NEW YORK — Edward Snowden sure has caused a lot of headaches in the IT security community.
His reported leaks have sent the industry into overdrive mode over the past ten months in order to counter some of the previously unthinkable tactics used by the U.S. National Security Agency and the wider intelligence community.
In spite of blowing the whistle on some of the encryption-cracking efforts, the fiber-cable tapping, and the zero-day flaw exploitation, Snowden was the one who caused damage to the Internet, according to one former senior NSA official.
Former NSA deputy director of training Col. Cedric Leighton said in remarks at the Bloomberg Enterprise Technology Summit in New York City on Thursday that Snowden's leaks had performed a "significant disservice" to the worldwide health of the Internet.
He was talking about the recent moves by Brazil and other countries to reconsider the decentralized nature of the foundation of the Internet.
Quick to respond, Trend Micro chief technology officer Raimund Genes said Europe's efforts to strengthen policy within the borders of its 28 member states were "going over the top."
He added that policy was not always the answer, and that the security industry should also find solutions to benefit customers the most.
Undermining the fabric of the Internet
The panel pitted the U.S. intelligence agency's actions against the rest of the world — the Snowden leaks have touched almost every nation — and led with the discussion on nation states' efforts to create their own versions of the Internet, including keeping citizen data within their own respective borders.
"The Internet was created to be global, and it should stay global," Genes added.
"When you have a situation where all of a sudden, everyone goes into 'tribal' mode — a German cloud, a Swiss cloud, or any other separate internet, they are significant nationalistic attempts. What happened with Snowden, it's more of an excuse than a policy, it's more of an excuse to re-nationalize the Internet," Leighton said.
This, he suggested, was the beginning of the end for the Internet as we know it.
But Genes was quick to turn the tables on the former NSA deputy director.
"It made us more aware that nothing is really safe," Genes remarked. "If Snowden is able to get millions of documents from the NSA, what does that say about the security industry designed to protect customer interests?"
Leighton defended the NSA's actions, calling some of the reporting of the disclosures "sensational" and "haphazard," and warned that only part of the story was being told.
The NSA has, arguably, responded in its own haphazard and unpredictable way — often issuing vague comments or the rare denial, but mostly a "no comment."
Exploiting the Internet's weaknesses
While the NSA has always said that it's "doing its job," the question now is how that mission changes, or whether it should change, in a post-Snowden world. The White House has already adopted a recommendation to limit which zero-day attacks and other cyberweapons it uses.
Another panel member, Palo Alto Networks chief security officer Rick Howard, said following the mild-mannered dispute that nobody in the security industry understands what the boundaries are for intelligence services — pointing to the intelligence agency's stockpile of zero-day exploits.
Howard admitted his company was "having a hard time dealing with it."
Genes asked the former NSA deputy director: "Isn't the job of the government to also protect the Internet?"
Last week, the NSA denied that it knew of the Heartbleed bug in advance of its disclosure. This flaw in the commonly used OpenSSL library affected millions of websites and servers around the world.
The White House issued a statement saying it would report zero-day flaws if it discovered them, so long as it doesn't interfere with national security objectives. As The New York Times put it, the Obama administration will "let [the] NSA exploit some Internet flaws."
While Leighton acknowledged that "the NSA can do its job without exploiting zero-day flaws or using its vulnerability stockpile," he added that it would make its job "far more difficult."
Cybersecurity data sharing: CISPA revisited?
Leighton's train of thought suggested how the U.S. government works together with private industry partners — particularly those in the security fields — in order to share data and information on cyberthreats, before they become a major issue.
"The government and the private sector need a common sense of agreement. You give security clearances on a need-to-know basis to the right companies, and you tell those companies that we are working together to minimize zero-day vulnerabilities. It would be a concerted effort to go after the bad guys."
He was talking about CISPA, or the Cyber Intelligence Sharing and Protection Act.
Leighton's comments come just a few weeks after the new NSA director Vice Admiral Michael Rogers testified to a Congressional committee about the importance of cyberthreat data sharing.
Under previous incarnations of CISPA, this meant a company like Facebook, Twitter, Google, or any other technology or telecoms company, including cell service providers, would be allowed to hand over vast amounts of data to the U.S. government and its law enforcement agencies — for whatever purpose the feds deem necessary — and face no legal reprisals.
CISPA was highly opposed by privacy advocates and civil liberties groups, which described the bill as a "privacy killer" and "dangerously vague," yet it was supported widely by Silicon Valley and other technology firms.
The bill eventually crumbled on the Senate floor after a failed vote, with Sen. Jay Rockefeller (D-WV), chairman of the Senate Commerce Committee, citing "insufficient" privacy protections. The White House previously said the President would veto the bill should it reach his desk.
Rogers said in mid-March that while cybersecurity legislation was a "step in the right direction," information sharing between private companies — such as Silicon Valley giants — would be, "in the long run… probably the right answer."
Rogers was confirmed as the joint NSA and United States Cyber Command chief on April 1.