Should NSA surveillance influence your business cloud buying decisions?

Moderated by David Gewirtz | November 4, 2013 -- 07:00 GMT (23:00 PST)

Summary: Our IT security experts debate the impact that NSA surveillance revelations can have on your business.

Robin Harris

Yes

or

No

Larry Seltzer

Best Argument: No

74%
26%

Audience Favored: Yes (74%)

The Rebuttal

  • Great Debate Moderator

    Welcome

    I've been a debater before but this is my first time as a host. Hope things go well. Mike check.

    Posted by David Gewirtz

    All set

    Good luck David.

    Robin Harris

    I am for Yes

    Me too

    Let's roll.

    Larry Seltzer

    I am for No

  • Great Debate Moderator

    What's so bad about NSA snooping?

    Let's start off by throwing a bone to the nattering nabobs of negativism. If the NSA could see your corporate data, what could possibly go wrong? Don't hold back. If this is so bad, make us feel it viscerally.

    Posted by David Gewirtz

    It creates a surveillance network

    There are four top areas of abuse.

    1) Industrial espionage. We would all like to believe that NSA analysts are incorruptible but the long sad history of all human activities tells us otherwise. If Edward Snowden was willing to release secrets knowing he could go to prison for life, how many analysts would release data in return for a million dollars?

    2) Reduced security. The NSA would like to believe that the backdoors that it has negotiated are impervious to third parties but that is foolish. Any method the NSA can use to get your data is a method that other state actors and sophisticated criminal groups could use as well.

    3) Government interference in corporate affairs. Do you want the US government using your internal data to pursue objectives in the court of public opinion or in judicial courts?

    4) Use of private information - embarrassing but not illegal - to coerce individuals such as corporate officers to do the government's - or competitors' - bidding. J. Edgar Hoover did that for years and was untouchable in Washington because he had dossiers on all the power players. With Big Data the surveillance state will be even more powerful and pernicious.

    Prosecutors have already used data collected by the NSA and other intelligence agencies in criminal prosecutions. Short-circuiting the normal procedures of discovery in favor of the surveillance state creates a fund.

    Robin Harris

    I am for Yes

    It leaves reason of doubt

    Obviously it depends on a hundred unstated factors; my clients might be criminal law firms, they might be bakeries. But theoretically, they could use that data to compromise my clients or my clients' clients or the individuals at my clients' firms. Even if the compromise exposes criminal or terrorist activity for which I have no responsibility, the breach, if it became known, would give all clients reason to doubt my trustworthiness.

    Larry Seltzer

    I am for No

  • Great Debate Moderator

    Searching for hostile activities works both ways

    Companies (and governments) are turning to cloud solutions as a way to increase agility while saving money. Do you think shareholders would support losing those benefits simply because an American intelligence agency might be scanning transmissions for hostile activities? Justify. If they do care, what is their concern? What would they need to protect?

    Posted by David Gewirtz

    Protect the Constitution

    "Hostile activities" is the pretext, but data use goes far beyond antiterrorist activities. Bureaucracies have a natural tendency to expand and the intelligence community is no exception.

    The choice is not between using or not using cloud infrastructure. The choice is between building the most secure cloud infrastructure we can or relying on the pathetic legal fig leaf and toothless "oversight" that justifies unprecedented surveillance of American citizens in defiance of the Constitution.

    When the pro-intelligence chairman of the Senate intelligence committee is outraged at the tapping of German leader Angela Merkel's cell phone, it is clear that our elected representatives have no idea what the intelligence community is doing and cannot be trusted with oversight of the $50+ billion per year intelligence community.

    As for what needs protecting, let's start with the United States Constitution and the Bill of Rights. "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized" is a response to thousands of years of governmental abuse of power. Anyone who thinks "the good guys" won't abuse power is, simply, a fool.

    As Lord Acton put it: "Power tends to corrupt, and absolute power corrupts absolutely."

    Robin Harris

    I am for Yes

    Expose security failures

    Everyone pays a lot of lip service to security, but I think the last decade or two demonstrate that security is usually trumped by cost and even convenience. The economic and technical advantages of cloud computing are too compelling to ignore. But even aside from that, it's probably a mistake to think that you're any more secure by avoiding cloud computing. Rigid adherence to best practices in the cloud - or not in the cloud - is your best assurance of security against monitoring by the NSA or anyone else. That means encrypting data both at rest and in transit and managing your keys carefully. If you're careful, as you should be, having your data in the cloud doesn't make it any more or less vulnerable to attack. Your real problem will be the compromise of a client system with access to the data, no matter where it resides.

    Larry Seltzer

    I am for No

  • Great Debate Moderator

    NSA's effect on business

    What about other surveillance by other governments? Canada has CSEC. The U.K. has GCHQ. Mexico has CISEN. China has Third Department. New Zealand has GCSB. Russia has FAPSI. Even Denmark has FE (although to be fair, they're mostly concerned about bird/pig relations). The point is this: if you let NSA surveillance influence your business cloud buying decisions, where do you go? What do you do?

    Posted by David Gewirtz

    Security is key

    Competition is the mainspring of capitalism. Therefore our cloud service providers should be competing on the basis of the excellence of the security they offer customers. The goal is not 100 percent security – illusory at best – but reasonable security against all known and knowable threats.

    A key part of this response requires that cloud services providers play a leading role in lobbying Congress and taking action in the courts to keep the Western intelligence community operating in its proper sphere. Another is providing information on where the threats are coming from and providing services to thwart them.

    Robin Harris

    I am for Yes

    Hide they're everywhere

    Don't forget SPECTRE and KAOS! Let's think worst-case scenario: you're not just paranoid, they all really are after you. The difference between the NSA trying to get at your data and foreign intelligence trying to get at it is that the NSA is relatively more constrained in what they can do (some of you don't believe this, but I do), but they can also work with other government agencies to get at your data through legal means. For the former problem nothing really changes; all you can do is what you should be doing anyway, i.e. rigid adherence to best practices. You might need to consider the possibility of blackmail or bribery, which suggests the need for personnel security. As for the US government coming after you by legal means, ask a lawyer.

    Larry Seltzer

    I am for No

  • Great Debate Moderator

    The bottom line?

    Robin says this is a no-brainer. He says "you have a fiduciary responsibility to stockholders." Okay, let's go there. Deconstruct this argument and explain how changing your cloud plans because of the NSA would or would not help the bottom line.


    Posted by David Gewirtz

    Protecting assets

    Fiduciary responsibility is not about quarterly results. It is about protecting corporate assets and capabilities against foreseeable compromise. Clearly, NSA surveillance is now one of those threats to corporate assets.

    As with any new threat there will be some cautionary examples shortly. But when an analyst on his first day checks out his ex, how much more lucrative would it be to check out a competitor?

    Say you're planning a merger. Key execs are making phone calls and having meetings, trading emails and bringing in bankers and accountants. Do you want NSA analysts - and others - to be able to suss out the details from Prism and make money from it? Of course not.

    Robin Harris

    I am for Yes

    Can do nothing about it

    You have a fiduciary responsibility to your stockholders to take any reasonable means necessary to protect company assets. There's essentially nothing you should be doing to protect yourself against NSA snooping that you don't already have a fiduciary responsibility to do.

    Larry Seltzer

    I am for No

  • Great Debate Moderator

    Rank the worries

    Larry, on the other hand, says, "So now you've got the NSA to worry about too?" Go ahead and rank the worries. List at least five things IT managers have to worry about, from least worrisome to most worrisome. Where is the NSA in that list? Justify your ranking.

    Posted by David Gewirtz

    Wrong question

    Wrong question. The real question is, in the ranking of concerns that IT executives should have about cloud infrastructure, where does the NSA fit in that list?

    As several security analysts have pointed out, the NSA's actions – such as requiring backdoors – have made the Internet less secure for everyone, not just cloud service providers.

    You should be worrying about state-supported competitors analyzing your web traffic and your order flow remotely so they will know when to attack you competitively with big allowances or steal your thunder on new product announcements. Our major cloud providers should be competing to offer the most security to their customers.

    Robin Harris

    I am for Yes

    Cost control

    •    (Least) My own government spying on me
    •    A hundred unspecified things
    •    Patch/asset/network management
    •    Security of internal endpoints - PCs, mobile devices, etc
    •    Security of external network connection points (leased lines, employee remote access)
    •    Privileged network infiltration - outsiders who have gained access with high privilege
    •    (Most) cost control

    I should add that there's necessarily some overlap in the categories above. For instance, data leakage generally is a problem which touches on several of the points I made.

    Larry Seltzer

    I am for No

  • Great Debate Moderator

    Missing best practices

    A lot of the stories of NSA surveillance we've been reading about from the Snowden dump have really been about best practices vulnerabilities that the NSA has allegedly taken advantage of. You're both top IT professionals. Other than disconnecting from the Internet permanently, give us a series of best practices prescriptions that can protect companies from being low-hanging spy-agency fruit.

    Posted by David Gewirtz

    Holistic view

    Encrypting everything before it leaves your site is one important tool. But remember the NSA got started doing something called signal intelligence or sigint, which is intelligence derived simply from the frequency, length and addresses of radio communications. Much can be learned from analyzing what is happening at your website and at your associated service providers before you ever get to the cloud.

    The bottom line is that we need a holistic view of infrastructure security, not just protecting individual files via encryption. The NSA has 50 years' experience doing sigint – as do other state actors – so the problem is broader than simply protecting individual files from NSA surveillance.

    Robin Harris

    I am for Yes

    Security, security, security

    •    Encrypt all data at rest and in transit
    •    Apply security updates to all systems as soon as practical
    •    Apply the principle of least privilege - No user or system should have access to any more data or software than necessary
    •    Enforce physical security of systems as much as possible
    •    Scrutinize your own applications for vulnerability. A good place to start is to look for and stop all SQL injection. It's a major, common problem for which there is a clear solution (For the best guidance on best practices for web security, go to OWASP, and their Top Ten Project in particular. Better still, join OWASP and become part of the solution.)
    •    Require two-factor authentication as much as possible

    Larry Seltzer

    I am for No

  • Great Debate Moderator

    Ready or not?

    Larry, you say, "No question about it, you have to assume they may come after the data in your cloud too." Really? Why is there no question? Robin, do you agree? What should you do about it?


    Posted by David Gewirtz

    It's profitable

    Look, when you have analysts looking at their girlfriends' activities, any sensible person has to assume that their company's activities could be even more interesting given a properly motivated – by, say, dollars – analyst.

    If power can be abused, it will be. It's that simple. This isn't about good intentions and protecting the country from terrorism – though there is a place for that – but recognizing that our day-to-day lives of individuals and companies are threatened by unbridled surveillance and analysis.

    Robin Harris

    I am for Yes

    Easy to locate

    Why wouldn't they? By "they" I mean anyone who might illicitly covet your data, including those engaging in industrial espionage or those who would hijack your resources to perform their own work. If your data is in the cloud, that's where they will have to go to get it.

    Larry Seltzer

    I am for No

  • Great Debate Moderator

    What if...

    Congratulations! You've each been nominated for Director of the National Security Agency, Chief of the Central Security Service, and Commander of the United States Cyber Command to replace General Alexander. If you're confirmed for the position, you will be personally responsible for the protection of American citizens from enemy actors. How would you ensure the safety and security of American citizens from enemies foreign and domestic? Lose five points if you mention any political parties.

    Posted by David Gewirtz

    Refuse to be terrorized

    No one in that position will ever back down from the promise to protect all Americans all the time, because it would affect their annual budget allocation. To a bureaucrat that is death.

    What Americans have to do is to refuse to be terrorized by terror. We have to put 9/11 in perspective. As many people die on the nation's highways every month as died on 9/11. Almost as many people die from gunshot wounds every month in America as died on 9/11.

    The people of London, England endured decades of terror by the Irish Republican Army without giving up their freedoms. At some point the American people have to reach deep inside and find the courage to face an uncertain future without relying on the promises of Big Brother to protect them from every potential adversary. It has never happened before and it won't happen now.

    Back when the Total Information Awareness program was proposed 10 years ago, the collective outrage forced the resignation of advocate Admiral Poindexter. But what we have today is the exact same thing under a new name and undergirded by 10 years' progress in storage, systems and big data tools.

    Total Information Awareness was wrong then and Prism is wrong now. Citizens need to assert their right to be secure in their information and free from unwarranted surveillance.

    Robin Harris

    I am for Yes

    Ensure best practices

    In any of these positions there is little or nothing I can do directly to protect American citizens' private data and systems from enemy actors. As head of the NSA the only thing I can do in this regard is to uncover foreign conspiracies against US computing and refer them to the proper authorities. As head of the CSS I can work to ensure best practices in government computing (I'm beginning to sound like a broken record, right?); of course, I'm sure the previous occupants of that position want to do the same, but are constrained from setting the rules necessary to do so. As head of Cyber Command I can demonstrate that the US has powerful, in fact overwhelming cyberwar capabilities in order to deter foreign actors from ever going too far in their own actions.

    Larry Seltzer

    I am for No

  • Great Debate Moderator

    Abolish NSA?

    So, would you abolish the NSA? If you say yes, list all of the functions the NSA performs and explain who or what would pick up the slack. If you say no, explain why the NSA should continue to exist given the firestorm of debate and anger over Snowden's limited interpretation of its actions.

    Posted by David Gewirtz

    No but...

    No, I would not abolish the NSA. But I would put it on a tighter leash.
     
    The NSA's ability to vacuum up and analyze massive amounts of data has created a monster that, in the wrong hands (which is inevitable) threatens American democracy. That is unacceptable.
     
    We also need a constitutional amendment that makes it clear once and for all Americans have a right to privacy and that indiscriminate surveillance is unconstitutional. The executive branch must also commit to a policy of greater transparency on domestic intelligence. Secret courts, secret decisions and secret information requests are an open invitation to abuse.
     
    The intelligence failures of 9/11 were not based on too little information but on reckless disregard at the highest levels of the executive branch in the summer of 2001. Unfortunately, there is no technological fix for stupidity and bad judgment.

    Robin Harris

    I am for Yes

    No, we need it more than ever

    Of course we still need the NSA; we actually need it more than ever. I would argue that oversight of it needs to be stronger, that FISC rulings and procedures need to be more open. Secret law is always a bad thing and FISC rulings are effectively law. And there are some acts the NSA has engaged in which are clearly wrong and need to be stopped (such as the corruption of the standards process).

    In nearly all the Snowden disclosures the NSA is not acting illegally, at least not clearly so. It's what's legal that's shocking. I'm also confident that the FISC tries their best to hold the NSA to the law. So what we need is some new law to set boundaries for the NSA and rights for everyone else. The first, easiest answer is to allow US companies to disclose more data on FISC orders and national security letters that they comply with; this is currently being litigated at the FISC. Perhaps foreigners abroad should have some right to data privacy under US law.

    Larry Seltzer

    I am for No

  • Great Debate Moderator

    Guns or butter

    It's January 20, 2017 and (in parallel universes) President Harris and President Seltzer have just been sworn into office. You're dealing with a struggling economy, in part because America's biggest cloud vendors have been losing customers to European providers. At the same time, the terrorist and cybercrime threatscapes have never been higher. Do you reduce intelligence agency functions to help boost economic growth or do you increase the scope of intelligence agency responsibility to protect companies and citizens? You're now Commander-in-Chief. The buck stops with you. Describe the actions you're going to take on Day One and on Day 100.

    Posted by David Gewirtz

    Infrastructure first

    In a $15 trillion a year economy the $50 billion or so spent on intelligence operations is noise. To fix the economy I would immediately embark on massive infrastructure spending, both physical and our national information infrastructure. That would put money into the pockets of consumers and prepare the US for the next 50 years of growth.
     
    Longer term the US needs to look towards the day when it is no longer the largest economy on earth. To maintain our global standing will require more than economic, military and intelligence might. We have to hold the moral high ground.
     
    Creating an environment where risk-taking is rewarded and where we welcome the best and the brightest from the rest of the world is the only long-term recipe for economic success. America needs to up its game to remain the land of freedom and opportunity.
     
    Giving in to fear is the surest road to America's decline.

    Robin Harris

    I am for Yes

    Reorganize

    On Day One I tell all those customers that they're fooling themselves if they think their data is any more secure in a European cloud than in an American one. For operations based in the US they have actually made their data less secure by adding transit points and made it more available to surveillance by foreign intelligence. I spend the rest of Day One at various inaugural balls, pressing flesh with those who gave the most money to my campaign.

    The morning of Day Two I start the process of making NSA rules and processes more open. At the same time I bring in a small team of trusted outsiders to direct the reorganization of internal data security at the NSA to minimize the possibility of any more Edward Snowdens.

    Over a more extended period I would look into how US law could be used to encourage the adoption of best security practices by businesses and individuals, but it's hard to see how President Seltzer could do much in this regard.

    (Europe won’t save you: Why e-mail is probably safer in the US.)

    Larry Seltzer

    I am for No

  • Great Debate Moderator

    The end

    Thanks again for joining us, I hope you enjoyed our debate. I hope you agree that our debaters worked hard and did their best to give both sides of the story. Tune in Wednesday for the closing arguments and Thursday to see my choice for the winner. Don't forget to vote, read the comments and add your own.

    Posted by David Gewirtz

Talkback

25 comments
  • It's certainly having an effect on businesses and the internet.

    "Should NSA surveillance influence your business cloud buying decisions?"

    It's certainly having an effect on businesses and the internet. Lavabit shut down, so did Groklaw (IMO one of the best legal resources in the tech world).

    It's not really down to if it "should" affect your business anymore; there's the real chance that it *will* affect your business, whether you like it or not.

    If there are more cloud provider shutdowns similar to Lavabit, it will very much affect your cloud buying decisions.

    And if the NSA has problems with moles, or if there are any more Snowden-style incidents, you may have an issue with breaches in your data. It's a risk.
    CobraA1
    Reply 9 Votes I'm Undecided
    • Snowden-style incident

      While I'm quite certain that Snowden doesn't have anything on me in which the Chinese or Russian intelligence services would be interested, it should give people pause that those were the countries he fled to. Snowden may not have given anything to China (and he denies doing so), but I'd be very surprised if President Putin (a veteran spook himself) didn't insist that Snowden be *thoroughly* interrogated by a pair of FSB agents (who had better be happy with the answers) before he was granted asylum in Russia.
      John L. Ries
      Reply 12 Votes I'm Undecided
      • No room for patriots in this nation anymore.

        The only reason Snowden had to flee to Russia is because our fascist government wanted to hunt him down like a dog to silence him. So, it's their own fault if secrets end up in the hands of the Russians. A true patriot doesn't just follow orders when he knows something is morally wrong. Snowden stood up against our tyrannical, oppressive government and shed light on some of their many illegal and immoral activities. This is the same type of thing our founding fathers did when they rose up against immoral tyranny to form a new nation. If our founding fathers acted like that today, they'd be labeled "terrorists," hunted like animals, and thrown in Guantanamo permanently. Snowden is far less evil than anyone currently sitting in Washington. He sacrificed everything he had to do what was right. Heck, I'd vote for Snowden for President, except I know the CIA would assassinate him within days/weeks of taking office.
        BillDem
        Reply 10 Votes I'm Undecided
        • So again...

          ...what should the rules be regarding the handling of "state secrets"? Or should there be any at all?

          Unfortunately, professional revolutionaries are notoriously intolerant of dissent, so I'm highly unlikely to trust any of them (that and I strongly disagree with the programs they normally support as unworkable or just plain wrong-headed). So what we really need are more proactive and well informed citizens who can distinguish between news, entertainment, and propaganda (and one should always start with oneself).

          I figure that if the revolution you seem to want happens, that I won't be a free man very long.
          John L. Ries
          Reply 8 Votes I'm Undecided
    • Snowden apparently did it for free...

      but if a deep pocket company wishes to attain data on their competition they can now buy their way in. As if regular industrial espionage wasn't enough to worry about.
      Andrej Petelin
      Reply 7 Votes I'm Undecided
  • And I'd like to put this out there.

    And I'd like to put this out there. Groklaw did an excellent writeup on why we really need to be concerned about this, right before it was shut down.

    http://www.groklaw.net/article.php?story=20130818120421175
    CobraA1
    Reply 20 Votes I'm Undecided
  • If they wanted your data, they're going to get it

    Should this affect your business? No, not unless you are in the habit of selling explosive materials and other black market items and have an uncanny approach to hosting it in the Cloud.

    Are your business practices not of a legal nature? Maybe you shouldn't use any electronic device and wear a tin-foil hat.

    I think all this fuss about the NSA getting at your Cloud data is slightly justified, that is if you're incorporating bad security practices in the cloud and need to "tighten up". It's a good fright lesson, but to go chicken little about it when you are not doing anything against the state and illegal, ridiculous.

    But I'm not saying keep a blind eye, just don't overreact. They will get your data if they need it that bad, cloud or not.

    Besides we use cloud servers for processing GIS data that is publicly available from the government and used for government purposes.

    So should it bother me, not really.

    If I was hosting Chinese/Russian/Terror network secrets, etc....yes.

    Doing something that the government doesn't need to know about, A) keep it off the internet, B) Watch who you hire, C) Burrow underground.
    spdrcrtob
    Reply 5 Votes I'm for No
    • But the government isn't the problem...

      If they can't even keep a lid on Snowden who apparently wasn't paid to leak all this information what makes you think the more business-minded NSA employees won't or aren't already offering to seek out your sensitive business information to the competition? The raw processing power and data processing capabilities of the NSA makes industrial espionage a whole lot easier.
      Andrej Petelin
      Reply 13 Votes I'm Undecided
  • No amount of public outrage is going to hinder the NSA ...

    ... (until, unless) Congress decides that the NSA has gone too far (which will probably be never). Best practices should always be followed without regard to what the NSA can and cannot do. The word privacy is not in the U. S. Constitution. It has been inferred by the courts from the Fourth Amendment:

    "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."

    But once your personal information is moved to a public conveyance (the Internet, an ISP, a social network), all bets are off. There is no clear definition of your rights once you willingly share this information with Google, or Facebook, or your local grocer in exchange for coupons.

    The bottom line? Unless you want to personally take yourself "off the grid", if they want to, the NSA can and will find you and everything about you which you have ever put in any electronic format.
    M Wagner
    Reply 14 Votes I'm for No
    • The question is...

      ...how much work is it going to be? At least if a U.S. Marshal serves me with a warrant demanding data off of my server, I'll know about it.

      And the spooks might be able to intercept strongly encrypted e-mail, but it's a lot more work than doing it to plain text.
      John L. Ries
      Reply 9 Votes I'm Undecided