reading for the dark side.

ThreatTrack Security
50%
50%
ThreatTrack Security,
User Rank: Author
8/1/2014 | 10:30:50 AM
Who to Trust?
While the recent revelations of the actions of the NSA are causing many to question the role of the government in ensuring high levels of IT security, it's the combination of the U.S. government and private enterprise that will be considered trustworthy – assuming the relationship changes and certain measures are created. That will happen when and only when government and enterprises freely share information and work to develop cryptography and cyber security standards as well as policies designed to protect assets and systems. Remember, there is no greater source of innovation, capital and brainpower than what we have in the U.S.  – and that, combined with policy changes at the federal level, will guarantee that the government/private business partnership will be considered trustworthy.

 
Jeff Jerome
50%
50%
Jeff Jerome,
User Rank: Apprentice
7/30/2014 | 8:33:46 AM
Re: This is a U.S. technology problem that needs to be addressed!
So if the US is not "Trusted" for security.  Help me to understand who is considered trustworthy?
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
7/11/2014 | 10:14:51 AM
Re: This is a U.S. technology problem that needs to be addressed!
That's a great point, Julian. That the protectionism  puts the smaller companies at a greater disadvantage abroad than the multinationals. In terms of fair play, it's a great argument. I hope our public officials are listening. Well, probably the NSA already is, but in a different context. 
ThreatTrack Security
50%
50%
ThreatTrack Security,
User Rank: Author
7/11/2014 | 9:54:46 AM
This is a U.S. technology problem that needs to be addressed!
Glad you all got something out of my post! To @Marilyn's point, this is definitely less of a cloud vs. on-premise problem than it is a U.S. tech problem, and the trouble is that some very small but innovative technology providers may have difficulty gaining traction in foreign markets simply because their products are American made. The costs I mentioned that would have to be overcome in some instances would deter all but the blue-chip firms from even trying to extend their reach. Hopefully, our government is listening and paying attention and will do its best to uphold our nation's "brand" as a believer in fair play.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
7/10/2014 | 1:00:33 PM
Re: the cloud is compromised
@BiffSpackle. Agree. There's plenty of malware directed at data physically located in on-premises datacenters. But the protectionism that Julian speaks of is a serious issue for US CSPs doing business globally.
BiffSpackle
50%
50%
BiffSpackle,
User Rank: Apprentice
7/9/2014 | 5:18:38 PM
Re: the cloud is compromised
Given the proliferation of malware inside some organizations, it may be safer to run in the cloud!

 

Jes' sayin'...
Alison_Diana
50%
50%
Alison_Diana,
User Rank: Moderator
7/9/2014 | 5:13:48 PM
Re: the cloud is compromised
This information really damaged the credibility of the cloud. Between cybercriminals and rogue cloud implementations from employees (that then lack any internal controls and are subject to hacking/loss/other breaches) and what we know about NSA, Chinese, and potentiall other nations' spying activities, you'd be hard-pressed to entrust your data in this way.
Thomas Claburn
50%
50%
Thomas Claburn,
User Rank: Moderator
7/9/2014 | 4:53:02 PM
the cloud is compromised
I don't see how anyone with information that needs protection can now entrust it to the cloud. 
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-1032
Published: 2014-09-17
Cross-site scripting (XSS) vulnerability in the Euroling SiteSeeker module 3.x before 3.4.5 for EPiServer allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party inf...

CVE-2012-1417
Published: 2014-09-17
Multiple cross-site scripting (XSS) vulnerabilities in Local Phone book and Blacklist form in Yealink VOIP Phones allow remote authenticated users to inject arbitrary web script or HTML via the user field to cgi-bin/ConfigManApp.com.

CVE-2012-1506
Published: 2014-09-17
SQL injection vulnerability in the updateStatus function in lib/models/benefits/Hsp.php in OrangeHRM before 2.7 allows remote authenticated users to execute arbitrary SQL commands via the hspSummaryId parameter to plugins/ajaxCalls/haltResumeHsp.php. NOTE: some of these details are obtained from th...

CVE-2012-1507
Published: 2014-09-17
Multiple cross-site scripting (XSS) vulnerabilities in OrangeHRM before 2.7 allow remote attackers to inject arbitrary web script or HTML via the (1) newHspStatus parameter to plugins/ajaxCalls/haltResumeHsp.php, (2) sortOrder1 parameter to templates/hrfunct/emppop.php, or (3) uri parameter to index...

CVE-2012-2583
Published: 2014-09-17
Cross-site scripting (XSS) vulnerability in Mini Mail Dashboard Widget plugin 1.42 for WordPress allows remote attackers to inject arbitrary web script or HTML via the body of an email.

Best of the Web
Dark Reading Radio