I haven't posted anything on this blog for a long time. After much reflection, I think it's time for me to comment on the great Infosec event of 2013: the NSA/Snowden scandal.
I haven't posted or commented on this case yet. Not for lack of interest, but many people more skilled and informed than me have commented on these revelations. Moreover, I found it better to wait for the dust to settle. But it seems it won't settle anytime soon.
So, several months after the maelstrom began, I have some remarks I hope are useful:
1 - The NSA, like many intelligence agencies, in the US or elsewhere, is spying massively. Isn't it their job?
The main problem here is that they're doing whatever they can to escape democratic control, to the point that the US Congress had to be briefed by external experts like Bruce Schneier.
As Bruce wrote in his excellent essays (read them all!): the solution is political, not technical.
2 - The NSA has weakened security products and technologies to implement backdoors enabling them to spy on their targets.
I'll be moderate on this one: THIS IS A CRIME AGAINST HUMANITY. No less.
Weakening internet security will have, and maybe already has had, terrible consequences. Who's the terrorist in this case?
A backdoor is open for everyone who will spend the needed time to access it, for good or ill.
3 - Speaking of terrorism, according to what I know, no terrorist attacks were prevented by the NSA's mass surveillance. The collected data helped investigations after some successful attacks, such as the Boston Marathon bombing. But the cost of the data collection & storage is clearly prohibitive. Bulk collection is not efficient.
During FIC 2014, French military/intelligence representatives declared: "if you have nothing to hide, you don't need to fear our agencies' surveillance".
This is unacceptable for several reasons:
- The NSA was proven to escape Congress and democratic controls; our French equivalent, the DGSE, is strongly suspected to do the same. How can this kind of agency give any guarantee that the information they collect will be used lawfully?
- Internal unauthorized access is always a risk: some NSA personnel used collected information for personal goals (spying on their wives/husbands).
- As every information security professional knows well: such a data store cannot be absolutely protected against external unauthorized access either.
- The USA and France are democracies, so controls and reforms will be enforced now that we know, right? Alas, a democracy is always at risk. The French Third Republic's surveillance data were very useful to the Nazi political police and to the Vichy dictatorship, between 1940 and 1944. No one would have expected such a situation before 1940.
4 - Whistleblowers
Edward Snowden and Bradley (now Chelsea) Manning are considered heroes by some, traitors by others. I don't know. I only know the NSA behaved illegally.
In both cases, they were rather low-level operators, a sub-contractor and a private soldier. If I were in charge of information security & security policy in either of their former organizations, I would have resigned immediately after knowing about their leaks.
In the business world, there are legal mechanisms and contractual requirements obliging companies to enable whistleblowing and handle it properly. I don't know if such a system would work for intelligence agencies.
But one thing is certain: to prevent leaks, don't have secrets, or as few as possible; and respect the law.
5 - The rest of the world is upset by what the NSA did and probably still does.
Governments, even allies of the USA, were spied on. But I guess they do the same in return.
Less friendly countries such as China and the Soviet... er... Russia, well... Didn't they know already? These two countries are the only ones whose intelligence agencies' budgets are comparable to the USA's.
The golden rule in state-to-state spying is: do it, but don't get caught. I know it sounds cynical, but less so than a French officer at FIC 2014, who declared he thinks Snowden is a traitor to his country, but regrets there's no Chinese Snowden yet ;)
But now that there is proof of what the NSA did, other states will feel entitled to break the internet into useless isolated pieces. That would be another crime against humanity, and the NSA would bear a share of the responsibility for it.
6 - As an information security professional, I think the NSA scandal had at least one positive effect: bringing Infosec issues under mass media scrutiny; good point for public awareness.
The news doesn't lack high-profile security breaches, but a spy story is clearly a better seller.
Now, state secrets and spying are not the main interest of security professionals. We have much to do to protect our employers/clients/users against common criminals and thieves.
More revelations will come from this NSA case, but I hope it will not disturb the Infosec field in 2014 as much as it did in 2013.
One thing must be absolutely avoided: letting Infosec and the fight against cybercrime become a domain exclusively reserved to the military & intelligence agencies. It's not their job; cyber war/spying is. Coordination between the military and civilians is good, not subordination. I guess the Gendarmes & fellows I met at Botconf 2013 will agree :)
Now, back to work. I've some ISO 9000/27000 stuff to do ;)
DISCLAIMER: Though I inserted many links to his articles in this post, I'm not related in any way to Mr Bruce Schneier. As a still-newbie information security practitioner, I of course have great admiration for him and for his work. Same for Mr Brian Krebs, though you should feel free to make a donation to his excellent blog ;)