I hope for the readers this isn't a YAPA -- Yet Another Prism Article. In my role leading a global research organization devoted to solving tough information security problems, I have engaged in a lot of conversations with a wide variety of people about the drip-drip of National Security Agency (NSA) surveillance disclosures. From governments, cloud providers, and technologists, to customers and privacy advocates in North America, Europe, and Asia, there is no shortage of opinions. Here are a few I'd like to share:
Surveillance -- just (everybody) do it. While the NSA is one of the biggest and most effective surveillance entities, they aren’t alone. Every country is spying on its enemies, its allies, and its own people. The degrees are different, the sophistication will vary, but the principles (or lack thereof) are the same.
NSA -- your intel outsourcer. There has certainly been outrage in many countries over the actions of the NSA, and some concerns over the propriety of using US cloud providers, forced by the government, to turn over private customer information directly to the NSA. While some of the criticism has been quite vociferous, a lot of it has been surprisingly muted. Why? Well it turns out that many of the NSA requests for customer information from US tech companies are actually made on behalf of an allied country. We are one disclosure away from any number of countries being embarrassed by their collaboration with the NSA, which makes me very curious about the going rate for outsourced security agency services.
Metadata is still data. One of my pet peeves early on in the revelations was the argument that collecting phone records of innocent parties is acceptable because we aren't actually listening in on the conversation. The phone records themselves are actually more important than the conversations.
Metadata -- data about the data -- is information that must be carefully protected. Think about email: you can encrypt the conversation, but if someone were to look at your email log files and your email headers they know everyone with whom you converse and they can even geolocate you at the point of those conversations. You can paint a startlingly accurate picture of a person just by knowing who they talk to and how often.
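To make the email point concrete, here is an added example (my own illustration, not code from the original article) that reads nothing but message headers and still produces a contact graph, origin IP addresses and activity hours for each sender. The three messages are constructed samples with PGP-encrypted bodies; the addresses, IP addresses and timestamps are invented.

```python
# Added example: what email headers alone reveal when every body is encrypted.
# All messages below are constructed samples (documentation addresses and IPs).
from collections import Counter
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime
import re

SAMPLE_MESSAGES = [
    "From: alice@example.org\n"
    "To: bob@example.net\n"
    "Date: Mon, 07 Oct 2013 08:12:00 -0400\n"
    "Received: from [203.0.113.7] by mail.example.org; Mon, 07 Oct 2013 08:12:05 -0400\n"
    "\n-----BEGIN PGP MESSAGE-----\n(ciphertext)\n-----END PGP MESSAGE-----\n",
    "From: alice@example.org\n"
    "To: bob@example.net\n"
    "Cc: carol@example.com\n"
    "Date: Mon, 07 Oct 2013 23:40:00 -0400\n"
    "Received: from [198.51.100.23] by mail.example.org; Mon, 07 Oct 2013 23:40:03 -0400\n"
    "\n-----BEGIN PGP MESSAGE-----\n(ciphertext)\n-----END PGP MESSAGE-----\n",
    "From: bob@example.net\n"
    "To: alice@example.org\n"
    "Date: Tue, 08 Oct 2013 08:05:00 -0400\n"
    "Received: from [192.0.2.55] by mail.example.net; Tue, 08 Oct 2013 08:05:02 -0400\n"
    "\n-----BEGIN PGP MESSAGE-----\n(ciphertext)\n-----END PGP MESSAGE-----\n",
]

# The bracketed client address a receiving MTA records in its Received header.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def summarize_metadata(raw_messages):
    """Aggregate who-talks-to-whom, origin IPs and activity hours from headers only.

    The body is never inspected, so encryption of the content does not change
    anything the function returns.
    """
    pairs = Counter()       # (sender, recipient) -> message count
    origin_ips = Counter()  # (sender, client IP seen by the relay) -> count
    hours = Counter()       # (sender, local hour of day) -> count
    for raw in raw_messages:
        msg = message_from_string(raw)
        sender = getaddresses(msg.get_all("From", []))[0][1].lower()
        recipients = [addr.lower() for _, addr in
                      getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
        for rcpt in recipients:
            pairs[(sender, rcpt)] += 1
        for received in msg.get_all("Received", []):
            for ip in IP_RE.findall(received):
                origin_ips[(sender, ip)] += 1
        date = msg.get("Date")
        if date:
            hours[(sender, parsedate_to_datetime(date).hour)] += 1
    return {"pairs": pairs, "origin_ips": origin_ips, "hours": hours}


def contacts_of(summary, person):
    """Return the people a sender wrote to, most frequent first."""
    counts = Counter()
    for (sender, rcpt), n in summary["pairs"].items():
        if sender == person:
            counts[rcpt] += n
    return [rcpt for rcpt, _ in counts.most_common()]


if __name__ == "__main__":
    summary = summarize_metadata(SAMPLE_MESSAGES)
    for (sender, rcpt), n in sorted(summary["pairs"].items()):
        print(f"{sender} -> {rcpt}: {n} message(s)")
    for (sender, ip), n in sorted(summary["origin_ips"].items()):
        print(f"{sender} sent from {ip} ({n}x)")
    for (sender, hour), n in sorted(summary["hours"].items()):
        print(f"{sender} active around {hour:02d}:00 ({n}x)")
```

Nothing here decrypts anything, yet the output already says who alice's closest contact is, that she writes from two different networks, and that one of those sessions happens late at night. That is the picture an email log file paints, and it is why header and log data deserve the same protection as the message body.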
We are not ready for a risk-based discussion about preventing terrorist attacks. A conversation I have tried to start with colleagues in DC relates to the practicalities around stopping all terrorist attacks. I will often ask if it is possible to put risk-based boundaries around the anti-terror investment and other societal compromises necessary to conduct this all-out war. For the right to drive an automobile, for example, we, as a society, are willing to tolerate a tremendous amount of death and destruction. I am not winning many converts to this philosophy.
The counter argument is that terrorist acts truly inspire terror. They create fear that debilitates an entire country, even if it is physically a small attack. Worse, perhaps that next attack is going to be bigger than anything we have ever seen. No one in Washington wants to be steering the ship when the next 9/11 happens and have it be shown that they did not do absolutely everything they could have done to prevent it.
Is encryption broken? Most troubling to me out of this saga so far is the news that the NSA may have co-opted the standards development process to assure that weak encryption was widely used, simplifying the data collection activities. This is like the farmer poisoning his pond to kill the coyote that might be lurking in the midst of the livestock; there is a lot of collateral damage to be worried about.
Yet, it appears that this problem can be remediated. In some cases it is a matter of configuration to ensure that weak random number generators are not used. In other cases we may need to go back and vet some encryption systems. It is one thing for the NSA to collect information and ask us to trust them to be honorable stewards. It is quite another to weaken an Internet data and privacy protection technology that any actor outside of the NSA could exploit.
The tech industry must be more transparent. I hesitate to draw strident conclusions knowing that the next leak might be announced tomorrow. I hope that governments will attempt some degree of review. I believe that the tech community has been catalyzed to build new and better security technology that will protect information from all comers.
To that end, our industry needs to be more aggressive in challenging FISA court orders for customer data. A key theme that I plan to evangelize is not new: transparency. The public trust in cloud computing and other public-facing Internet services depends upon our industry's ability to be transparent about security practices in the most holistic way possible.
Is anyone listening? Let's chat about where you agree and disagree in the comments.