06:06 AM

NSA Fallout: Why Foreign Firms Won't Buy American Tech

Mounting evidence points to billions of dollars in lost US business thanks to the NSA's collect-everything mindset.

The United Arab Emirates, which signed a $926 million contract last year with two French firms to buy two intelligence satellites, said this week that the deal would be cancelled unless the firms (Airbus Defense & Space and Thales Alenia) removed US-built components. The UAE's fear was that the equipment would contain back doors that would allow data sent to ground stations to be intercepted.

Facing a major customer defection, will the French firms -- or, for that matter, anyone else trying to land a foreign contract -- continue to work with American component builders? Mounting evidence suggests otherwise.

Brian Honan, an independent security consultant in Dublin, wrote in a recent SANS Institute newsletter, "I have seen similar moves by clients in their 'Request for Tenders' where they specifically highlight data is not to be stored in US data centers or with US-based cloud providers." He said US tech companies have "a lot of reputational damage to repair for a lot of European-based organizations, [following] the revelations about NSA backdoors and spying allegations."

Prepare for more defections. In a survey of 300 UK and Canadian businesses released this week by the Canadian cloud firm Peer 1 Hosting, 25% said they plan to move their hosting operations out of the United States. Interestingly, more than two-thirds said they're willing to trade performance for ensuring their data is stored only in a country of their choosing.

What can be done to fix the damage? That question was at the top of the agenda for 15 of the world's leading technology companies -- including the heads of Apple, Google, and Yahoo -- when they met with President Obama last month. But the Guardian reported that, when the business leaders attempted to broach their NSA surveillance concerns, Obama tried to change the subject to HealthCare.gov.

Technology executives met in December with President Obama. (Source: White House)

Ignoring the problem won't make it go away. The Information Technology & Innovation Foundation (ITIF) has estimated that the NSA surveillance revelations will cost US businesses $22 billion through 2016. Forrester Research puts its estimate -- including the effects for technology firms and managed service providers -- at $180 billion. Already, Cisco has reported buying hesitation in some foreign markets.

The solution to this problem must begin with Obama, who needs to rein in the NSA surveillance apparatus. One rationale is purely practical. As any organization that has experienced a breach at the hands of an insider knows -- NSA, I'm talking to you -- if you don't collect and store massive quantities of data, it can't be stolen or leaked. As Slate's Joshua Keating wrote recently: "The same factors that made it easier for the NSA to collect so much data made it easier for Snowden to release so much."

US businesses must also work overtime to prove to foreign clients that their products are surveillance-free. Ironically, they'll now have to take a page from Huawei's playbook. Huawei was slammed by US legislators in 2012 for not being able to prove that its business practices were free from Chinese government interference. In response, "Huawei funded a test lab in the UK so that the UK government could inspect Huawei telecoms equipment that BT wanted to use in the UK backbone network upgrade," SANS Institute director John Pescatore wrote this week in an emailed newsletter. "The Snowden leaks of NSA activities means that US IT exporters will need to make investments similar to Huawei's in order to convince overseas customers that their technology has not been compromised."

Microsoft has already taken a step in that direction. Brad Smith, its head of legal and corporate affairs, announced in a blog post last month that the company would use or improve encryption for a number of services and open a network of "transparency centers" to allow customers to review its source code for any evidence of back doors.

When discussing how to rein in the NSA, return on investment should also be a factor. On that front, one aspect of the NSA's voracious appetite for metadata that would be laughable -- if it weren't so sinister -- is its inability to provide even one example of how it's helped prevent a major attack.

Accordingly, policy makers should follow the advice of Matt Blaze, a privacy expert at the University of Pennsylvania. He's argued that the NSA must retire its indiscriminate digital dragnet and rely instead on its Tailored Access Operations (TAO) team of elite hackers. Because TAO is a finite resource, the NSA would be forced to prioritize its targets, rather than eavesdropping on everyone under the sun.

In the meantime, US technology businesses large and small are stuck footing the bill for an attempted hearts-and-minds campaign. Despite those efforts, unless the NSA is brought in line, we can expect a question to linger: Who wants to buy American? Would you?

User Rank: Apprentice
1/10/2014 | 7:41:18 AM
Foreign Firms
This isn't all that surprising, Huawei had a very hard time trying to make inroads to the data center. There is a general distrust when dealing with manufacturers from certain companies but I think in the case of the NSA it is more an issue of the devil you know versus the devil you don't know. We know that the NSA was listening in to the conversations of foreign leaders, we know that they have had back doors into some hardware and software but at least we know they are there. Who we don't know about is what worries me, Stux for example or stories of Chinese hardware with back doors but no one can pinpoint who has access. Sure the NSA might be watching you but who else is out there doing the exact same thing and we just haven't caught them in the act yet?
David F. Carr,
User Rank: Strategist
1/10/2014 | 10:18:07 AM
Re: Foreign Firms
On the other hand, it doesn't inspire confidence that the NSA keeps getting caught with its hands in the cookie jar.
User Rank: Ninja
1/10/2014 | 11:15:51 AM
Re: Foreign Firms
See that's completely opposite here. In the UK, our Prime Minister is so interested in attracting Chinese investors that he's opened his arms to Huawei and allowed it to build a whole new $200 million research facility and has praised its filtering system for blocking pornography.

However more on topic, I don't see people's confidence in US firms returning until there's a change in legislation. As it stands, you can make all the assurances you want as a tech-firm, but you can still be forced by the courts to hand over all your customers' data and you can't even tell them about it. 
User Rank: Apprentice
1/13/2014 | 7:40:52 AM
Re: Foreign Firms
That's interesting to hear, I know the levels of trust will vary from country to country but there are some things we know for sure about China and their use of DNS hacks and firewalling to shape/divert/intercept traffic. I don't for a second think any country is innocent of snooping on internet traffic but I would think that most first world countries would shy away from Chinese networking gear.
Marilyn Cohodas,
User Rank: Strategist
1/13/2014 | 8:41:52 AM
Trust in the Internet is also a national security issue
Yes, all governments spy in the interest of their nation's security -- probably as much or more than the NSA. But calls for reforms in government bulk collection of data by companies like Twitter, Facebook, AOL, Yahoo, Microsoft, Google, Apple and LinkedIn represent a national security interest as well -- to preserve the public's trust in the Internet, which is the backbone of our global economy.


User Rank: Apprentice
1/10/2014 | 2:35:33 PM
Re: Foreign Firms
China, the US, who next? Israel? It's probably the world's biggest developer of security software. It's a country known to do its fair share of spying, even on the US. All industrialized countries spy. Are all of the systems manufactured/developed in those countries suspect in foreign lands? 
User Rank: Apprentice
1/10/2014 | 12:27:10 PM
Rein in, not "reign"
You "rein in", not "reign" in.  It comes from the reins of a bridle, used to control a horse.
User Rank: Apprentice
1/11/2014 | 8:16:42 AM
Re: Rein in, not "reign"
Anon, slip o' the brain. Thanks for the catch, we've made that fix.
User Rank: Apprentice
1/10/2014 | 5:58:04 PM
Trust, but verify??
In the 1980s President Ronald Reagan infamously borrowed a famous Russian proverb when he said "Trust, but verify". Somehow, I think that proverb misses the mark with respect to the basic tenets of security - it should be: "Do not trust until you verify".


I would not say it is all doom and gloom for American technology companies. Sure, some organizations will opt for open source alternatives; some simply don't have the time or know-how to inspect lines of code and will source technology from suppliers with no connection to the US, or in instances where there may be no viable alternative solution, will continue to use American technology. In the latter case, "Better the devil you know" will apply.