NSA activity flips the security equation

If 2013 was the year that the tech industry recoiled in horror at the scale of the NSA's intelligence-gathering activities, it would be nice to think that 2014 could be the year of pushback, or at least increased resistance.

But alas, as more of the cache of NSA documents liberated by Edward Snowden are revealed to the public, a picture of the all-encompassing surveillance agency from Maryland continues to crystallise, and few appear capable of avoiding its ire, once garnered.

Last week, Der Spiegel detailed the tools in the agency's armoury, and they are equally impressive and downright devilish in the range of surveillance able to be collected, and the means for doing so.

Taken in its entirety, it would appear that the best way to avoid the NSA's attention is to never gain it in the first place. Security through one's own obscurity, the pinnacle of submission and passiveness.

Top marks must go to one of the American corporations tainted by the NSA's activities, Microsoft, which flagged the issue when it described the NSA's action as an advanced persistent threat.

"If true, these efforts threaten to seriously undermine confidence in the security and privacy of online communications. Indeed, government snooping potentially now constitutes an 'advanced persistent threat', alongside sophisticated malware and cyberattacks," Microsoft's legal and corporate affairs executive vice president, Brad Smith, wrote at the time.

As the muck spreads further with each NSA revelation, the question morphs from "which vendors are compromised by the NSA?" into "which vendors are not compromised by the NSA?" Similarly, the security perspective changes from viewing networks as virgin territory that must remain pure from intruders to one where a network of any major size must be viewed as having at least one state-based player interested in gaining access to it.

For companies that have followed the prescribed commercial methods of decades past, and locked away as much intellectual property as possible behind patents and other legal instruments, the secrecy that once led to success has now gained a sour aftertaste.

In a world where suddenly everyone is a suspect, and every vendor has the spectre of conformity to the orders of the United States Foreign Intelligence Surveillance Court looming over them, how can the humble IT purchaser be sure that its next piece of hardware doesn't arrive with a court-mandated backdoor installed, or an unclosed vulnerability?

Taking a vendor on its word is not the solution, for even if said vendor wanted to tell its customers about a secret NSA contract, the very nature of those contracts prevents its exposure to the outside world without dire consequences to the vendor.

And so it is that we arrive in a place where denials are picked apart to find the wiggle room in such statements, because it is one of the few methods for seeking some form of insight into what is actually happening.

With vendors now under suspicion, the transparency that each company offers into its implementation methods, software, and hardware will increase in value.

Unless a company is willing to show you its source code, provide useful documentation, and allow for its customers to modify or improve the software concerned, how can someone be completely sure that there is not an undiscovered backdoor left intentionally open?

While open-source software clearly has a leg up in this respect, it is not a question of open source against proprietary software, but where the trust lies, and whether a corporation can trust its suppliers more than it is able to trust its own technical team and assets.

The impact of the NSA's actions on American companies can already be seen, as evidenced by Boeing recently losing a $4.5 billion contract to supply Brazil with fighter aircraft thanks to "the NSA problem", and the UAE having balked at the discovery of US components in a pair of French-made intelligence satellites.

It wasn't that long ago that technology from US companies was implicitly trusted, and former White House special adviser on cybersecurity Richard Clarke was sounding warnings that China had hacked every major US company.

A lot has changed since then, and we now know that the Five Eyes nations — the United States, the United Kingdom, Canada, Australia, and New Zealand — have contributed quite a lot to the state-sponsored hacking stakes.

To pontificate and extrapolate on what this coming year holds for security and technology vendors is wasteful. Only a fool would extrapolate based on 1 percent of the entire dataset being available, and yet that is the state of play at the present time, as the bulk of Snowden's documents have yet to see the light of day.

The impact of the information currently known about the NSA's activities has changed the security and privacy game forever — black is now white, and white is now black. What configuration it all ends up in is anyone's guess.