1/10/2014 06:06 AM
NSA Fallout: Why Foreign Firms Won’t Buy American Tech

Mounting evidence points to billions of dollars in lost US business thanks to the NSA's collect-everything mindset.

The United Arab Emirates, which signed a $926 million contract last year with two French firms to buy two intelligence satellites, said this week that the deal would be cancelled unless the firms (Airbus Defense & Space and Thales Alenia) removed US-built components. The UAE's fear was that the equipment would contain back doors that would allow data sent to ground stations to be intercepted.

Facing a major customer defection, will the French firms -- or, for that matter, anyone else trying to land a foreign contract -- continue to work with American component builders? Mounting evidence suggests otherwise.

Brian Honan, an independent security consultant in Dublin, wrote in a recent SANS Institute newsletter, "I have seen similar moves by clients in their 'Request for Tenders' where they specifically highlight data is not to be stored in US data centers or with US-based cloud providers." He said US tech companies have "a lot of reputational damage to repair for a lot of European-based organizations, [following] the revelations about NSA backdoors and spying allegations."

Prepare for more defections. In a survey of 300 UK and Canadian businesses released this week by the Canadian cloud firm Peer 1 Hosting, 25% said they plan to move their hosting operations out of the United States. Interestingly, more than two-thirds said they're willing to trade performance for ensuring their data is stored only in a country of their choosing.

What can be done to fix the damage? That question was at the top of the agenda for 15 of the world's leading technology companies -- including the heads of Apple, Google, and Yahoo -- when they met with President Obama last month. But the Guardian reported that, when the business leaders attempted to broach their NSA surveillance concerns, Obama tried to change the subject to HealthCare.gov.

Technology executives met in December with President Obama. (Source: White House)

Ignoring the problem won't make it go away. The Information Technology & Innovation Foundation (ITIF) has estimated that the NSA surveillance revelations will cost US businesses $22 billion through 2016. Forrester Research puts its estimate -- including the effects for technology firms and managed service providers -- at $180 billion. Already, Cisco has reported buying hesitation in some foreign markets.

The solution to this problem must begin with Obama, who needs to rein in the NSA surveillance apparatus. One rationale is purely practical. As any organization that has experienced a breach at the hands of an insider knows -- NSA, I'm talking to you -- if you don't collect and store massive quantities of data, it can't be stolen or leaked. As Slate's Joshua Keating wrote recently: "The same factors that made it easier for the NSA to collect so much data made it easier for Snowden to release so much."

US businesses must also work overtime to prove to foreign clients that their products are surveillance-free. Ironically, they'll now have to take a page from Huawei's playbook. Huawei was slammed by US legislators in 2012 for not being able to prove that its business practices were free from Chinese government interference. In response, "Huawei funded a test lab in the UK so that the UK government could inspect Huawei telecoms equipment that BT wanted to use in the UK backbone network upgrade," SANS Institute director John Pescatore wrote this week in an emailed newsletter. "The Snowden leaks of NSA activities means that US IT exporters will need to make investments similar to Huawei's in order to convince overseas customers that their technology has not been compromised."

Microsoft has already made a step in that direction. Brad Smith, its head of legal and corporate affairs, announced in a blog post last month that the company would use or improve encryption for a number of services and open a network of "transparency centers" to allow customers to review its source code for any evidence of back doors.

When discussing how to rein in the NSA, return on investment should also be a factor. On that front, one aspect of the NSA's voracious appetite for metadata that would be laughable -- if it weren't so sinister -- is its inability to provide even one example of how it's helped prevent a major attack.

Accordingly, policy makers should follow the advice of Matt Blaze, a privacy expert at the University of Pennsylvania. He's argued that the NSA must retire its indiscriminate digital dragnet and rely instead on its Tailored Access Operations (TAO) team of elite hackers. Because TAO is a finite resource, the NSA would be forced to prioritize its targets, rather than eavesdropping on everyone under the sun.

In the meantime, US technology businesses large and small are stuck footing the bill for an attempted hearts-and-minds campaign. Despite those efforts, unless the NSA is brought in line, we can expect a question to linger: Who wants to buy American? Would you?

Comments
Marilyn Cohodas, User Rank: Strategist, 1/13/2014 | 8:41:52 AM
Trust in the Internet is also a national security issue
Yes, all governments spy in the interest of their nation's security -- probably as much or more than the NSA. But calls for reforms in government bulk collection of data by companies like Twitter, Facebook, AOL, Yahoo, Microsoft, Google, Apple and LinkedIn represent a national security interest as well -- to preserve the public's trust in the Internet, which is the backbone of our global economy.
SaneIT, User Rank: Apprentice, 1/13/2014 | 7:40:52 AM
Re: Foreign Firms
That's interesting to hear. I know the levels of trust will vary from country to country, but there are some things we know for sure about China and their use of DNS hacks and firewalling to shape/divert/intercept traffic. I don't for a second think any country is innocent of snooping on internet traffic, but I would think that most first world countries would shy away from Chinese networking gear.
Mathew, User Rank: Apprentice, 1/11/2014 | 8:16:42 AM
Re: Rein in, not "reign"
Anon, slip o' the brain. Thanks for the catch, we've made that fix.
securityartist, User Rank: Apprentice, 1/10/2014 | 5:58:04 PM
Trust, but verify??
In the 1980s President Ronald Reagan infamously borrowed a famous Russian proverb when he said "Trust, but verify". Somehow, I think that proverb misses the mark with respect to the basic tenets of security - it should be: "Do not trust until you verify".

I would not say it is all doom and gloom for American technology companies. Sure, some organizations will opt for open source alternatives; some simply don't have the time or know how to inspect lines of code and will source technology from suppliers with no connection to the US, or in instances where there may be no viable alternative solution, will continue to use American technology. In the latter case, "Better the devil you know" will apply.
RobPreston, User Rank: Apprentice, 1/10/2014 | 2:35:33 PM
Re: Foreign Firms
China, the US, who next? Israel? It's probably the world's biggest developer of security software. It's a country known to do its fair share of spying, even on the US. All industrialized countries spy. Are all of the systems manufactured/developed in those countries suspect in foreign lands? 
ANON1244137161719, User Rank: Apprentice, 1/10/2014 | 12:27:10 PM
Rein in, not "reign"
You "rein in", not "reign in". It comes from the reins of a bridle, used to control a horse.
Whoopty, User Rank: Moderator, 1/10/2014 | 11:15:51 AM
Re: Foreign Firms
See that's completely opposite here. In the UK, our Prime Minister is so interested in attracting Chinese investors that he's opened his arms to Huawei and allowed it to build a whole new $200 million research facility and has praised its filtering system for blocking pornography.

However, more on topic, I don't see people's confidence in US firms returning until there's a change in legislation. As it stands, you can make all the assurances you want as a tech firm, but you can still be forced by the courts to hand over all your customers' data, and you can't even tell them about it.
David F. Carr, User Rank: Apprentice, 1/10/2014 | 10:18:07 AM
Re: Foreign Firms
On the other hand, it doesn't inspire confidence that the NSA keeps getting caught with its hands in the cookie jar.
SaneIT, User Rank: Apprentice, 1/10/2014 | 7:41:18 AM
Foreign Firms
This isn't all that surprising; Huawei had a very hard time trying to make inroads into the data center. There is a general distrust when dealing with manufacturers from certain companies, but I think in the case of the NSA it is more an issue of the devil you know versus the devil you don't know. We know that the NSA was listening in to the conversations of foreign leaders, we know that they have had back doors into some hardware and software, but at least we know they are there. Who we don't know about is what worries me: Stux, for example, or stories of Chinese hardware with back doors, but no one can pinpoint who has access. Sure, the NSA might be watching you, but who else is out there doing the exact same thing and we just haven't caught them in the act yet?