X
More Topics

Should NSA surveillance influence your business cloud buying decisions?

Our IT security experts debate the impact that NSA surveillance revelations can have on your business.
Robin Harris

Robin Harris

Yes

or

No

Larry Seltzer

Larry Seltzer

Best Argument: No

74%
26%

Audience Favored: Yes (74%)

The moderator has delivered a final verdict.

Opening Statements

NSA can reveal business secrets

Robin Harris: This is a no-brainer. You have a fiduciary responsibility to stockholders. You have important business secrets. Cloud computing and storage benefits cannot justify the risks of breaching responsibilities or losing secrets.
Yes, you should encrypt all data before it leaves the site, for any provider. But the analytical capabilities of the NSA can connect webs of people, places and activities to reveal corporate plans.
State sponsored industrial espionage has a long history. If the NSA can read your data, travel itineraries, meeting notes, bank statements and research data so can other intelligence services. NSA backdoors have made the Internet less secure for everyone.
Bottom line: if the NSA can steal your data so can others. NSA analysts can be corrupted. By demanding that cloud providers secure their services against the NSA you help insure your security against other intelligence and nonstate actors.
And don't forget to lobby your Congressmen to get the NSA under control.

Blocking NSA is easy: Just lock your doors

Larry Seltzer: So now you've got the NSA to worry about too? No question about it, you have to assume they may come after the data in your cloud too. What should you do about it? Nothing special. Just keep doing the things you should be doing anyway.

In just about every case of sneaky and sophisticated NSA hacking we've heard of, the Agency was exploiting the failure of their target to employ some best practice. Consider the latest new about Yahoo! and Google: Even data over private lines between two private facilities should be encrypted.

But this stuff is complicated and can be expensive, even for Google, so if the NSA wants to get you they probably can. And if you fail at the level Google failed, nobody has any good reason to get that mad at you for it.

The Rebuttal

  • Great Debate Moderator

    Welcome

    I've been a debater before but this is my first time as a host. Hope things go well. Mike check.

    david-gewirtz.jpg

    Posted by David Gewirtz

    All set

    Good luck David.

    robin-harris-60x45.jpg

    Robin Harris

    I am for Yes

    Me too

    Let's roll.

    larry-seltzer-thumb-60x45.jpg

    Larry Seltzer

    I am for No

  • Great Debate Moderator

    What's so bad about NSA snooping?

    Let's start off by throwing a bone to the nattering nabobs of negativism. If the NSA could see your corporate data, what could possibly go wrong? Don't hold back. If this is so bad, make us feel it viscerally.

    david-gewirtz.jpg

    Posted by David Gewirtz

    It creates a surveillance network

    There are four top areas of abuse.
    1) Industrial espionage. We would all like to believe that NSA analysts are incorruptible but the long sad history of all human activities tells us otherwise. If Edward Snowden was willing to release secrets knowing he could go to prison for life how many analysts would release data in return for million dollars?
    2) Reduced security. The NSA would like to believe that the backdoors that it has negotiated are impervious to third parties but that is foolish. Any method the NSA can use to get your data is a method that other state actors and sophisticated criminal groups could use as well.
    3) Government interference in corporate affairs. Do you want the US government using your internal data to pursue objectives in the court of public opinion or in judicial courts?
    4) Use of private information - embarrassing but not illegal - to coerce individuals such as corporate officers to do the government's - or competitors - bidding. J. Edgar Hoover did that for years and was untouchable in Washington because he had dossiers on all the power players. With Big Data the surveillance state will be even more powerful and pernicious.
    Prosecutors have already used data collected by the NSA and other intelligence agencies in criminal prosecutions. Short-circuiting the normal procedures of discovery in favor of the surveillance state creates a fund.

    robin-harris-60x45.jpg

    Robin Harris

    I am for Yes

    It leaves reason of doubt

    Obviously it depends on a hundred unstated factors; my clients might be criminal law firms, they might be bakeries. But theoretically, they could use that data to compormise my clients or my clients' clients or the individuals at my clients' firms. Even if the compromise exposes criminal or terrorist activity for which I have no responsibility, the breach, if it became known, would give all clients reason to doubt my trustworthiness.

    larry-seltzer-thumb-60x45.jpg

    Larry Seltzer

    I am for No

  • Great Debate Moderator

    Searching for hostile activities works both ways

    Companies (and governments) are turning to cloud solutions as a way to increase agility while saving money. Do you think shareholders would support losing those benefits simply because an American intelligence agency might be scanning transmissions for hostile activities? Justify. If they do care, what is their concern? What would they need to protect?

    david-gewirtz.jpg

    Posted by David Gewirtz

    Protect the Constitution

    "Hostile activities" is the pretext, but data use goes far beyond antiterrorist activities. Bureaucracies have a natural tendency to expand and the intelligence community is no exception.
    The choice is not between using or not using cloud infrastructure. The choice is between building the most secure cloud infrastructure we can or relying on the pathetic legal fig leaf and toothless "oversight" that justifies unprecedented surveillance of American citizens in defiance of the Constitution.
    When the pro-intelligence chairman of the Senate intelligence committee is outraged at the tapping of German leader Angela Merkel's cell phone, it is clear that our elected representatives have no idea what the intelligence community is doing and cannot be trusted with oversight of the $50+ billion per year intelligence community.
    As for what needs protecting, let's start with United States Constitution and the Bill of Rights. "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized" is a response to thousands of years of governmental abuse of power. Anyone who thinks the "the good guys" won't abuse power is a, simply, a fool.
    As Lord Acton put it: "Power tends to corrupt, and absolute power corrupts absolutely."

    robin-harris-60x45.jpg

    Robin Harris

    I am for Yes

    Expose security failures

    Everyone pays a lot of lip service to security, but I think the last decade or two demonstrate that security is usually trumped by cost and even convenience. The economic and technical advantages of cloud computing are too compelling to ignore. But even aside from that, it's probably a mistake to think that you're any more secure by avoiding cloud computing. Rigid adherence to best practices in the cloud - or not in the cloud - is your best assurance of security against monitoring by the NSA or anyone else. That means encrypting data both at rest and in transit and managing your keys carefully. If you're careful, as you should be, having your data in the cloud doesn't make it any more or less vulnerable to attack. Your real problem will be the compromise of client system with access to the data, no matter where it resides.

    larry-seltzer-thumb-60x45.jpg

    Larry Seltzer

    I am for No

  • Great Debate Moderator

    NSA's effect on business

    What about other surveillance by other governments? Canada has CSEC. The U.K. has GCHQ. Mexico has CISEN. China has Third Department. New Zealand has GCSB. Russia has FAPSI. Even Denmark has FE (although to be fair, they're mostly concerned about bird/pig relations). The point is this: if you let NSA surveillance influence your business cloud buying decisions, where do you go? What do you do?

    david-gewirtz.jpg

    Posted by David Gewirtz

    Security is key

    Competition is the mainspring of capitalism. Therefore our cloud service providers should be competing on the basis of the excellence of the security they offer customers. The goal is not 100 percent security –  illusory at best – but reasonable security against all known and knowable threats.
    A key part of this response requires that cloud services providers play a leading role in lobbying Congress and taking action in the courts to keep the Western intelligence community operating in its proper sphere. Another is providing information on where the threats are coming from and providing services to thwart them.

    robin-harris-60x45.jpg

    Robin Harris

    I am for Yes

    Hide they're everywhere

    Don't forget SPECTRE and KAOS! Let's think worst-case scenario: you're not just paranoid, they all really are after you. The difference between the NSA trying to get at your data and foreign intelligence trying to get at it is that the NSA is relatively more constrained in what they can do (some of you don't believe this, but I do), but they can also work with other government agencies to get at your data through legal means. For the former problem nothing really changes; all you can do is what you should be doing anyway, i.e. rigid adherence to best practices. You might need to consider the possibility of blackmail or bribery, which suggests the need for personnel security. As for the US government coming after you by legal means, ask a lawyer.

    larry-seltzer-thumb-60x45.jpg

    Larry Seltzer

    I am for No

  • Great Debate Moderator

    The bottom line?

    Robin says this is a no-brainer. He says "you have a fiduciary responsibility to stockholders." Okay, let's go there. Deconstruct this argument and explain how changing your cloud plans because of the NSA would or would not help the bottom line.

    david-gewirtz.jpg

    Posted by David Gewirtz

    Protecting assets

    Fiduciary responsibility is not about quarterly results. It is about protecting corporate assets and capabilities against foreseeable compromise. Clearly, NSA surveillance is now one of those threats to corporate assets.
    As with any new threat there will be some cautionary examples shortly. But when an analyst on his first day checks out his ex, how much more lucrative would it be to check out a competitor?
    Say you're planning a merger. Key execs are making phone calls and having meetings, trading emails and bringing in bankers and accountants. Do you want NSA analysts - and others - to be able to suss out the details from Prism and make money from it? Of course not.

    robin-harris-60x45.jpg

    Robin Harris

    I am for Yes

    Can do nothing about it

    You have a fiduciary responsibility to your stockholders to take any reasonable means necessary to protect company assets. There's essentially nothing you should be doing to protect yourself against NSA snooping that you don't already have a fiduciary responsibility to do.

    larry-seltzer-thumb-60x45.jpg

    Larry Seltzer

    I am for No

  • Great Debate Moderator

    Rank the worries

    Larry, on the other hand, says, "So now you've got the NSA to worry about too?" Go ahead and rank the worries. List at least five things IT managers have to worry about, from least worrisome to most worrisome. Where is the NSA in that list? Justify your ranking.

    david-gewirtz.jpg

    Posted by David Gewirtz

    Wrong question

    Wrong question. The real question is, in the ranking of concerns that IT executives should have about cloud infrastructure, where does the NSA fit in that list?
    As several security analysts have pointed out the NSA's actions – such as requiring backdoors – has made the Internet less secure for everyone, not just cloud service providers.
    You should be worrying about state-supported competitors analyzing your web traffic and your order flow remotely so they will know when to attack you competitively with big allowances or steal your thunder on new product announcements. Our major cloud providers should be competing to offer the most security to their customers.

    robin-harris-60x45.jpg

    Robin Harris

    I am for Yes

    Cost control

    •    (Least) My own government spying on me
    •    A hundred unspecified things
    •    Patch/asset/network management
    •    Security of internal endpoints - PCs, mobile devices, etc
    •    Security of external network connection points (leased lines, employee remote access)
    •    Privileged network infiltration - outsiders who have gained access with high privilege
    •    (Most) cost control

    I should add that there's necessarily some overlap in the categories above. For instance, data leakage generally is a problem which touches on several of the points I made.

    larry-seltzer-thumb-60x45.jpg

    Larry Seltzer

    I am for No

  • Great Debate Moderator

    Missing best practices

    A lot of the stories of NSA surveillance we've been reading about from the Snowden dump have really been about best practices vulnerabilities that the NSA has allegedly taken advantage of. You're both top IT professionals. Other than disconnecting from the Internet permanently, give us a series of best practices prescriptions that can protect companies from being low-hanging spy-agency fruit.

    david-gewirtz.jpg

    Posted by David Gewirtz

    Holistic view

    Encrypting everything before it leaves your site is one important tool. But remember the NSA got started doing something called signal intelligence or sigint, which is intelligence derived simply from the frequency, length and addresses of radio communications. Much can be learned from analyzing what is happening at your website and at your associated service providers before you ever get to the cloud.
    The bottom line is that we need an a holistic view of infrastructure security, not just protecting individual files via encryption. The NSA has 50 years experience doing sigint – as do other state actors – so the problem is broader than simply protecting individual files from NSA surveillance.

    robin-harris-60x45.jpg

    Robin Harris

    I am for Yes

    Security, security, security

    •    Encrypt all data at rest and in transit
    •    Apply security updates to all systems as soon as practical
    •    Apply the principle of least privilege - No user or system should have access to any more data or software than necessary
    •    Enforce physical security of systems as much as possible
    •    Scrutinize your own applications for vulnerability. A good place to start is to look for and stop all SQL injection. It's a major, common problem for which there is a clear solution (For the best guidance on best practices for web security, go to OWASP, and their Top Ten Project in particular. Better still, join OWASP and become part of the solution.)
    •    Require two-factor authentication as much as possible

    larry-seltzer-thumb-60x45.jpg

    Larry Seltzer

    I am for No

  • Great Debate Moderator

    Ready or not?

    ​Larry, you say, "No question about it, you have to assume they may come after the data in your cloud too." Really? Why is there no question? Robin do you agree? What should you do about it?

    david-gewirtz.jpg

    Posted by David Gewirtz

    It's profitable

    Look, when you have analysts looking at their girlfriends activities any sensible person has to assume that their company's activities could be even more interesting given a properly motivated – by, say, dollars – analyst.
    If power can be abused, it will be. It's that simple. This isn't about good intentions and protecting the country from terrorism – though there is a place for that – but recognizing that our day-to-day lives of individuals and companies are threatened by unbridled surveillance and analysis.

    robin-harris-60x45.jpg

    Robin Harris

    I am for Yes

    Easy to locate

    Why wouldn't they? By "they" I mean anyone who might illicitly covet your data, including those engaging in industrial espionage or those who would hijack your resources to perform their own work. If your data is in the cloud, that's where they will have to go to get it

    larry-seltzer-thumb-60x45.jpg

    Larry Seltzer

    I am for No

  • Great Debate Moderator

    What if...

    Congratulations! You've each been nominated for Director of the National Security Agency, Chief of the Central Security Service, and Commander of the United States Cyber Command to replace General Alexander. If you're confirmed for the position, you will be personally responsible for the protection of American citizens from enemy actors. How would you ensure the safety and security of American citizens from enemies foreign and domestic? Lose five points if you mention any political parties.

    david-gewirtz.jpg

    Posted by David Gewirtz

    Refuse to be terrorized

    No one in that position will ever back down from the promise to protect all Americans all the time, because it would affect their annual budget allocation. To a bureaucrat that is death.
    What Americans have to do is to refuse to be terrorized by terror. We have to put 9/11 in perspective. As many people die on the nation's highways every month then died on 9/11. Almost as many people die from gunshot wounds every month in America than died on 9/11.
    The people of London, England endured decades of terror by the Irish Republican Army without giving up their freedoms. At some point the American people have to reach deep inside and find the courage to face an uncertain future without relying on the promises of Big Brother to protect them from every potential adversary. It has never happened before and it won't happen now.
    Back when the Total Information Awareness program was proposed 10 years ago, the collective outrage forced the resignation of advocate Admiral Poindexter. But what we have today is the exact same thing under a new name and undergirded by 10 years progress in storage, systems and big data tools.
    Total Information Awareness was wrong then and Prism is wrong now. Citizens need to assert their right to be secure in their information and free from unwarranted surveillance.

    robin-harris-60x45.jpg

    Robin Harris

    I am for Yes

    Ensure best practices

    In any of these positions there is little or nothing I can do directly to protect American citizens private data and systems from enemy actors. As head of the NSA the only thing I can do in this regard is to uncover foreign conspiracies against US computing and refer them to the proper authorities. As head of the CSS I can work to ensure best practices in government computing (I'm beginning to sound like a broken record, right?); of course, I'm sure the previous occupants of that position want to do the same, but are constrained from setting the rules necessary to do so. As head of Cyber Command I can demonstrate that the US has powerful, in fact overwhelming cyberwar capabilities in order to deter foreign actors from ever going too far in their own actions.

    larry-seltzer-thumb-60x45.jpg

    Larry Seltzer

    I am for No

  • Great Debate Moderator

    Abolish NSA?

    So, would you abolish the NSA? If you say yes, list all of the functions the NSA performs and explain who or what would pick up the slack. If you say no, explain why the NSA should continue to exist given the firestorm of debate and anger over Snowden's limited interpretation of its actions.

    david-gewirtz.jpg

    Posted by David Gewirtz

    No but...

    No, I would not abolish the NSA. But I would put it on a tighter leash.
     
    The NSA's ability to vacuum up and analyze massive amounts of data has created a monster that, in the wrong hands (which is inevitable) threatens American democracy. That is unacceptable.
     
    We also need a constitutional amendment that makes it clear once and for all Americans have a right to privacy and that indiscriminate surveillance is unconstitutional. The executive branch must also commit to a policy of greater transparency on domestic intelligence. Secret courts, secret decisions and secret information requests are an open invitation to abuse.
     
    The intelligence failures of 9/11 were not based on too little information but on reckless disregard at the highest levels of the executive branch in the summer of 2001. Unfortunately, there is no technological fix for stupidity and bad judgment.
    robin-harris-60x45.jpg

    Robin Harris

    I am for Yes

    No, we need it more than ever

    Of course we still need the NSA; we actually need it more than ever. I would argue that oversight of it needs to be stronger, that FISC rulings and procedures need to be more open. Secret law is always a bad thing and FISC rulings are effectively law. And there are some acts the NSA has engaged in which are clearly wrong and need to be stopped (such as the corruption of the standards process).

    In nearly all the Snowden disclosures the NSA is not acting illegally, at least not clearly so. It's what's legal that's shocking. I'm also confident that the FISC tries their best to hold the NSA to the law. So what we need is some new law to set boundries for the NSA and rights for everyone else. The first, easiest answer is to allow US companies to disclose more data on FISC orders and national security letters that they comply with; this is currently being litigated at the FISC. Perhaps foreigners abroad should have some right to data privacy under US law.

    larry-seltzer-thumb-60x45.jpg

    Larry Seltzer

    I am for No

  • Great Debate Moderator

    Guns or butter

    It's January 20, 2017 and (in parallel universes) President Harris and President Seltzer have just been sworn into office. You're dealing with a struggling economy, in part because America's biggest cloud vendors have been losing customers to European providers. At the same time, the terrorist and cybercrime threatscapes have never been higher. Do you reduce intelligence agency functions to help boost economic growth or do you increase the scope of intelligence agency responsibility to protect companies and citizens? You're now Commander-in-Chief. The buck stops with you. Describe the actions you're going to take on Day One and on Day 100.

    david-gewirtz.jpg

    Posted by David Gewirtz

    Infrastructure first

    In a $15 trillion year economy the $50 billion or so spent on intelligence operations is noise. To fix the economy I would immediately embark on massive infrastructure spending, both physical and our national information infrastructure. That would put money into the pockets of consumers and prepare the US for the next 50 years of growth.
     
    Longer term the US needs to look towards the day when it is no longer the largest economy on earth. To maintain our global standing will require more then economic, military and intelligence might. We have to hold the moral high ground.
     
    Creating an environment where risk-taking is rewarded and where we welcome the best and the brightest from the rest of the world is the only long-term recipe for economic success. America needs to up it's game to remain the land of freedom and opportunity.
     
    Giving into fear is surest road to America's decline.
    robin-harris-60x45.jpg

    Robin Harris

    I am for Yes

    Reorganize

    On Day One I tell all those customers that they're fooling themselves if they think their data is any more secure in a European cloud than in an American one. For operations based in the US they have actually made their data less secure by adding transit points and made it more available to surveillance by foreign intelligence. I spend the rest of Day One at various inaugural balls, pressing flesh with those who gave the most money to my campaign.

    The morning of Day Two I start the process of making NSA rules and processes more open. At the same time I bring in a small team of trusted outsiders to direct the reorganization of internal data security at the NSA to minimize the possibility of any more Edward Snowdens.

    Over a more extended period I would look into how US law could be used to encourage the adoption of best security practices by businesses and individuals, but it's hard to see how President Seltzer could do much in this regard.
    (Europe won’t save you: Why e-mail is probably safer in the US.)

    larry-seltzer-thumb-60x45.jpg

    Larry Seltzer

    I am for No

  • Great Debate Moderator

    The end

    Thanks again for joining us, I hope you enjoyed our debate. I hope you agree that our debaters worked hard and did their best to give both sides of the story. Tune in Wednesday for the closing arguments and Thursday to see my choice for the winner. Don't forget to vote, read the comments and add your own.

    david-gewirtz.jpg

    Posted by David Gewirtz

Closing Statements

More risks than rewards

robin-harris.jpg

Robin Harris

To sum up then the arguments against taking the NSA into account in your cloud activities are simple and few. 

 There's nothing you can do about it anyway so why worry?

 The NSA's activities are necessary to protect Americans against terrorism.

 The economic advantages of cloud services are too great to ignore despite the security risks.

 Against that I argue that the unprecedented surveillance by the NSA is dangerous to the health and security of the Internet; unnecessary to protect Americans against terrorism; and should be addressed by both our elected representatives and major cloud service providers to make the Internet more secure and to increase the transparency of intelligence activities.

 The cloud is an important and revolutionary infrastructure. If the United States is to maintain technology leadership we need to be able to assure the entire world that their data and secrets are safe with American technology providers.

Worry about criminals first, NSA after

larry-seltzer-thumb.jpg

Larry Seltzer

I have attempted, in this debate, to avoid emotional arguments or assertions of moral authority. If you are making security decisions for a business you really need to do the same or you are not serving your company's interests.

The core of my argument here is that there is nothing about what the NSA has done or is accused of doing which gives reason to take measures that you shouldn't be taking anyway. I'll go a step further here: The NSA is almost certainly uninterested in your cloud data, but there is a large population of criminals who might be. You need to protect your data against them, and that means taking pretty much all the measures you could to impede the NSA.  Ergo: Don't worry about the NSA. It accomplishes nothing and confuses the issue. They are just another potential attacker, albeit a highly-sophisticated and heavily-resourced one.

Great debate: More action wins

david-gewirtz-150x105.jpg

David Gewirtz

This was an exceptional debate and I was proud to be able to elicit such excellent responses from both Robin and Larry. I approached judging this debate based on the merits of each question.
For each question, the individual answers Robin and Larry gave were each judged on their own merit, and each debater was awarded up to five points. Also, each question was judged based on which debater gave the better answer and balanced the issues of economics and security. For this part of the metric, the debaters split five points, with one debater always being awarded more points than the other.
As I reviewed the answers, I was struck by the differences in style of these two experts. Robin often answered with a more global and ideological perspective and while Larry often gave the more practical answers.
I found Robin's answers generally more inspiring and representative of the way I'd like to see us function as a nation and a society. I found Larry's answers more directly actionable.
In the end, that's what proved to decide our winner. The debate is entitled, "Should NSA surveillance influence your business cloud buying decisions?" and, at the end, our debaters really needed to provide answers that IT managers and CXOs could take to their management and stockholders.
Larry met that responsibility better, and scored 69 points to Robin's 62. Therefore Larry is the winner of this week's Great Debate.
That said, if they agree to run in 2016, I'd rather vote for Harris for President or Seltzer for President than any of the crop of jokers we're likely to be fielding from either of the parties. I'm all for the Seltzer/Harris or Harris/Seltzer ticket!

Editorial standards