Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

2/25/2014
02:06 PM
50%
50%

NSA Spying Scandal Darkens Cloud Discussions At RSA

From Europe's efforts to create regulations for data localization to worries over the security of the cloud, the leaks of the past eight months have cast a shadow over cloud providers

RSA CONFERENCE -- San Francisco -- Last summer's revelations of the extent to which the U.S. National Security Agency (NSA) collected data on American and foreign targets has caused rifts between global businesses that are hindering efforts to secure the cloud, said Richard Clarke, CEO of Good Harbor and a former U.S. cyberczar, at the Cloud Security Alliance (CSA) Summit on Monday.

RSA Conference 2014
Click here for more articles about the RSA Conference.

The steady leak of documents during the past eight months detailing the operations of the NSA intelligence collection activities has damaged both U.S. policy efforts abroad and the business of a variety of multinational companies, especially cloud providers. Efforts to implement strong security guidelines for the cloud will have to overcome efforts by other nations to implement data residency restrictions to hinder competition, Clarke said.

"Non-U.S. companies are using the NSA revelations as a marketing tool," he said. "There is a great deal of hypocrisy in all of this. People are suddenly amazed that intelligence agencies were collecting intelligence."

Requirements to force cloud providers to keep data in the country of origin and not allow data to transit through the U.S. amount to technological nationalism and, worse, do not make the data any appreciably safer, Clarke said. Data hosting in Europe will be just as easy to get access to as data hosted in the U.S. or another country, Clarke said.

"I'm not revealing away any secrets here if I say that the NSA, and any other world-class intelligence agency, can hack into databases, even if they are not in the United States," he said. "If you think that by passing a law making data localization a requirement for databases in the EU or Argentina or Venezuela or wherever stops the NSA from getting into those databases, think again."

Yet Europe's own technical guru, Udo Heimbrecht, executive director of the European Union Agency for Network and Information Security (ENISA), an EU agency that works to enhance information security, argued that data that travels through the U.S. is at greater risk of interception.

"If you are sending an e-mail from Germany to Estonia, why should it go through the U.S.?" he said. "And that is the idea that we keep our data in Europe."

[Companies need cloud providers to delineate responsibilities for the security of data, provide better security information, and encrypt data everywhere. See 5 Ways Cloud Services Can Soothe Security Fears In 2014.]

Clarke served on President Obama's Review Group on Intelligence and Communications Technologies, the five-member group that issued a 308-page report on the U.S.'s intelligence-gathering efforts. The report underscored that the competing goals of the U.S. intelligence community -- protecting liberty and the right to privacy while at the same time rooting out and combatting terrorism -- could not always be met simultaneously.

Clarke voiced support for the NSA's mission, but underscored that there was a disconnect between policy makers and the intelligence collectors. While legislators gave the NSA powers to accomplish certain goals and missions, the intelligence collectors sought all manner of information that would help them achieve those goals. The technological infrastructure, however, could be used for laudable aims as well as nefarious, he said.

"We may have created, along with the CIA and FBI and other intelligence agencies, and with all these technologies ... the potential -- the potential -- for a police surveillance state," Clarke said. "We are not there yet, but the technology is."

For most companies that put their data into cloud services, there are more practical concerns of data security. Questions of security boil down to questions of trust, said David Miller, chief security officer at Covisint, a cloud identity provider.

"Do I trust the cloud? That's a little bit of a broad statement," Miller said. "I trust some vendors on the cloud; I don't trust other vendors in the cloud. I do know that we are at a point where we are going to have to use it."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
FluBot Malware's Rapid Spread May Soon Hit US Phones
Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
Slideshows
7 Modern-Day Cybersecurity Realities
Steve Zurier, Contributing Writer,  4/30/2021
Commentary
How to Secure Employees' Home Wi-Fi Networks
Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-24259
PUBLISHED: 2021-05-05
The “Elementor Addon Elements� WordPress Plugin before 1.11.2 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.
CVE-2021-24260
PUBLISHED: 2021-05-05
The “Livemesh Addons for Elementor� WordPress Plugin before 6.8 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.
CVE-2021-24261
PUBLISHED: 2021-05-05
The “HT Mega – Absolute Addons for Elementor Page Builder� WordPress Plugin before 1.5.7 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by ...
CVE-2021-24262
PUBLISHED: 2021-05-05
The “WooLentor – WooCommerce Elementor Addons + Builder� WordPress Plugin before 1.8.6 has a widget that is vulnerable to stored Cross-Site Scripting (XSS) by lower-priv...
CVE-2021-24263
PUBLISHED: 2021-05-05
The “Elementor Addons – PowerPack Addons for Elementor� WordPress Plugin before 2.3.2 for WordPress has several widgets that are vulnerable to stored Cross-Site Scriptin...