For The Channel, NSA Spying Can No Longer Be Ignored
5:08 PM EST Wed. Sep. 11, 2013
Not too long ago, a heavyweight vendor burst onto the scene in North America hoping to win the hearts and minds of solution providers with compelling technology, aggressive pricing and a new channel program. But, fears over alleged security issues with its products -- specifically backdoor vulnerabilities that could give a certain government access to corporate data centers -- presented a sizable roadblock for the company, as the trust the vendor sought to earn with partners and customers appeared to have evaporated.
The government was China. The company in question was Huawei.
Fast forward to today, and a similar situation has emerged but on a much wider scale and with arguably greater implications for the IT industry. And yet there appears to be little concern or protest from solution providers.
The government is the U.S. The companies in question are, well, basically everyone.
According to The Guardian's most recent report on the U.S. National Security Agency's domestic surveillance, documents obtained by former NSA contractor Edward Snowden show the NSA has cracked the vast majority of Internet encryption technologies.
But, the most damning part of the reports is the revelation that the NSA has "inserted secret vulnerabilities -- known as backdoors or trapdoors -- into commercial encryption software," according to The Guardian's report. Specifically, the report claims the NSA spends $250 million a year on a program that collaborates with technology vendors to "covertly influence" their commercial product designs.
Then there's the New York Times' report, which published the NSA documents last week in partnership with The Guardian and ProPublica:
"In some cases, companies say they were coerced by the government into handing over their master encryption keys or building in a back door. And the agency used its influence as the world’s most experienced code maker to covertly introduce weaknesses into the encryption standards followed by hardware and software developers around the world."
Let that sink in for a moment. The U.S. federal government is actively subverting the technology that you, the channel, use to protect your clients -- and your own businesses. You'd think a group called the National 'Security' Agency would be in the business of plugging software vulnerabilities rather than making more of them.
What's troubling is that none of the documents Snowden leaked to the press say which companies worked -- either willingly or unwillingly -- with the NSA. So, solution providers simply have to take a leap of faith and trust whatever their security vendor partners tell them.
The good news is, some companies are finally expressing concern over these anti-encryption practices. And, they should. As security expert Bruce Schneier recently wrote, the NSA has undermined the very fabric of the Internet and turned it into a vast surveillance platform. If businesses can't trust that their data -- and the encryption standards that protect that data -- is safe from prying online, then the IT industry is facing a serious impediment to future growth.
It's tough to tell at this early stage what kind of negative impact the NSA revelations will have on the industry. But last month, the Information Technology & Innovation Foundation (ITIF), a Washington, D.C.-based think tank, released a report that predicted the NSA's Prism could cost the cloud computing industry $22 to $35 billion over the next three years.
Those losses are theoretical, of course. But, the IT industry needs to act before they become tangible losses, and that includes solution providers. The channel stands to lose as much here as any other facet of the industry -- and perhaps even more.
But, I've spoken with too many solution providers in recent weeks who have expressed a lack of concern or surprise over the recent NSA revelations. Too many VARs say they aren't surprised by the news and already assumed the government was engaged in these kinds of practices.
That kind of thinking needs to end; solution providers need to start thinking about how these practices can negatively impact their businesses. With each passing day, it's becoming evident that the purported safeguards and oversights for the NSA's surveillance program are flawed, weak, and in some cases completely non-existent. The channel can't expect that someone else is going to monitor or curtail these
You may not care if the government reads your email or obtains your phone records without a warrant. But if the NSA is poking holes in security software and furtively obtaining encryption keys, then you should start asking who else can find those holes and encryption keys? We've already seen the kind of damage one government contractor can do with a data breach.
The NSA's online surveillance practices can no longer be dismissed. The channel needs to take a stand on this issue and tell the federal government to stay out of the IT industry before it starts hurting bottom lines.