U.S. technology companies are losing ground to international competitors as a result of the fallout from National Security Agency leaks, and the extent of the negative impact on the economy is not yet known, said Richard Clarke, president of Good Harbor Security Risk Management and one of the members of President Barack Obama's surveillance review panel.
Speaking to hundreds of attendees at the Cloud Security Alliance Summit, Clarke, who served as special adviser to the president for cybersecurity and as national coordinator for security and counterterrorism for the last three U.S. presidents, said the market share slide in Europe, Latin America and Asia is a consequence of poor U.S. policymaking that resulted in surveillance activities at the NSA, the FBI and CIA that had gone relatively unchecked and increasingly out of control.
"There was a complete disconnect from the policymakers and their desire to collect information and the people who were collecting it," Clarke said. "Policymakers have to spend a great deal of time being very specific about what intel they want and need and what intel they don’t want to be collected."
The daylong Cloud Security Alliance Summit, which is held a day before the official start of RSA Conference 2014, has long been looking to establish trust and visibility into the security processes behind cloud-based service providers and their systems. The impact of the NSA leaks on cloud services could be damaging abroad, Clarke said. Clarke railed against government proposals in Europe and Latin America for laws that limit cloud and require data to be geographically housed within certain territories. Certain countries are using the NSA leaks as propaganda because of economic interests and a desire to boost local companies against international competitors, Clarke said.
"I don't think I'm going to get into any trouble if I say that NSA and any other world-class intelligence agency can hack into databases even if they are not in the United States," Clarke said.
Clarke urged summit attendees to read the review panel report, a 303-page document issued in December. He said trust in encryption needs to be reestablished to promote adoption of strong data protection practices. He called on the U.S. government to immediately and appropriately disseminate information about zero-day vulnerabilities so that weaknesses can be fixed quickly, calling the practice essential to defending the nation's critical infrastructure systems.
Solution providers told CRN they have not yet felt any negative impact or any pushback from their clients regarding the software or hardware they sell. The move to cloud-based services and infrastructure has been a gradual shift over time and continues at a slow but steady pace, despite the NSA leaks, said Mark Robinson, president of Findlay, Ohio-based managed IT security and service provider CentraComm.
"I think that there's been so much NSA news coming out that people have grown numb to it at this point," Robinson said. "Data protection and cloud security are important issues to our clients, and at the end of the day, they're going to desire it from all of the companies they do business with and we recognize that."
Businesses want infrastructure and services that are reliable and will have a positive impact on the bottom line, not a negative one, said Pat Grillo, president and CEO of Atrion Communication Resources, a Branchburg, N.J.-based RSA partner. Grillo, whose firm partners with RSA, said he hasn't seen any negative impact despite allegations that RSA and other technology companies aided NSA surveillance activities -- allegations that the vendors deny.
The NSA, FBI and CIA have a group of incredibly talented people dedicated to protecting the country, Clarke said. The agencies are tracking down terrorists and people trafficking weapons of mass destruction. They are working to uncover operations of human trafficking and other human rights violations for the U.S. and its allies, Clarke said.
"We did not find people listening to your phone calls and emails. They're not doing that but they could and that was the central problem," Clarke said.
Clarke said the review panel discovered that while the NSA was good at getting into networks to collect information, its internal security practices were poorly maintained and based on perimeter defense methodology and the idea that once people are vetted, they can be given access to the network.
"It was abysmally poor and criminally negligent on security of its own internal network security," Clarke said of the NSA. "The lesson here was when you say you are putting perimeter defense as a model behind you, that is good rhetoric, but follow up on it with good internal security as well. They didn’t."
Clarke called for the formation of a national privacy and civil liberties oversight board that would be given authority to review all intelligence agency activities. People need to know that there is someone protecting civil liberties and ensuring that privacy rights are being maintained, he said. Clarke also called for the development of international standards on appropriate activity conducted by intelligence agencies. He said a dialogue should be established with other countries about appropriate behavior and when activity crosses the line.
PUBLISHED FEB. 24, 2014