
NSA Fallout: Why Foreign Firms Won't Buy American Tech

Mounting evidence points to billions of dollars in lost US business thanks to the NSA's collect-everything mindset.

The United Arab Emirates, which signed a $926 million contract last year with two French firms to buy two intelligence satellites, said this week that the deal would be cancelled unless the firms (Airbus Defense & Space and Thales Alenia) removed US-built components. The UAE's fear was that the equipment would contain back doors that would allow data sent to ground stations to be intercepted.

Facing a major customer defection, will the French firms -- or, for that matter, anyone else trying to land a foreign contract -- continue to work with American component builders? Mounting evidence suggests otherwise.

Brian Honan, an independent security consultant in Dublin, wrote in a recent SANS Institute newsletter, "I have seen similar moves by clients in their 'Request for Tenders' where they specifically highlight data is not to be stored in US data centers or with US-based cloud providers." He said US tech companies have "a lot of reputational damage to repair for a lot of European-based organizations, [following] the revelations about NSA backdoors and spying allegations."

Prepare for more defections. In a survey of 300 UK and Canadian businesses released this week by the Canadian cloud firm Peer 1 Hosting, 25% said they plan to move their hosting operations out of the United States. Interestingly, more than two-thirds said they're willing to trade performance for ensuring their data is stored only in a country of their choosing.

What can be done to fix the damage? That question was at the top of the agenda for 15 of the world's leading technology companies -- including the heads of Apple, Google, and Yahoo -- when they met with President Obama last month. But the Guardian reported that, when the business leaders attempted to broach their NSA surveillance concerns, Obama tried to change the subject to HealthCare.gov.

Technology executives met in December with President Obama. (Source: White House)

Ignoring the problem won't make it go away. The Information Technology & Innovation Foundation (ITIF) has estimated that the NSA surveillance revelations will cost US businesses $22 billion through 2016. Forrester Research puts its estimate -- including the effects for technology firms and managed service providers -- at $180 billion. Already, Cisco has reported buying hesitation in some foreign markets.

The solution to this problem must begin with Obama, who needs to rein in the NSA surveillance apparatus. One rationale is purely practical. As any organization that has experienced a breach at the hands of an insider knows -- NSA, I'm talking to you -- if you don't collect and store massive quantities of data, it can't be stolen or leaked. As Slate's Joshua Keating wrote recently: "The same factors that made it easier for the NSA to collect so much data made it easier for Snowden to release so much."

US businesses must also work overtime to prove to foreign clients that their products are surveillance-free. Ironically, they'll now have to take a page from Huawei's playbook. Huawei was slammed by US legislators in 2012 for not being able to prove that its business practices were free from Chinese government interference. In response, "Huawei funded a test lab in the UK so that the UK government could inspect Huawei telecoms equipment that BT wanted to use in the UK backbone network upgrade," SANS Institute director John Pescatore wrote this week in an emailed newsletter. "The Snowden leaks of NSA activities means that US IT exporters will need to make investments similar to Huawei's in order to convince overseas customers that their technology has not been compromised."

Microsoft has already taken a step in that direction. Brad Smith, its head of legal and corporate affairs, announced in a blog post last month that the company would use or improve encryption for a number of services and open a network of "transparency centers" to allow customers to review its source code for any evidence of back doors.

When discussing how to rein in the NSA, return on investment should also be a factor. On that front, one aspect of the NSA's voracious appetite for metadata that would be laughable -- if it weren't so sinister -- is its inability to provide even one example of how it's helped prevent a major attack.

Accordingly, policy makers should follow the advice of Matt Blaze, a privacy expert at the University of Pennsylvania. He's argued that the NSA must retire its indiscriminate digital dragnet and rely instead on its Tailored Access Operations (TAO) team of elite hackers. Because TAO is a finite resource, the NSA would be forced to prioritize its targets, rather than eavesdropping on everyone under the sun.

In the meantime, US technology businesses large and small are stuck footing the bill for an attempted hearts-and-minds campaign. Despite those efforts, unless the NSA is brought in line, we can expect a question to linger: Who wants to buy American? Would you?

Marilyn Cohodas,
User Rank: Strategist
1/13/2014 | 8:41:52 AM
Trust in the Internet is also a national security issue
Yes, all governments spy in the interest of their nation's security -- probably as much or more than the NSA. But calls for reforms in government bulk collection of data by companies like Twitter, Facebook, AOL, Yahoo, Microsoft, Google, Apple and LinkedIn represent a national security interest as well -- to preserve the public's trust in the Internet, which is the backbone of our global economy.


User Rank: Apprentice
1/13/2014 | 7:40:52 AM
Re: Foreign Firms
That's interesting to hear, I know the levels of trust will vary from country to country but there are some things we know for sure about China and their use of DNS hacks and fire walling to shape/divert/intercept traffic.  I don't for a second think any country is innocent of snooping on internet traffic but I would think that most first world countries would shy away from Chinese networking gear.
User Rank: Apprentice
1/11/2014 | 8:16:42 AM
Re: Rein in, not "reign"
Anon, slip o' the brain. Thanks for the catch, we've made that fix.
User Rank: Apprentice
1/10/2014 | 5:58:04 PM
Trust, but verify??
In the 1980s President Ronald Reagan infamously borrowed a famous Russian proverb when he said "Trust, but verify". Somehow, I think that proverb misses the mark with respect to the basic tenets of security - it should be: "Do not trust until you verify".


I would not say it is all doom and gloom for American technology companies. Sure, some organizations will opt for open source alternatives; some simply don't have the time or know-how to inspect lines of code and will source technology from suppliers with no connection to the US, or in instances where there may be no viable alternative solution, will continue to use American technology. In the latter case, "Better the devil you know" will apply.
User Rank: Apprentice
1/10/2014 | 2:35:33 PM
Re: Foreign Firms
China, the US, who next? Israel? It's probably the world's biggest developer of security software. It's a country known to do its fair share of spying, even on the US. All industrialized countries spy. Are all of the systems manufactured/developed in those countries suspect in foreign lands? 
User Rank: Apprentice
1/10/2014 | 12:27:10 PM
Rein in, not "reign"
You "rein in", not "reign" in.  It comes from the reins of a bridle, used to control a horse.
User Rank: Ninja
1/10/2014 | 11:15:51 AM
Re: Foreign Firms
See that's completely opposite here. In the UK, our Prime Minister is so interested in attracting Chinese investors that he's opened his arms to Huawei and allowed it to build a whole new $200 million research facility and has praised its filtering system for blocking pornography.

However more on topic, I don't see people's confidence in US firms returning until there's a change in legislation. As it stands, you can make all the assurances you want as a tech-firm, but you can still be forced by the courts to hand over all your customers' data and you can't even tell them about it. 
David F. Carr,
User Rank: Strategist
1/10/2014 | 10:18:07 AM
Re: Foreign Firms
On the other hand, it doesn't inspire confidence that the NSA keeps getting caught with its hands in the cookie jar.
User Rank: Apprentice
1/10/2014 | 7:41:18 AM
Foreign Firms
This isn't all that surprising, Huawei had a very hard time trying to make inroads to the data center. There is a general distrust when dealing with manufacturers from certain companies but I think in the case of the NSA it is more an issue of the devil you know versus the devil you don't know. We know that the NSA was listening in to the conversations of foreign leaders, we know that they have had back doors into some hardware and software but at least we know they are there. Who we don't know about is what worries me, Stux for example or stories of Chinese hardware with back doors but no one can pinpoint who has access. Sure the NSA might be watching you but who else is out there doing the exact same thing and we just haven't caught them in the act yet?