Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

12/3/2013
11:06 AM
Jim Reavis
Jim Reavis
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Weighing Costs Vs. Benefits Of NSA Surveillance

What the tech industry needs the NSA to know about aligning a national security agenda with the realities of a global Internet.

I hope for the readers this isn't a YAPA -- Yet Another Prism Article. In my role leading a global research organization devoted to solving tough information security problems, I have engaged in a lot of conversations with a wide variety of people about the drip-drip of National Security Agency (NSA) surveillance disclosures. From governments, cloud providers, and technologists, to customers and privacy advocates in North America, Europe, and Asia, there are no shortage of opinions. Here are a few I’d like to share:

Surveillance -- just (everybody) do it. While the NSA is one of the biggest and most effective surveillance entities, they aren’t alone. Every country is spying on its enemies, its allies, and its own people. The degrees are different, the sophistication will vary, but the principles (or lack thereof) are the same.

NSA -- your intel outsourcer. There has certainly been outrage in many countries over the actions of the NSA, and some concerns over the propriety of using US cloud providers, forced by the government, to turn over private customer information directly to the NSA. While some of the criticism has been quite vociferous, a lot of it has been surprisingly muted. Why? Well it turns out that many of the NSA requests for customer information from US tech companies are actually made on behalf of an allied country. We are one disclosure away from any number of countries being embarrassed by their collaboration with the NSA, which makes me very curious about the going rate for outsourced security agency services.

Metadata is still data. One of my pet peeves early on in the revelations was the argument that collecting phone records of innocent parties is acceptable because we aren’t actually listening in on the conversation. The phone records themselves are actually more important that the conversations.

Metadata -- data about the data -- is information that must be carefully protected. Think about email: you can encrypt the conversation, but if someone were to look at your email log files and your email headers they know everyone with whom you converse and they can even geolocate you at the point of those conversations. You can paint a startlingly accurate picture of a person just by knowing who they talk to and how often.

We are not ready for a risk-based discussion about preventing terrorist attacks. A conversation I have tried to start with colleagues in DC relates to the practicalities around stopping all terrorist attacks. I will often ask if it is possible to put risk-based boundaries around the anti-terror investment and other societal compromises necessary to conduct this all-out war. For the right to drive an automobile, for example, we, as a society, are willing to tolerate a tremendous amount of death and destruction. I am not winning many converts to this philosophy.

The counter argument is that terrorist acts truly inspire terror. They create fear that debilitates an entire country, even if it is physically a small attack. Worse, perhaps that next attack is going to be bigger than anything we have ever seen. No one in Washington wants to be steering the ship when the next 9/11 happens and have it be shown that they did not do absolutely everything they could have done to prevent it.

Is encryption broken? Most troubling to me out of this saga so far is the news that the NSA may have co-opted the standards development process to assure that weak encryption was widely used, simplifying the data collection activities. This is like the farmer poisoning his pond to kill the coyote that might be lurking in the midst of the livestock; there is a lot of collateral damage to be worried about.

Yet, it appears that this problem can be remediated. In some cases it is a matter of configuration to ensure that weak random number generators are not used. In other cases we may need to go back and vet some encryption systems. It is one thing for the NSA to collect information and ask us to trust them to be honorable stewards. It is quite another to weaken an Internet data and privacy protection technology that any actor outside of the NSA could exploit.

The tech industry must be more transparent. I hesitate to draw strident conclusions knowing that the next leak might be announced tomorrow. I hope that governments will attempt some degree of review. I believe that the tech community has been catalyzed to build new and better security technology that will protect information from all comers.

To that end, our industry needs to be more aggressive in challenging FISA court orders for customer data. A key theme that I plan to evangelize is not new: transparency. The public trust in cloud computing and other public-facing Internet services depends upon our industry's ability to be transparent about security practices in the most holistic way possible.

Is anyone listening? Let's chat about where you agree and disagree in the comments.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
anon3070614879
50%
50%
anon3070614879,
User Rank: Apprentice
12/4/2013 | 5:53:39 PM
Re: Numbers
I like the analogy of the automobile.  Americans accept that risk.  However, the NSA and its defenders don't spend a lot of time terrorizing us with the high number of car accidents.  They do cry 9/11 regularly.  Americans have to get their fear under control before they make a decision about what kind of surveillance they are willing to put up with.

 

Canada did not experience a 9/11-style terror attack, but for this Canadian, the current surveillance disclosures are terrifying.  I am an enthusiastic online shopper and I bank online.  That secret government agents have the ability to hack my financial information leaves me scrambling to come up with ways I might protect that information.  I can't do that.  Only legislation can protect me.

 

I am happy to see that the UN is at least eager to investigate the global surveillance scandal.  It's through the UN that we made an international law that makes war a crime.  Why can't we make unwarranted spying an international crime, subject to sanctions.  It's not gonna stop a state like the US, which makes war whenever it pleases and will continue spying, but if enough countries get angry enough, we can at least target America's reputation.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
12/3/2013 | 4:41:17 PM
Re: Numbers -- terrorists have not won!
No, the terrorists have not won. And yes, we -- as individuals and as part of the tech industry -- have to be vigilant to make sure that our government doesn't overreach.  Where that line is? I'm not sure. But I'm encouraged by the passionate discourse about the risk/versus rewards of the NSA programs, which I might add, are being conducted here, in a very public forum!
anon2122209927
50%
50%
anon2122209927,
User Rank: Apprentice
12/3/2013 | 3:22:18 PM
Re: Numbers
i couldnt agree more. Last week I attneded my granddaughters Turkey trot at her middle school. When I got there, I had to sign in AND leav my drivers license with them, just to get on the play ground to watch them run. Then, when they did run, they ran around the playground outside the fence to the front of the school, returning to the playground. What was the point of leaving the id? All terrorists have won.... and we are now all slaves to survallence and being spyed on.
RobPreston
50%
50%
RobPreston,
User Rank: Apprentice
12/3/2013 | 1:44:03 PM
Re: Numbers
Of course, we already make some risk tradeoffs when it comes to terrorism. We're not shutting our airports and closing our borders. The question is where the line is.

And the "numbers" don't reflect intent. It's one thing for automobiles to cause many thousands of deaths, but those deaths (for the most part) aren't intentional. Terrorism is intentional. And if we allow a certain amount of it as part of a risk-based calculation, expect to get even more of it. 
moarsauce123
50%
50%
moarsauce123,
User Rank: Ninja
12/3/2013 | 1:18:18 PM
Numbers
Be very frank here, how many deaths to guns and booze every year? 9/11's multiple times over. Cost to our economy running around scared? TRILLIONS. Terrorists already won.

 

We've imploded.

 

Remove emotion, it's all about the numbers.

 

Carry on.
For Cybersecurity to Be Proactive, Terrains Must Be Mapped
Craig Harber, Chief Technology Officer at Fidelis Cybersecurity,  10/8/2019
A Realistic Threat Model for the Masses
Lysa Myers, Security Researcher, ESET,  10/9/2019
USB Drive Security Still Lags
Dark Reading Staff 10/9/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-17537
PUBLISHED: 2019-10-13
Jiangnan Online Judge (aka jnoj) 0.8.0 has Directory Traversal for file deletion via the web/polygon/problem/deletefile?id=1&name=../ substring.
CVE-2019-17538
PUBLISHED: 2019-10-13
Jiangnan Online Judge (aka jnoj) 0.8.0 has Directory Traversal for file reading via the web/polygon/problem/viewfile?id=1&name=../ substring.
CVE-2019-17535
PUBLISHED: 2019-10-13
Gila CMS through 1.11.4 allows blog-list.php XSS, in both the gila-blog and gila-mag themes, via the search parameter, a related issue to CVE-2019-9647.
CVE-2019-17536
PUBLISHED: 2019-10-13
Gila CMS through 1.11.4 allows Unrestricted Upload of a File with a Dangerous Type via the moveAction function in core/controllers/fm.php. The attacker needs to use admin/media_upload and fm/move.
CVE-2019-17533
PUBLISHED: 2019-10-13
Mat_VarReadNextInfo4 in mat4.c in MATIO 1.5.17 omits a certain '\0' character, leading to a heap-based buffer over-read in strdup_vprintf when uninitialized memory is accessed.