Enterprise computing in the post-Snowden era
It seems implausible that nothing will change in the NSA as a result of Edward Snowden's leaks of their practices. But those practices didn't affect just the government. In light of all that has happened you have to reexamine how your own business operates.
John Dickson, a Principal at Denim Group, a security consulting and services company, has proposed six reasons why the Snowden leaks are your problem as well as the NSA's. I'm more struck by some than others, and I have some to add.
Companies will be more wary to cooperate with governments — Oh yeah, big-time. If the government came to you and asked for you to do something to undermine customers you might well have said now anyway, but now your confidence in the government keeping it a secret can't be what it was before. And as Dickson says, it's not just the US government; anyone who thinks the average European government is more trustworthy is fooling themselves.
Tighter cooperation between security, privacy and corporate counsel will occur — This makes sense superficially, but I'm less certain than Dickson that it will bring about significant actual change.
Companies will review and update their public privacy statements — I agree with Dickson that many in the public believe mistakenly that companies are cooperating voluntarily, even enthusiastically, with the government to compromise their own products. But it's not clear to me that a change in the privacy statement will make a difference to anyone in the public; it's just about satisfying corporate counsel's sense of the company's exposure.
CEOs will question why companies keep certain sensitive customer data at all — This is a good prediction and a good question for executives to ask, but the reason has more to do with data breaches generally and not with the NSA.
Legislation to cooperate with the US Federal Government on Information Sharing is likely dead — It's as dead as J Edgar Hoover. The government will have to make do with what mechanisms they have now.
International clients will ask American IT companies tougher questions — Yes, of course this is true, but what answers can they really expect? And why would they believe that non-US products and services are more trustworthy? In the end, I think the market impact of this will be small, limited to symbolic anecdotes, mostly in the purchases of other governments.
But why stop at international clients? I'm sure US customers will be asking US IT companies more about the security of their products and services, although they too can't reasonably expect informative answers.
Another potential outcome Dickson doesn't address is the vulnerability of your own employees. If Edward Snowden can get through the NSA's contractor process, what kind of traitorous scoundrels work in your own IT department? You need to think about who you trust with the company jewels and perhaps to narrow that circle of trust to a few people who you can scrutinize more thoroughly.
Another prediction worth making is that this is all good for the business of security consulting and penetration testing. If you assume that the government has bugged us all, you probably have to look for the bugs more often and more assertively. Of course, you have to assume that your consultants and pen-testers aren't really working for you-know-who...