Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

12/3/2013
11:06 AM
Jim Reavis
Jim Reavis
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Weighing Costs Vs. Benefits Of NSA Surveillance

What the tech industry needs the NSA to know about aligning a national security agenda with the realities of a global Internet.

I hope for the readers this isn't a YAPA -- Yet Another Prism Article. In my role leading a global research organization devoted to solving tough information security problems, I have engaged in a lot of conversations with a wide variety of people about the drip-drip of National Security Agency (NSA) surveillance disclosures. From governments, cloud providers, and technologists, to customers and privacy advocates in North America, Europe, and Asia, there are no shortage of opinions. Here are a few I’d like to share:

Surveillance -- just (everybody) do it. While the NSA is one of the biggest and most effective surveillance entities, they aren’t alone. Every country is spying on its enemies, its allies, and its own people. The degrees are different, the sophistication will vary, but the principles (or lack thereof) are the same.

NSA -- your intel outsourcer. There has certainly been outrage in many countries over the actions of the NSA, and some concerns over the propriety of using US cloud providers, forced by the government, to turn over private customer information directly to the NSA. While some of the criticism has been quite vociferous, a lot of it has been surprisingly muted. Why? Well it turns out that many of the NSA requests for customer information from US tech companies are actually made on behalf of an allied country. We are one disclosure away from any number of countries being embarrassed by their collaboration with the NSA, which makes me very curious about the going rate for outsourced security agency services.

Metadata is still data. One of my pet peeves early on in the revelations was the argument that collecting phone records of innocent parties is acceptable because we aren’t actually listening in on the conversation. The phone records themselves are actually more important that the conversations.

Metadata -- data about the data -- is information that must be carefully protected. Think about email: you can encrypt the conversation, but if someone were to look at your email log files and your email headers they know everyone with whom you converse and they can even geolocate you at the point of those conversations. You can paint a startlingly accurate picture of a person just by knowing who they talk to and how often.

We are not ready for a risk-based discussion about preventing terrorist attacks. A conversation I have tried to start with colleagues in DC relates to the practicalities around stopping all terrorist attacks. I will often ask if it is possible to put risk-based boundaries around the anti-terror investment and other societal compromises necessary to conduct this all-out war. For the right to drive an automobile, for example, we, as a society, are willing to tolerate a tremendous amount of death and destruction. I am not winning many converts to this philosophy.

The counter argument is that terrorist acts truly inspire terror. They create fear that debilitates an entire country, even if it is physically a small attack. Worse, perhaps that next attack is going to be bigger than anything we have ever seen. No one in Washington wants to be steering the ship when the next 9/11 happens and have it be shown that they did not do absolutely everything they could have done to prevent it.

Is encryption broken? Most troubling to me out of this saga so far is the news that the NSA may have co-opted the standards development process to assure that weak encryption was widely used, simplifying the data collection activities. This is like the farmer poisoning his pond to kill the coyote that might be lurking in the midst of the livestock; there is a lot of collateral damage to be worried about.

Yet, it appears that this problem can be remediated. In some cases it is a matter of configuration to ensure that weak random number generators are not used. In other cases we may need to go back and vet some encryption systems. It is one thing for the NSA to collect information and ask us to trust them to be honorable stewards. It is quite another to weaken an Internet data and privacy protection technology that any actor outside of the NSA could exploit.

The tech industry must be more transparent. I hesitate to draw strident conclusions knowing that the next leak might be announced tomorrow. I hope that governments will attempt some degree of review. I believe that the tech community has been catalyzed to build new and better security technology that will protect information from all comers.

To that end, our industry needs to be more aggressive in challenging FISA court orders for customer data. A key theme that I plan to evangelize is not new: transparency. The public trust in cloud computing and other public-facing Internet services depends upon our industry's ability to be transparent about security practices in the most holistic way possible.

Is anyone listening? Let's chat about where you agree and disagree in the comments.

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
moarsauce123
50%
50%
moarsauce123,
User Rank: Ninja
12/3/2013 | 1:18:18 PM
Numbers
Be very frank here, how many deaths to guns and booze every year? 9/11's multiple times over. Cost to our economy running around scared? TRILLIONS. Terrorists already won.

 

We've imploded.

 

Remove emotion, it's all about the numbers.

 

Carry on.
RobPreston
50%
50%
RobPreston,
User Rank: Apprentice
12/3/2013 | 1:44:03 PM
Re: Numbers
Of course, we already make some risk tradeoffs when it comes to terrorism. We're not shutting our airports and closing our borders. The question is where the line is.

And the "numbers" don't reflect intent. It's one thing for automobiles to cause many thousands of deaths, but those deaths (for the most part) aren't intentional. Terrorism is intentional. And if we allow a certain amount of it as part of a risk-based calculation, expect to get even more of it. 
anon2122209927
50%
50%
anon2122209927,
User Rank: Apprentice
12/3/2013 | 3:22:18 PM
Re: Numbers
i couldnt agree more. Last week I attneded my granddaughters Turkey trot at her middle school. When I got there, I had to sign in AND leav my drivers license with them, just to get on the play ground to watch them run. Then, when they did run, they ran around the playground outside the fence to the front of the school, returning to the playground. What was the point of leaving the id? All terrorists have won.... and we are now all slaves to survallence and being spyed on.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
12/3/2013 | 4:41:17 PM
Re: Numbers -- terrorists have not won!
No, the terrorists have not won. And yes, we -- as individuals and as part of the tech industry -- have to be vigilant to make sure that our government doesn't overreach.  Where that line is? I'm not sure. But I'm encouraged by the passionate discourse about the risk/versus rewards of the NSA programs, which I might add, are being conducted here, in a very public forum!
anon3070614879
50%
50%
anon3070614879,
User Rank: Apprentice
12/4/2013 | 5:53:39 PM
Re: Numbers
I like the analogy of the automobile.  Americans accept that risk.  However, the NSA and its defenders don't spend a lot of time terrorizing us with the high number of car accidents.  They do cry 9/11 regularly.  Americans have to get their fear under control before they make a decision about what kind of surveillance they are willing to put up with.

 

Canada did not experience a 9/11-style terror attack, but for this Canadian, the current surveillance disclosures are terrifying.  I am an enthusiastic online shopper and I bank online.  That secret government agents have the ability to hack my financial information leaves me scrambling to come up with ways I might protect that information.  I can't do that.  Only legislation can protect me.

 

I am happy to see that the UN is at least eager to investigate the global surveillance scandal.  It's through the UN that we made an international law that makes war a crime.  Why can't we make unwarranted spying an international crime, subject to sanctions.  It's not gonna stop a state like the US, which makes war whenever it pleases and will continue spying, but if enough countries get angry enough, we can at least target America's reputation.
I 'Hacked' My Accounts Using My Mobile Number: Here's What I Learned
Nicole Sette, Director in the Cyber Risk practice of Kroll, a division of Duff & Phelps,  11/19/2019
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5087
PUBLISHED: 2019-11-21
An exploitable integer overflow vulnerability exists in the flattenIncrementally function in the xcf2png and xcf2pnm binaries of xcftools 1.0.7. An integer overflow can occur while calculating the row's allocation size, that could be exploited to corrupt memory and eventually execute arbitrary code....
CVE-2019-5509
PUBLISHED: 2019-11-21
ONTAP Select Deploy administration utility versions 2.11.2 through 2.12.2 are susceptible to a code injection vulnerability which when successfully exploited could allow an unauthenticated remote attacker to enable and use a privileged user account.
CVE-2019-6693
PUBLISHED: 2019-11-21
Use of a hard-coded cryptographic key to cipher sensitive data in FortiOS configuration backup file may allow an attacker with access to the backup file to decipher the sensitive data, via knowledge of the hard-coded key. The aforementioned sensitive data includes users' passwords (except the admini...
CVE-2019-17272
PUBLISHED: 2019-11-21
All versions of ONTAP Select Deploy administration utility are susceptible to a vulnerability which when successfully exploited could allow an administrative user to escalate their privileges.
CVE-2019-17650
PUBLISHED: 2019-11-21
An Improper Neutralization of Special Elements used in a Command vulnerability in one of FortiClient for Mac OS root processes, may allow a local user of the system on which FortiClient is running to execute unauthorized code as root by bypassing a security check.