I was watching Jacob Appelbaum’s presentation at the Chaos conference. It is well worth watching; you can see it here. Jacob is a passionate and talented man. This is a good presentation describing the latest revelations on the NSA’s bag of tricks. There are a few things that I would take issue with on the latest revelation and how it has been presented and written up.
First, we need to be careful that we vent any frustration and anger in the right direction. Questioning the morality or legality of TAO misses the point. The hugely talented men and women who work in TAO and similar organisations around the world are doing what has been asked of them – to protect their country’s assets and reveal others – and they have proved world class at doing this, although Jacob disagrees with the skill bit. If we have a problem with this then we should take it up with those that set the policy and the legal framework, accepting, as Jacob rightly points out, that politicians, policy makers and legislators have little understanding of technology, security and probably many other things.
In relation to my views, I am quite clear: I want my Government to have as much data as possible. I want them to have the tools, techniques and resources to mine this data to stop a terrible event from occurring – stopping one event is good enough for me. The alternative is we have to sift through the body parts once an event has occurred. Having said that, I want the legal frameworks to be in place, I want transparency, I want oversight, and I do not want my Government (or any Government) to cross the line and weaken security for all by building in backdoors, weakening crypto or any of the shenanigans that have occurred with the American tech industry. The moment we confuse the role of the state in national security and the private sector in national security we are all doomed to a life where there are no holds barred – he or she with the deepest pockets and the greatest resources and brains wins the race to the bottom of the pit – there are only losers in this scenario.
Let us be clear: there are no friends in national security, just different levels of foe.
The next point I would make is that Der Spiegel and the authors such as Jacob gave no time to the vendor community to investigate the claims. This is not responsible disclosure, and reporters should be as responsible to vendors as they are being to the NSA. It is fine for Jacob to say fuck them all or words to that effect (his language is quite fruity at times), but such a disclosure does not just impact the vendors. Jacob requests that vendors go public with their statement on their involvement with the NSA. At Huawei we did this last October in my last White Paper, where we said:
“Particularly, as the Deputy Chairman of the Board of Huawei and the Chairman of the Global Cyber Security Committee of Huawei, I would like to make our company’s position clear. We can confirm that we have never received any instructions or requests from any Government or their agencies to change our positions, policies, procedures, hardware, software or employment practices or anything else, other than suggestions to improve our end-to-end cyber security capability. We can confirm that we have never been asked to provide access to our technology, or provide any data or information on any citizen or organization to any Government, or their agencies.
We confirm our company’s unswerving commitment to continuing to work with all stakeholders to enhance our capability and effectiveness in designing, developing and deploying secure technology.”
However, the key point I would take issue with over the reporting of the catalogue of marvellous toys for the NSA to deploy is that we make no distinction between data of different importance. Let me explain:
My shopping list of bread, milk and a packet of three for the weekend is different to the access codes to my online bank account, which again is different to the national database which holds our blood types, which again is different to someone in the witness protection scheme, which is different again to the name of a spy in a covert operation in a foreign country, and is different again to the nuclear launch codes (if these things actually exist). The data has different sensitivity, some data is time bound, and some data threatens life if not kept confidential or if it becomes corrupt.
Technology is the same: not all technology is there to work at top secret level. The NSA catalogue of toys is there to break into any system. It doesn’t just look at the low-level unclassified or personal data; it looks to break into the Fort Knox equivalent of technology. Buyers of vendors’ hardware and software must determine what level of protection they want for the types of assets, or information, they are trying to protect. If they believe that what they are protecting has low value they may well specify lower security capability. If it has significant value or needs significant protection then the buyer is likely to specify higher security requirements – not all technology is born equal.
So if the NSA and other similar teams have the money, resource and capability to break into Top Secret systems that are guarded and protected to the highest levels, that same team must have a reasonable chance of breaking into technology that has not been specified to the highest security standard or protected to the same level. It will not surprise anyone when I say that having no security is cheap (to buy, but not in the consequences of any loss), and having top secret security is not so cheap… actually it’s expensive, and it isn’t just about hardware and software.
In summary, we need a little more realism about what security agencies do and their capability to attack and breach the security of companies and Governments through any vendor’s equipment. No Government will demand that every technology system they operate runs at top secret. No Company will demand that every system they run is at top secret, and few citizens will demand their phone, tablet, PC etc. runs at top secret… even if they could buy such stuff. So we should not be surprised that the NSA has a catalogue of tools and techniques to break into vendors’ equipment, given this is what they do.
Finally, what the revelations continue to bring home to everyone is that, as a technology industry, we must do better. Currently we have no collective idea what good looks like when it comes to security. There are no internationally agreed security standards; there are no agreed standards on product verification; there are no agreed internal laws or standards of behaviour for Governments to operate in the digital world.
In our view, it is paramount that the entire ecosystem of governments, industry and end-users step up to collectively work on the problems and challenges we will face in the future. In doing so we should consider:
- The challenge of privacy in a digitised world: Given that much of our lives and business are online, with our data being globally distributed and processed in many countries by many technology vendors and governed under many different laws, we need strong and compatible legal frameworks, and globally-agreed rules of engagement and technology that support the protection of personal and business data.
- Thorough risk assessment practices: With the increasing rate and speed at which devices and users connect to the internet, combined with the continuous development of technology, society exposes itself to ever-evolving threats as well. Technology cannot be secured to the point of satisfying everyone’s needs in every scenario. Strategic focus on a risk management approach that references the critical elements as described in our White Paper, and recognition of the fact that global networks rely on the global supply chain, are essential to enhancing cyber security.
- Customer is king: Buyers of technology - be it governments, enterprises or consumers - should use their economic buying power to demand more from their technology vendors and service providers.