High-tech Hide and Seek: How The NSA Is Mucking With Your Business
Was George Orwell merely off by 30 years? In 1949, the dystopian future he envisioned in his book "1984" was thought-provoking sci-fi. Two-way telescreen devices that let the government monitor the lives of private citizens—all in the name of the supposed public good—made for a great read.
And yet today, in an Orwellian twist, it's not unusual to see security professionals cover their laptop cameras with black tape—as some did at a major security conference earlier this year—for they are knowledgeable not only about the extent of the National Security Agency's intelligence-gathering capabilities, but of the tools that cybercriminals have at their fingertips to steal and sell information. The malware available to them can stealthily turn on a camera, snap photographs and record video.
"The irony is not lost on us that there are catalogs of ways that equipment can be exploited to sniff information and even undermine encryption," said Jeremy MacBean, director of business development at IT Weapons, a Brampton, Ontario-based solution provider. "People in our industry weren't surprised that this kind of thing was happening; they were just surprised about how organized it was."
Some believe the intrusion into people's private lives started following the Sept. 11, 2001, terrorist attacks when the U.S. Patriot Act gave law enforcement new powers to gain access to digital information—in some cases clandestine access—in the name of investigating potential terrorist activity. A secret Foreign Intelligence Surveillance Act Court oversees law enforcement efforts to access digital data, but there is little insight into the extent it rubber-stamps the probes or truly acts as a safeguard protecting civil liberties. More recently, the leaks of thousands of secret documents by former government contractor Edward Snowden outline an extensive and complex global surveillance operation that has given intelligence experts access to data intended to be confidential.
Meanwhile, research scientists are working on powerful, new ways to analyze the hodgepodge of collected information—from cellphone metadata to email messages and video chats—to investigate and track down terrorist cells with the aim of preventing another 9/11. Much of that research work happens in a $1.5 billion Utah data center, code-named Bumblehive, where government scientists apply powerful analytics to try to make sense of it all. This is no longer "1984's" Thought Police. This is real-world data crunching.
Global Scare, Business Impact
The extent of the global surveillance activities outlined by the Snowden leaks is scary, MacBean said, explaining that the NSA's cataloging of vulnerabilities to access communications software as well as the use of networking gear to view and record data is far greater than anyone thought. Clandestine access to data is a little unsettling, he said, but no small or midsize business is going to stop government surveillance as part of a government intelligence-gathering operation.
"As the consumer and the service providers, our ability to change outcomes is limited," MacBean said. "All we can do is educate and increase the level of awareness and, if the client is concerned about it, we can try to find alternatives."
Technology firms also are trying to re-establish credibility and trust with their customers following revelations last September that the NSA and its U.K. counterpart, the Government Communications Headquarters, found a way to bypass most security measures used by Internet companies to protect communications, financial and health data. The NSA also reportedly spent $250 million to "covertly influence" product designs of security technology vendors, including the development of secret vulnerabilities or access points into commercial security software.
NEXT: Alarmist Or Realist?
RSA, The Security Division of EMC, came under fire late last year when leaked documents suggested it accepted millions to use a controversial encryption algorithm believed by some to contain back-door access for intelligence-gatherers. The company acknowledged that its core business of encryption gives it close ties to the intelligence community but denied the claim, with RSA Executive Chairman Art Coviello addressing the issue at this year's RSA Conference. In order to grow, according to Coviello, RSA embraced the encryption algorithm, using it in its development tools to meet federal government certification requirements.
"All nations spy on one another," he said. "All intelligence agencies around the world need to adopt a governance model that enables them to do more to defend us and less to offend us."
The Snowden documents also revealed that Microsoft allegedly helped the NSA intercept web chats on its new Outlook.com portal. The software giant allegedly provided a way to circumvent encrypted Outlook.com messages and bypass controls to access Skype video calls. The company issued a denial of the claim and has since bolstered the encryption for data flowing to and from its Outlook.com, Office 365, OneDrive and Windows Azure services. A leaked document also provided evidence of an NSA program aimed at planting holes and coding weaknesses in IT desktop and network equipment without the manufacturers' knowledge.
Alarmist Or Realist?
If alarmist attitudes haven't impacted sales yet, they will, solution providers tell CRN. Businesses have become wary of U.S.-based technology vendors and service providers, leading them to believe data needs to be stored locally and that technology vendors are collaborating with the intelligence community by implementing back doors in their products. Meanwhile, solution providers that sell cloud-based services say the NSA leaks worry businesses that are thinking of migrating data to the cloud. U.S.-based technology providers are being snubbed in favor of local options. In some cases, local data storage is a strict requirement.
The U.S. Patriot Act compounded with the NSA leaks have caused potential clients to look elsewhere, said Don Gray, chief security strategist at Solutionary, a subsidiary of global telecommunications giant NTT. Gray said Solutionary has had Canadian-based businesses decline its security monitoring and device management services out of fear of U.S. government intrusion. Canadian firms are held to the Personal Information Protection and Electronic Documents
Act, which has similar rules outlining government access.
"It makes it difficult for us to provide security services outside of the U.S. because they take the stance that based on what they see and hear, we can't prevent the government from coming in and taking their data," Gray said. "Even if we say as an organization we won't give your data out and we will protect it and do all those things you are required to do as a Canadian company, they say you can't guarantee that because your government may come in and take it."
The Information Technology & Innovation Foundation (ITIF) estimated last year that the U.S. cloud computing industry could see losses of between $22 billion and $35 billion by 2016 associated with the negative fallout. Forrester Research went even further and said losses to U.S. technology firms could total $180 billion, or a 25 percent hit to overall IT service provider revenue.
NEXT: Thinking Globally
The NSA leaks have led to a decline in sales in such emerging markets as Brazil and Russia, said Cisco Systems CFO Frank Calderone. Meanwhile, other U.S. technology companies are reporting difficult conditions with global sales. Brazil said late last year that it is migrating its 700,000 federal employees off Microsoft Outlook in favor of a new secure email system. IBM said in January that it would spend more than $1 billion on new data centers to assuage jittery businesses that worry that their data is not on U.S. soil.
Some service providers with global operations also are building out data centers to help appease data retention requirements. Email security and hosted Exchange firm AppRiver is spending millions opening data centers overseas to meet customer demands, said AppRiver Channel Chief Brian Haynes. When foreign clients see the company headquarters as Gulf Breeze, Fla., they ask a lot more questions about data residency or simply walk the other way, Haynes said.
AppRiver partners with Rackspace for its cloud services in the U.S. and has data center operations in Hong Kong, London and Switzerland. Its messaging archiving partner, Global Relay, is based in Canada.
"We've had prospective clients that are saying they would much rather not have the services housed here in the United States," Haynes said. "That's their choice and we're opening multiple data centers to meet their concerns because we recognize that the data has got to live somewhere."
SilverSky, a managed security service and email hosting and archiving provider based in Milford, Conn., recently hired Del Ross to establish and build out its global channel program with an emphasis on sales in the Asia-Pacific region, said Andrew Jaquith, CTO of SilverSky. To meet the growing demand for localized data prompted, in part, by the NSA leaks, the company has established a new data center in Amsterdam through its partnership with IBM to bolster its European business. The company also has a data center in Singapore.
Of course, 9/11 didn't just affect the U.S. As Jaquith explained, every Western country has since increased the powers given to their NSA equivalent organization. In one of the latest examples, French newspaper Le Monde reported that Orange, the company's largest telecommunications provider, has been handing over sensitive data to France's main intelligence agency, the Direction Générale de la Sécurité Extérieure, including cellphone metadata and other information on its millions of customers.
"There is a broadly held perception that the amount of data analysis and aggregation done in the U.S. is exceptional and done to a much greater extent than other countries, even though there is a certain amount of it going on in every nation," Jaquith said. Service providers should meet tough regulations such as those that outline data handling and data breach notification in California, Jaquith said. The minimum standard will meet requirements in every state in the nation and show potential clients that the company is serious about security.
"As a service provider, when thinking about a strategy for data protection and data retention you want to take the high-water mark approach," Jaquith said. "We will open up data centers wherever they are needed to meet the needs of our customers to meet their data residency requirements. I argue that it is at least a soft form of protectionism as it is anything else, but, nonetheless, that is what the customer wants so that's what we do."
NEXT: A Silver Lining
SilverSky encrypts everything in transit and can encrypt data at rest, depending on the service offered to clients. But encryption isn't a panacea, said Jaquith and other experts. One trade-off is that employees sometimes experience a performance hit for search-intensive processes such as email. Businesses have asked questions about SilverSky's mobile security offering, a managed mobile device management service that the company sells in partnership with AirWatch and oversees on behalf of clients. The company sharply limits the information it collects on users of its AirWatch service, only collecting the user's device identification number and not location data. Location information can be used for more granular policy-based controls, but Jaquith said businesses don't typically use them or find other ways to address policy issues.
"Everyone knows we have to collect metadata for our own purposes to help customers defend themselves," Jaquith said. "We're trying to limit how much we collect to address customer concerns and also to limit our exposure to government requests for data, hacking and other threats."
A Silver Lining
One positive outcome of the NSA leaks is that it is resulting in more educated consumers, said Pete Zarras, founder and president of Cedar Knolls, N.J.-based Cloud Strategies. The company is a Microsoft Gold partner and guides clients through the process of migrating systems to cloud-based services. Zarras said clients are asking more questions and doing a more thorough job of vetting cloud providers and services.
"Anyone with any sense of this knows it's scary when you have an intrusive government that doesn't respect the rule of law and privacy. It certainly is a huge topic that goes from straight up into political and personal views, and that's a difficult subject for a solution provider to have when a potential client brings it up," Zarras said. "We pivot pretty quickly when the topic comes up to talk about responsibilities, prudent data handling and getting the value out of cloud solutions."
Zarras said concerned clients should consider choosing different organizations when outsourcing services and data to cloud providers. For example, use Microsoft for hosted Exchange and instead of using Microsoft for encryption, choose a point encryption vendor. As long as the client encrypts the data and holds the key, Microsoft and other providers won't have a way to access the encrypted data if the government requests it, Zarras said. "At some point or another you can be dumb and ignorant or the other extreme be a paranoid conspiracy theorist; I choose to guide clients to be somewhere in between," Zarras said. "For most people in most situations, just being open and transparent with the internal processes and explaining that we are going to do everything we can to be reasonable and proper and diligent in protecting and securing your data is enough to satisfy most concerns."
Solution providers in the U.S. say they are turning client concerns into a discussion about addressing data security, vulnerability management and configuration issues. There are even vendors that can address data encryption and authentication concerns that clients might have. DataMotion provides a secure email, messaging and file-sharing platform. Vaultive encrypts data before it leaves the organization and the data owners maintain direct control of the encryption keys. Meanwhile, an emerging market of cloud application security vendors provide authentication and encryption. CipherCloud's service scans a network to give organizations a snapshot of the cloud services already being used in each business unit. Once deployed, it also can encrypt data before going to the cloud and provide activity monitoring to prevent abuse.
NEXT: Combatting Internal Threats
Most small businesses are interested in the business value or productivity gains associated with cloud services, said Hugh Sazegar, president and CEO of Houston-based managed IT services provider Techcess Group. In some cases, clients in highly regulated markets or with a lower tolerance of risk may want to consider building out a private cloud for more sensitive systems, rather than relying on public cloud resources, Sazegar said.
"The reality is our customers are small to midsize companies that are much smaller fish to the many larger corporations that are often under increased scrutiny," Sazegar said. "If the government today taps into individuals, they tap more into the phone systems and into their private emails, so we would rather impress upon [businesses] the importance of personal security, addressing security issues, making sure systems are patched and risks are mitigated as much as possible."
Jeff Sumner, president of Swarthmore, Pa.-based TechGuides, works with a team of experts that have been removing Cryptolocker infections from client systems over the past several months. Once the dangerous malware infection is on a laptop or PC it encrypts data and locks victims out of their files. It then spreads to other company systems, including connected automated backup systems. The cybercriminals behind the threat use an extortion tactic, demanding money in the form of Bitcoin for the key to recover the frozen information.
These are the kinds of threats that businesses need to worry about, Sumner said. Anything that disrupts their ability to do business or make money needs to be addressed, he said.
"People opening up attachments, clicking on links and going places where they shouldn't is the real problem that business owners and managers need to be worried about," Sumner said. "At the end of the day your data loss is going to be caused by an employee mistake, not the NSA snooping in on your Internet traffic for suspected terrorists."
Solution providers need to have a conversation about backup and recovery, layering security to detect malware and other threats, and educating their end users about spam, phishing and other scams, he said. Attackers target poorly patched systems, configuration errors and other weaknesses that are typically basic security lapses, Sumner said.
IT Weapons' MacBean also advocates security best practices over steps to guard against government intrusion. Every data breach study concludes with steps that are critical to safeguarding systems, but are often missed for a lack of budgeting, a lack of skilled staff or a lack of a mature information security program, MacBean said. Cybercriminals in China, Russia and Eastern Europe are out to steal intellectual property, customer and employee records and credit card data in a bid to make money. Solution providers need to advocate for the proper protection of servers containing sensitive customer data, ensure that employees have healthy habits around establishing strong passwords, and add two-factor authentication to protect access to critical systems, MacBean said.
"When it comes time to talk with clients about information security, for us it's not which clandestine agencies are going to come after you, it's about where you are most likely to get hacked," MacBean said. "Humans are the ones who are the biggest liability when it comes to security. It's often people making poor choices that cause the biggest lapses and the ones that solution providers have the ability to address."
MacBean may be correct about people making poor choices. But before you decide, consider Orwell's last paragraph in "1984:" "He gazed up at the enormous face. Forty years it had taken him to learn what kind of smile was hidden beneath the dark moustache. O cruel, needless misunderstanding! O stubborn, self-willed exile from the loving breast! Two gin-scented tears trickled down the sides of his nose. But it was all right, everything was all right, the struggle was finished. He had won the victory over himself. He loved Big Brother."