The United Arab Emirates, which signed a $926 million contract last year with two French firms to buy two intelligence satellites, said this week that the deal would be cancelled unless the firms (Airbus Defense & Space and Thales Alenia) removed US-built components. The UAE's fear was that the equipment would contain back doors that would allow data sent to ground stations to be intercepted.
Facing a major customer defection, will the French firms -- or, for that matter, anyone else trying to land a foreign contract -- continue to work with American component builders? Mounting evidence suggests otherwise.
Brian Honan, an independent security consultant in Dublin, wrote in a recent SANS Institute newsletter, "I have seen similar moves by clients in their 'Request for Tenders' where they specifically highlight data is not to be stored in US data centers or with US-based cloud providers." He said US tech companies have "a lot of reputational damage to repair for a lot of European-based organizations, [following] the revelations about NSA backdoors and spying allegations."
Prepare for more defections. In a survey of 300 UK and Canadian businesses released this week by the Canadian cloud firm Peer 1 Hosting, 25% said they plan to move their hosting operations out of the United States. Interestingly, more than two-thirds said they're willing to trade performance for ensuring their data is stored only in a country of their choosing.
What can be done to fix the damage? That question was at the top of the agenda for 15 of the world's leading technology companies -- including the heads of Apple, Google, and Yahoo -- when they met with President Obama last month. But the Guardian reported that, when the business leaders attempted to broach their NSA surveillance concerns, Obama tried to change the subject to HealthCare.gov.
Ignoring the problem won't make it go away. The Information Technology & Innovation Foundation (ITIF) has estimated that the NSA surveillance revelations will cost US businesses $22 billion through 2016. Forrester Research puts its estimate -- including the effects for technology firms and managed service providers -- at $180 billion. Already, Cisco has reported buying hesitation in some foreign markets.
The solution to this problem must begin with Obama, who needs to rein in the NSA surveillance apparatus. One rationale is purely practical. As any organization that has experienced a breach at the hands of an insider knows -- NSA, I'm talking to you -- if you don't collect and store massive quantities of data, it can't be stolen or leaked. As Slate's Joshua Keating wrote recently: "The same factors that made it easier for the NSA to collect so much data made it easier for Snowden to release so much."
US businesses must also work overtime to prove to foreign clients that their products are surveillance-free. Ironically, they'll now have to take a page from Huawei's playbook. Huawei was slammed by US legislators in 2012 for not being able to prove that its business practices were free from Chinese government interference. In response, "Huawei funded a test lab in the UK so that the UK government could inspect Huawei telecoms equipment that BT wanted to use in the UK backbone network upgrade," SANS Institute director John Pescatore wrote this week in an emailed newsletter. "The Snowden leaks of NSA activities mean that US IT exporters will need to make investments similar to Huawei's in order to convince overseas customers that their technology has not been compromised."
Microsoft has already taken a step in that direction. Brad Smith, its head of legal and corporate affairs, announced in a blog post last month that the company would use or improve encryption for a number of services and open a network of "transparency centers" to allow customers to review its source code for any evidence of back doors.
When discussing how to rein in the NSA, return on investment should also be a factor. On that front, one aspect of the NSA's voracious appetite for metadata that would be laughable -- if it weren't so sinister -- is its inability to provide even one example of how it's helped prevent a major attack.
Accordingly, policy makers should follow the advice of Matt Blaze, a privacy expert at the University of Pennsylvania. He's argued that the NSA must retire its indiscriminate digital dragnet and rely instead on its Tailored Access Operations (TAO) team of elite hackers. Because TAO is a finite resource, the NSA would be forced to prioritize its targets, rather than eavesdropping on everyone under the sun.
In the meantime, US technology businesses large and small are stuck footing the bill for an attempted hearts-and-minds campaign. Despite those efforts, unless the NSA is brought in line, we can expect a question to linger: Who wants to buy American? Would you?