The escalation of state-backed cybercrime is very real, and increasingly alarming. The situation is a national security risk and is being taken seriously by the federal government. However, the disclosure of the US’s own cyber counter-terror tactics, and the reaction from around the world, has created a dangerous situation for the US economy, with technology firms particularly in the crosshairs.
The dangers to US businesses are compounded by a growing number of revelations about the NSA and its tactics. As the seriousness of the situation grows, so does the potential for ramifications in the tech industry. A recent report in Bloomberg News revealed that the Chinese government is already pressuring its banks to remove all high-end IBM servers. It’s also been reported in The New York Times that China wants to ban the use of Cisco products in its government-owned businesses. The Chinese government isn’t alone in its wariness of US spying -- news that the NSA took advantage of the Heartbleed bug to gather intelligence without disclosing it created worldwide outrage.
Many would argue that the government should be protecting businesses and its citizens, and not exploiting them for surveillance purposes. While the disclosure of US cyber counter-terror tactics should come as no surprise -- the threat of state-backed bad actors stealing intellectual property or worse is a critical one -- the government has put US businesses in harm’s way.
In November, Facebook, Google, Apple, Yahoo, Microsoft, and AOL sent a letter to Congress supporting the creation of a privacy advocate to represent the interests of civil liberties when it comes to the NSA’s counter-terror surveillance efforts. Distrust of the US intelligence community at home and abroad is eroding consumer confidence and hampering US technology firms in their pursuit of global business. This could ultimately lead to a tech recession at a time when the sector should be showing historic and unprecedented growth.
The cloud of cyberwar
This scenario is not far-fetched. Dean Garfield, president and CEO of the Information Technology Industry Council, said that tens of billions of dollars are at stake for US cloud providers, and many US tech vendors are already hearing complaints. He appealed to the US House of Representatives Judiciary Committee for greater transparency over surveillance and stronger oversight, including a civil liberties advocate at the US Foreign Intelligence Surveillance Court. “‘Made in the USA’ is no longer a badge of honor, but a basis for questioning the integrity and the independence of US-made technology,” Garfield said. “Many countries are using the NSA’s disclosures as a basis for accelerating their policies around forced localization and protectionism.”
This protectionism can be thought of as a "Balkanization" of the Internet, and it is incredibly dangerous not just to US technology interests, but to broader business interests. Cloud computing is an advancement that no one wants to walk away from, but if more countries take the protectionist stance that Germany has taken, which includes strict rules that govern where data needs to be physically located, it will become both a technological nightmare and financial disaster to provide services that meet current levels. While it is unlikely that every country in the world will create specific, unique, and stringent rules about how and where data is stored, it becomes a major issue if even a few elect to follow that path.
A US technology vendor trying to do business in Germany will, in many cases, now need to have a data center in-country, hire employees there to manage it, and comply with a host of regulations. Doing so is complex and creates unnecessary challenges for companies that, oftentimes, are still in formative stages. More importantly, it’s incredibly cost-prohibitive. This arrangement is helpful to no one -- it hurts businesses, and it slows the pace of innovation, especially in protectionist countries.
Trust, security, and privacy
Government and business both have a role to play in rebuilding trust, increasing security and privacy, and making sure this Balkanization does not happen. The US government, through the National Institute of Standards and Technology (NIST), needs to develop cryptography and cyber security standards that ensure consistency. It should also work with international governments in an open, transparent way with the goal of keeping the Internet both an open platform and a secure one. And, of course, reassurances need to be made that the NSA’s data collection efforts are not wantonly all-encompassing, but are narrow, focused, and designed to be as minimally invasive as possible.
Businesses need to take a three-pronged approach to cyber security, focusing on culture, policy, and technology. First and foremost, cyber security needs to enter the board room in a meaningful way. It needs to be discussed seriously and proactively, and can no longer be relegated to a simple line item on the IT budget. A business taking cyber security seriously will then create the right policies designed to protect assets and systems. Understanding what needs to be protected seems obvious, but many companies do a poor job of protecting the crown jewels. Most of the holes in modern defenses are left open because organizations don’t adequately examine their own risk profiles.
And finally, organizations need to fully vet the technology they employ, to ensure that there are no backdoors or traps that would allow another state-backed group to commit cyber espionage. The US has been caught doing this elsewhere in the world, but it is by no means the only country engaging in activities like this. Cyber security is difficult enough without businesses inadvertently bringing the enemy behind the gates of their own accord.