NSA Spying - Should I Care?


I have, intentionally, stayed distant from the furvor that has gone on since the Snowden situation erupted over the summer.  At a dinner I hosted recently with other CISO's I talked about my views and thought it might be interesting to post.  I think the "outrage" at the US government is misplaced and currently a "red herring" of the industry.  I think we need to put in perspective the threat landscape.  There are, roughly, five different areas of the current threats.  Hacktivism, Corporate Espionage, CyberWarfare, eCrime and State Sponsored Espionage.  The latter two are the biggest of all at this point.

The conversation over State espionage needs to be done with an understanding of the backdrop.  Below are the significant points I feel are relevant.

  • No State motivation to curtail.  Since the beginning of governments there has been the act of State espionage.  It's common practice for nearly all States on the globe and there's very little hope in this world to change it.  As opposed to eCrime, where all States can get behind to resolve, espionage is a PR nightmare but there will be no motivation on any State level to curtail the acts.
  • Cyber Espionage is not illegal.  The introduction of the Internet has changed things.  It's allowed for a historical human activity to turn into a logical one.  This is significant considering that State Espionage, at an international level, is not a crime.  It's important to remember that espionage is a local State law not an international one.  With the cyber landscape being introduced it's allowed for remote penetration of the systems from outside the legal boarders of that State.
  • Attribution is very difficult.  To identify the malicious activity and associate it with a State espionage requires attribution.  This is very difficult as the attacks are layered and obfuscated to protect the source.  As such it provides a significant advantage to the attacker.

To combat these issues corporations need to start taking a completely new view on how to behave.  There are definetly things we need to consider as a result of the awareness of this new world.

  • Introduction of Corporate Sovereignty.  Where true sovereignty is not the real intent but the establishment of the belief for corporations is important.  Since cloud providers operate across many countries the need to consider themselves independent of any one country is key.  This moves from a concept of sovereignty to one of priorities.  Those basic priorities are Customer and Shareholder, not a government.  As a result, the concept of acting on behalf of any one government is foreign and can not be maintained.  All governments are entities to, only as necessary, address the basic legal matters of business execution.  With this the development and implementation of controls, preventative and detective, to empower the customer for their own Privacy becomes the key distinction to enable corporate sovereignty.
  • Establishment of corporate norms.  It's unfortunate to have to discuss this point, yet, the establishment of company norms to be able to engage with other businesses is necessary.  The ability to state the company has and is not an agent of any government, there are no "backdoors" or other capabilities is necessary to establish Trust between companies.
  • Development of State agnostic security methods.  Throughout time we have leveraged various research and technologies from the US Government to advance and mature our organizations security.  With a sovereignty and separation concept in place for many reasons, we need to start establishing objective capabilities within the our industry itself.  With this we can be assured that, for example, encryption algorithms are not subverted or "backdoor'd".  The establishment of a industry lead development and vetting of algorithms, core technologies and more needs to be done to ensure independence and mitigate any one countries influence.
  • Service Geolocation and Connectivity. The location of service data centers has become a key discussion for privacy and other monitoring points of interest.  While there is no "perfect" country location of a service some are better than others.  In addition to this, the realization that the laws of espionage are not international should drive a core Confidentiality in the application and network connectivity.  This is to ensure any malicious monitoring user would have little to no capability of accessing the content.  This also should facilitate confidentiality even when the data center itself is physically compromised.