What will life on the internet look like, now that the cat is out of the bag? Danny Bradbury reports from the edge of a worrying new frontier.
Along with Julian Assange, Edward Snowden will go down as one of the most respected and reviled computer experts in history. The former Booz Allen Hamilton employee, now hiding in Russia, blew the intelligence community apart in May 2013, leaking documents from a cache that he stole from the US National Security Agency. As many as 1.7 million documents were accessed, say reports. The revelations have been described as “cataclysmic” by NSA execs.
Cataclysmic for the NSA, perhaps, but what about everyone else? Some, such as Mark Brown, director of information security at EY (formerly Ernst & Young), see positives. “It has increased awareness not just amongst the IT crowd, but amongst management. I’d say it has benefitted the industry, not simply in commercial terms”, he maintains.
CIOs can now build a profile within their firms because more people are taking notice, he adds. “If you think about it, a cyber-attack is now an issue of interest to all of us.”
Others are less sympathetic. The Electronic Frontier Foundation sees dark clouds ahead for US businesses, and others. “We've seen lots of reports from US businesses that are concerned about the government spying and what it might do to business abroad”, says digital rights analyst Rebecca Jeschke.
Bigger Issues
There are bigger issues at stake, says Jason Healey, director of the Cyber Statecraft Initiative of the Atlantic Council, an organization that promotes leadership in international affairs.
He likens the breach of trust not to a five-year event, but to a 500-year one. What if the Vatican and other authorities could have known about everything that was distributed after the Gutenberg printing press was invented, he asks. “Would we have had the Renaissance or the Enlightenment if we couldn't trust the underlying communications mechanism?”
Among the Snowden revelations were documents showing the systematic monitoring of individuals' accounts via large cloud-based companies – such as Microsoft, Google, Facebook and Yahoo – under the PRISM program. Other programs included Quantum Insert, which placed servers at key chokepoints on the internet with the help of telecommunications companies, to perform man-in-the-middle attacks on key targets when they tried to access well-known online services. The list of attacks is extensive.
Governments have always been an attack vector, argues Steve Durbin, global vice president of the Information Security Forum. “The issue is that if you do not know what is being shared with a third party, how can you include it in your business risk profile?”, he ponders. “There is little difference between this and any other third party in your supply chain – except you do not know and cannot control what data is shared.”
Self-protection
Durbin advises a three-step program to secure information. Adopting best practice guidelines, such as the ISF Standard of Good Practice and the NIST Cybersecurity Framework, is a start. Second, align security with stakeholder value by benchmarking organizational cybersecurity against other companies or sectors.
These are all good points, but for the security industry, perhaps one of the most worrying revelations isn't the active surveillance itself, but rather the widespread compromise of cybersecurity mechanisms that are supposed to prevent it. With suitably secure cryptographic technology, mass data collection needn't be a problem, because the content itself is rendered unreadable. But if the standards used to encrypt the content are themselves compromised, then all bets are off.
One of the initiatives unveiled by the Guardian through its interactions with Edward Snowden was Project Bullrun, a decryption program operated by the NSA that attacked cryptographic protection through various means, including working with manufacturers to insert backdoors in encryption chips. This has affected BSafe, an RSA security toolkit: the company admitted that the toolkit supports an encryption algorithm believed to contain a hidden backdoor, but denies taking payment to insert the flaw.
NSA assets include a Key Provisioning Service, which provides keys to decode messages. A separate Key Recovery Service acquires keys not yet in the NSA's possession.
Another attack involves covertly influencing standards development. All this has led to a flurry of activity in standards bodies, which are worried that they may have been compromised. In November 2013, the US National Institute of Standards and Technology (NIST) announced that it would review all of its cryptographic standards.
However, not everyone is worried about NSA involvement. The Crypto Forum Research Group, which provides cryptographic guidance to Internet Engineering Task Force (IETF) working groups, decided to keep senior NSA cryptographer Kevin Igoe as one of its two co-chairs.
This key acquisition initiative has taken a new twist, following the lawsuit between secure email communications provider Lavabit and the US government. That organization, said to have been used by Snowden himself, closed down its email service last August, after the US government pressured the founder to release digital keys that would enable it to decrypt communications. The company is now appealing a contempt of court ruling, after resisting a government subpoena compelling the provider to hand over the keys.
The US Response
None of this has done much to bolster the US position on the world stage, argues Healey, who recently returned from the Munich Security Conference, where he had frequent conversations with European parliamentarians including heads of state and ministers of foreign affairs. “The message that we got is that the Europeans are at least as angry at this as they were about the Iraqi invasion, and that they are getting absolutely no understanding from the United States”, he says. “Secretary Kerry and Secretary Hagel were both there, and neither of them brought this up in the public remarks.”
On the face of it, you can see how some European countries might be frustrated. European journalists revealed that the US eavesdropped on former German Chancellor Gerhard Schroeder over his criticism of the Iraq invasion. It has also spied on Chancellor Angela Merkel since 2002, reports have suggested.
However, there are signs that Germany has also been implicated in the whole process. In an interview with German newspaper Der Spiegel shortly after the leak, Snowden said that the US was “in bed together with the Germans”, along with most other Western countries, to exchange information with each other without asking the service provider how it was obtained. Most recently, respected 32-year-old German hacking group Chaos Computer Club accused Merkel of helping intelligence agencies in the US and UK to spy on German citizens.
International cyber-espionage appears to be a selective operation, in which both friends and foes are targeted. For example, Israel – with which the NSA is said to have written Stuxnet, and which has long been one of the US’s closest allies – has for years been targeted by NSA surveillance, according to leaked files, say newspapers on both sides of the Atlantic. In fact, the NSA has operations in over 60 countries that also target individuals in supranational bodies, such as the UN and EU, reports have indicated.
Five Eyes
The surveillance world has its own supranational body, Five Eyes, which dominates the Western international intelligence gathering effort. This cooperative consists of the US, the UK, Canada, Australia, and New Zealand, and emerged from international cooperation during the Second World War.
Signals intelligence is a key part of the Five Eyes operation, and heads of signals intelligence assets meet annually to review collective performance and plan activity.
Canada has been a willing participant in electronic eavesdropping. Leaked documents have shown the country's phone signals intelligence operation, Communications Security Establishment Canada (CSEC), spying on travelers through its airports by tracking their wireless devices via public WiFi networks.
Other allegations include that CSEC may have invited the NSA to spy on world leaders during the 2010 G20 summit in Toronto, and in October, it was found to have spied on the Brazilian energy sector. Newspapers there have reported on secretive metadata gathering programs by CSEC stretching as far back as 2004.
Ben Sapiro, manager of the non-profit OpenCERT organization north of the border, says that post-Snowden, he has seen some increase in awareness among consumers and IT professionals alike – but not necessarily a change in behavior. People are not moving to secure communications systems, for example, because the inertia is simply too great.
Breaking Up is Hard to Do
“There's a critical mass/last mile problem”, Sapiro observes. “If you and I are on a secure system and we want to interface with a third party, how do we do that?” Secure technologies need bridges.
These bridges are starting to emerge. For example, Whisper's Android-based apps allow the default system dialer and text messaging to work just as they normally would, but upgrade to secure versions, encrypted with local keys, when other users have them. Similarly, the teams behind Lavabit and Silent Circle have started Darkmail, an initiative to create a locally encrypted, end-to-end replacement for email, which would bridge to standard SMTP where necessary.
That's a way to secure the internet where possible, without balkanizing it. And balkanization may be the real danger in the post-Snowden era, warns Jason Healey.
“Given time, I have enough faith in the standards bodies that we can get ourselves back to a good spot. What I am worried about is that we are not going to have enough time”, he says. Russia, India, and others have been fence-sitting to see what happens next, Healey suggests, adding that they won't stay there forever.
“I worry they'll just decide that the whole thing is just shot, and since the US is treating this as a national security space, they should too. And that we don't just balkanize the internet, but that we treat standards as a national security battle.”
While that plays out, the message for businesses is clear: keep calm, and encrypt everything that you can't afford to lose.