Monday, 6 January 2014
PRISM: Fallout from NSA internet spying scandal will linger throughout 2014
For years governments have been wrestling with the question of how to deal with the internet.
As noted by numerous politicians - including vice president of the European Commission Neelie Kroes - the internet's free, international, border-crossing nature boasts huge business benefits.
But, as with all powerful things, it also has the potential to cause great harm by opening up businesses to cyber threats, including the risk of theft of corporate and customer data.
These concerns reached new heights in 2013 as news of the PRISM data-gathering campaign surfaced. It proved businesses not only face a challenge to protect customer data from crooks, but also from their own governments.
The PRISM scandal first broke in June 2013, when ex-CIA analyst Edward Snowden leaked documents showing that government bodies, including the US National Security Agency (NSA) and UK Government Communications Headquarters (GCHQ), were siphoning vast amounts of web user data from metadata treasure troves such as Google, Yahoo, Microsoft, Apple and Facebook. As yet, the full details remain unknown. The NSA said in a public report that agents investigated 0.00004 percent of the world's web traffic during their missions, but this is still a big chunk of user data.
This 'reveal' remains of little comfort to businesses, because even now at the start of 2014 the key firms cannot legally reveal what data the NSA took from them.
The US Foreign Intelligence Surveillance Act (FISA) gives the NSA free rein to force businesses to share information stored on their networks, but this also means the companies that receive FISA requests are banned from disclosing any information about them.
Even worse, as noted by Yahoo chief executive Marissa Mayer during an interview at the TechCrunch Disrupt conference, companies that break the gag orders not only put their ability to operate in the US on the line, they also risk landing their executives in jail.
This makes it hard to fully evaluate the scale of the problem, what sort of data is being targeted by the NSA and to what level. Furthermore, it means the companies involved have their reputations tarnished as well. At a time when cloud computing services are helping businesses save costs and work more productively, this setback could make firms wary of providers.
This was noted by Kroes soon after the scandal broke, when she pointed out that the US government's attitude to privacy could have disastrous consequences. "If businesses or governments think they might be spied on, they will have less reason to trust the cloud, and it will be cloud providers who ultimately miss out," she said.
The year ahead
Kroes's comments are more relevant than ever in 2014. Her warning was borne out in August 2013, when reports broke that the Chinese government planned to investigate IBM, Oracle and EMC, following concerns that the NSA could be using those vendors' technologies for cyber espionage. Even now, months on, many companies are still working hard to be more transparent about what requests they received from the NSA, and are also taking defensive measures designed to make it more difficult for the agency to get the data.
This has included a number of court cases against the NSA from Microsoft, Google and Yahoo. Google also rushed to encrypt information stored in, and passing through, its data centres in a bid to protect its customers from snooping government agencies.
While the companies' proactive attempts to help fix the problem are a positive, it is unlikely that they will be particularly effective any time soon. More revelations have shown that some of the most widespread encryption methods used to secure the web, including HTTPS and SSL, have been cracked by government agencies, showing that they are not above taking companies' data by force.
For this reason, as noted by numerous security professionals, such as Silent Circle chief executive Mike Janke, if this issue is going to be solved, open conversations about privacy and data protection have to start again.
"We have to educate the world about what's going on, about how much of people's privacy is gone - which is most of it - and actually have a calm conversation with governments to try and get it back," he said.
Since then Facebook founder Mark Zuckerberg has mirrored Janke's sentiment by arguing for governments around the world to be more transparent about what data they collect.
"What I can tell from the data that I see at Facebook is that I think the more transparency and communication the government could do about how they're requesting the data from us, the better everyone would feel about it," Zuckerberg said.
"From reading in the media, you couldn't get a sense whether the number of requests that the government makes is closer to 1,000 or closer to 100 million. I think the more transparency the government has, the better folks would feel."
However, there is some hope that European businesses will gain some power back in this situation. EU justice commissioner Viviane Reding has called for key changes to the European Data Protection Regulation currently being debated that would minimise and monitor what data can be taken from an EU-based server to a US one.
"The Regulation includes clear rules on the obligations and liabilities of cloud providers who are processors of data. As PRISM has shown, they present an avenue for those who want to access data," said Reding.
While these measures would not make businesses impenetrable to government snooping, they would at least mean companies can actually show what data is being siphoned by groups such as the NSA.
Hopefully Reding's call for change will be heard and implemented in 2014, and the PRISM revelations will finally serve as a wake-up call for better privacy laws, not as a death knell for international trust as they currently stand.