Snowden's legacy and the NSA of everything
As historians will surely note, events of 2013 have divided the internet age into two eras. Until this year, the internet was primarily seen as a global information and communications utility. Then came the flood of Edward Snowden's revelations, and we were confronted with the stark reality that the internet is also the global surveillance machine — for both government and private sectors.
We'd known that the US National Security Agency (NSA) was conducting signals intelligence on a vast scale, because that's been its job for the last six decades, along with its partner agencies in the rest of the so-called 'Five Eyes' nations: the UK, Australia, Canada, and New Zealand.
We'd also known, or at least assumed, that as the existential threat of a global nuclear war declined following the end of the Cold War, and as the 9/11 attacks made clear the threat of terrorism, the gaze of the Five Eyes had shifted — focusing less on the Soviet and Chinese militaries, and more on potential threats that could come from almost any direction.
But what came as a surprise was the scope and scale of the NSA's data collection, routinely gathering information on vast numbers of users across so many of the major internet services — and even, thanks to more covert activities, scooping up these services' internal data traffic.
"The types of revelations coming out from the Snowden files certainly will be defining points when it comes to understanding the way information flows on the internet," said Alastair MacGibbon, now a director of the Centre for Internet Safety at the University of Canberra, but in a previous life the first head of the Australian Federal Police's High Tech Crime Centre.
"In a weird way, Snowden might have done more good for privacy and security than most people in government around the world, particularly Western governments, are going to be thinking at the moment, by getting people to ask those questions at a grass-roots level," MacGibbon told ZDNet.
"Perhaps a couple of incidents like this will highlight some of the privacy and security and safety stuff that many of us have talked about for so long, but had, frankly, pretty poor cut-through with. We certainly haven't seen much changed user behaviour... There's probably a lot more net benefit to economies in Western countries by improving security than there is net loss in terms of some intelligence gathering."
Sophos director Rob Forsyth agrees. "I think in a perverse way, the NSA revelations, and how that has very much adversely affected Australia's relationship with Indonesia, those things as a corollary, have actually been good for security, because now people realise the importance of it."
Forsyth also notes that this is a mixed blessing: "The people who really did have something to hide will start using high-level encryption and be driven further underground and be harder to catch. Good people will deploy better encryption too, making it harder for law enforcement to conduct easy surveillance, but that will also protect them from the criminals."
"This is a watershed. 2013 will be remembered for the coming of age, if you like, of WikiLeaks through Chelsea Manning and Edward Snowden, and the way in which the whole thing has now panned out."
Except that it hasn't actually panned out yet.
Regional tensions
As 2013 draws to a close, the Australian government has yet to resolve the tensions caused by the revelation that our spooks were monitoring the mobile phones of senior Indonesian government members, and even that of the first lady.
Indonesian president Susilo Bambang Yudhoyono has lost much face. According to James Turner, security analyst with IBRS, that's brought to the surface a resentment that Indonesia shares with many nations, namely that the Five Eyes alliance represents the interests of a handful of primarily white, English-speaking nations that still see themselves as the world's natural leaders.
"There's clearly a very high degree of shared information amongst the Five Eyes, and there's all these people that are not the cool kids in the club wanting to get in on that, and I think part of the stink that's been happening at an international level is just that baseline level of resentment," Turner told ZDNet.
Whether this resentment and the fear of being surveilled will translate into IT vendors losing international sales, particularly to the BRIC nations — Brazil, Russia, India, and China — that were seen as the next growth areas, will come down to transparency.
"I hope that the companies who are selling services, no matter where they're from, are able to demonstrate to their future clients — and their existing clients — that they can put in place measures to reduce the likelihood of this type of activity occurring across their networks," MacGibbon said.
"For me, it's about being asked those tough questions by any customer. I don't think a corporate client in London or Sydney cares any less about their privacy, or the privacy of their customers, or the integrity of their information, than someone sitting in Brazil or India cares. I think all of us care about this stuff, and all of us need to be asking those questions of the suppliers. If they can't give good answers, go and find other suppliers."
"The NSA has proven that it can't control its own data internally on its own network, because someone just walked out with classified documentation. So what have other people been walking out with over the years?"
— James Turner, security analyst with IBRS
Suppliers also need to be careful about their marketing and sales talk, and be specific about what they mean in terms of the security features that are in place. No more hand-waving about "strong user access controls", "industry-standard encryption", or "comprehensive protection".
Turner noted that some vendors from outside the Five Eyes nations have already stressed this need for transparency. Mikko Hypponen from Finland's F-Secure has made it clear that while it will cooperate with governments' law enforcement efforts, that doesn't extend to allowing them to place their software on customers' computers undetected.
Similarly, during his recent Australian visit, Kaspersky Lab chief Eugene Kaspersky explained how its software for the US market is compiled from source code by non-Russian US citizens in Washington — a process that has allowed his Russian company to sell to the US military.
"I was actually struck by the profundity of what Kaspersky said. 'If you want to do business with these people, here's what you need to do: Open the source code, be completely transparent'," Turner said.
One of Turner's main concerns is that the Snowden revelations have revealed some of the NSA's weaknesses.
"At an individual level, most of us don't really care if the NSA's got our personal details. We kind of assume that they do. What we're interested in is the checks and controls that they've got internally," he said.
"The NSA has proven that it can't control its own data internally on its own network, because someone just walked out with classified documentation. So what have other people been walking out with over the years?"
Given the many complex links between the military and the private sector, Turner wonders how much proprietary information from Australian companies has been going backwards and forwards, and whether any of that has subsequently been obtained by other nations that have breached the NSA or their private-sector partners.
"It wouldn't even have been the case of Australian organisations being targeted explicitly for intellectual property. They could have just as easily been collateral damage," he said. "It's particularly the private [companies] that have got out-of-the-public-eye financial records and so on; they're the ones that are interested in this, because they don't know who else is seeing it."
Again, the issue is transparency. "The police are accountable to the public. They're enforcing known laws in a known environment. We see them driving their cars. We know their budgets. Whereas intelligence is a big black box."
Forsyth thinks part of the confusion is that the environment has changed. It's no longer about watching for the imminent launch of a nuclear weapon or tracking stolen plutonium. It's now possible to surveil anyone and everyone, and the potential risk someone poses could be anywhere on a wide spectrum — from fine, upstanding citizens to someone who's breaching copyright, "which is not like buying guns online, or drugs or child abuse material", to cybercriminals who are little more than script kiddies, to the large, well-organised criminal groups.
"So you've got these four disparate groups standing around this quadrangle, and in the middle, unfortunately, you've got very bemused police trying to work out 'Who are the bad guys now?'," Forsyth said. And everyone involved is still trying to work out the acceptable limits.
Death of the perimeter
One key lesson in all of this is that perimeter defence in information security — the idea that you're protected if you have firewalls and anti-malware protection — is well and truly dead.
"This [the Snowden revelations] probably helps prove that. Originally, we were talking about things like if your data resides with trusted third parties or goes through other networks, how do you know what's happening. In the past, we would talk about user access and control, and encryption from point to point and all those other things, and now, we need to step that up even further," MacGibbon said.
"It's certainly not something that's going to be easy for people to comprehend, certainly with the cloud, the way it's been going. A lot of corporates don't even realise they're using the cloud when they're using a whole range of services. The amount of information that's outside the perimeter of the organisation, going through servers and through companies that might have relationships with intelligence agencies certainly is quite telling."
Forsyth thinks the death of the perimeter was inevitable: "You can't have a perimeter when you want the benefit of not having a perimeter. You can't be in a walled garden and expect to be able to roam free across the prairies. I think the perimeter being dead is very, very true, but we wanted it dead so we could all get out with big data and take advantage of those things."
Big data, he said, is really about the Internet of Things, when everything from air conditioners to cars are network devices.
"These machines will come fully formed to the BRIC nations, day one. They won't go through the evolutions they've been through in traditional first-world nations," Forsyth said. And once we start streaming the data from all these devices, we've got "really interesting surveillance".
"That's going to get much worse, much more complicated. When your [smart] car sits in the garage, negotiating different premiums on the next drive it takes for you before you get in it, it will be reporting your driving habits to different insurance companies — how fast you drive — and negotiating that for you before your alarm clock is waking you up."
Every enterprise becomes, in effect, a miniature NSA, collecting and sharing information for commercial benefit. Even medical records would be of interest — and in the global information marketplace, not every country will have the same respect for privacy.
"I think, unfortunately, between now and 2020, things are probably going to get worse, not better," Forsyth said. "You've got a cavalier generation coming through who haven't got much fear about privacy. My dad taught me to never say anything on a telephone that you don't expect to hear again in court."
All that said, Turner doesn't think there's a lot that organisations need to do technically to respond to the Snowden revelations, apart from reviewing the information assets they're entrusting to US cloud vendors and considering the impact on the organisation of the confidentiality of those assets were to be compromised without their knowledge.
"The really important lesson to take away is the vulnerability that an organisation can have to one person," Turner said.
"The lesson that they should be taking from this one is taking care of their people. It's not enough to vet a person, it's not enough to interview them well, it's not enough to know their background. You've actually got to take an ongoing interest in who they are and what they're dealing with on a ongoing basis. If someone had been interested in Snowden all through this period of time, the flags would have been raised."