Security professionals are 'surprised the public is surprised' over PRISM revelations
Growing divide between USA and rest of the world apparent in PRISM stance
THE fallout from the PRISM scandal is far from over, with the latest development seeing whistle-blower Edward Snowden leaving Hong Kong for Moscow and now receiving aid from WikiLeaks.
Since news broke in early June that the United States’ National Security Agency (NSA) had been using a clandestine national security electronic surveillance programme since 2007, much has been reported and written about the can of worms, public knowledge of the programme’s existence has also opened up.
The revelations come at a rather delicate time for security firms and researchers, who have been lobbying for increased cooperation and information-sharing to aid in the on-gong war against cybercrime.
Most recently, at the inaugural RSA conference hosted in Singapore, a call was issued by Art Coviello, executive vice president of EMC Corporation and executive chairman of RSA, during his opening keynote for governments to unite and facilitate information-sharing.
“Governments should extend their information-sharing among networks of countries. This will facilitate the tracking and capture of our adversaries,” he said.
“Also, develop rules of conduct around intellectual property and create enforcement mechanisms to ensure all nations adhere. Finally, and most important, eliminate the prospect of destructive attacks and cyber warfare.
“This will be a far more difficult genie to keep in the bottle and it’s showing signs of escaping,” he added.
The call for increased collaboration prior to PRISM taking the lion’s share of headlines worldwide was already a tough ask given the public outing of Operation Olympic Games – the United States’ own covert campaign of sabotage by means of cyber disruption, directed at Iranian nuclear facilities – in late 2010.
Surprised? Not really
Security professionals Digital News Asia (DNA) spoke to in the days following the onslaught of new information and denials by Internet companies named as participants in the leaks, said that the public outcry was the most surprising aspect of the revelations.
“I’m surprised that the public is surprised,” said Rob Forsyth (pic), Sophos' Asia Pacific managing director, in a phone interview with DNA.
According to him, governments the world over are realising the big power in big data with the rise of cloud computing and social networks. It is only natural that the information generated and being shared in this new information age would be irresistible to governments and security agencies.
“Governments can’t keep their hands off the data and big businesses such as Google, Facebook and Amazon get requests all the time from agencies for information.
“Especially in the United States, these companies can be leaned on very hard as the Patriot Act offers a lot of opportunities to requisition information and the American courts tend to acquiesce,” he said.
That being said, Forsyth pointed out that there remains the overarching objective of both the world’s governments and the security industry to make the Internet safer for their citizens.
“The Internet has become a major tool for businesses to increase productivity and been a major boon to other segments of society. But amidst these developments, we are increasingly allowing criminals to be a major force, to act with impunity in the absence of applicable laws and its enforcement,” he added.
Responding to DNA’s request for comment on the issues raised by the PRISM scandal, Mikko Hypponen (pic), F-Secure’s chief research officer, noted that one challenge faced in such discussions about curbing cybercrime is the varied understandings of what is involved.
“When we speak about cybersecurity, people think about totally different types of attackers. Some think about criminals interested in stealing credit card numbers and such. Some think about activists or movements like Anonymous.
“And some think about militaries and espionage agencies that are launching their own attacks. The response to such attacks is quite different,” he said.
Sophos’ Forsyth said that governments would always make laws in their own self-interest, and make these laws in a way that will get access to data they want.
“While it’s naïve for the public to expect anything different from their governments, to get unvetted access to this data doesn’t make sense either,” he added.
A security professional who declined to be named for this article said that the outing of PRISM has immediate trust implications on efforts to increase collaboration for information-sharing between private and government entities.
“That is without question, but we have to separate [this from] the efforts of the cyber-security industry that has no interest in personally identifiable information of phone records and Internet sessions of individual users; our interest is in the sharing of active threats and threat actors that are bent on infiltrating networks in order to perpetrate cybercriminal activity and cyber espionage,” he said.
He added that this kind of threat intelligence is essential in order to give security professionals the situational awareness they desperately need to defend their infrastructures from potential breach.
He also noted that there are ways to gather the necessary information for law enforcement purposes without violating privacy legislation.
“We know of successful ways to share information that is actionable such as the sharing of TTPs (Tactics, Techniques, and Procedures), blacklisted IP (Internet Protocol) addresses and known Command & Control infrastructures; this kind of threat intelligence is vital to provide machine level intelligence that can help security professionals thwart potential inbound attacks,” he said.
However, he admitted that standards for information-sharing are going to be key here to ensure that only vital pieces of threat intelligence are being shared – that is, only the significant and actionable pieces of information that are required to help security professionals identify and block the threats that could target them.
“Standards for information-sharing must also come with a mechanism for oversight in order to govern the organisations involved in the sharing and dissemination of this information so that any potential abuse or over-sharing can be quickly identified and corrected,” the security professional added.
F-Secure’s Hypponen said that we should expect governments to globally cooperate to fight criminals.
“But we shouldn't expect cooperation regarding attacks that the governments do themselves,” he added.
But perhaps the most worrying aspect of the entire saga is the position of US security agencies have taken, in their rebuttals to the intense scrutiny by their own politicians and the global media.
“The security agencies in the United States have been very public in their accusations that the whistle-blower is a traitor. I’ve even heard from a few that they hope he receives 10 to 20 years in jail for what he has done,” said Forsyth.
He added while American voters would be offended by the very existence of a programme like PRISM, positioning what Snowden did by bringing the matter to their attention as ‘wrong’ and the actions of a villain did not gel well.
In an interview with ABC News’ George Stephanopoulos, NSA director general Keith Alexander said that Snowden has caused “irreversible and significant damage” to the United States with his actions that he said was not “with noble intent.”
“We train our people how to do this right. We get oversight by [the] Justice (Department), we get oversight by the courts, we get oversight by the administration and by Congress, all three parts of government,” he added.
Forsyth noted that there is very little conciliatory talk by the agencies, which didn’t think that what they were doing was wrong.
“I think the truth is a lot narrower than we think, with the good guy versus bad guy dichotomy being too broad. Snowden probably did breach the terms of his employee contract by drawing public attention to PRISM, but I don’t think he is an entirely bad guy. He blew the whistle for what he believed to be good reasons in his mind,” he added.
Hypponen also disagreed with the antagonistic stance taken by US security agencies, noting that there’s a rift forming between the United States and the rest of the world.
“The USA is misusing its unique access to the data traffic of the rest of the world. It doesn’t seem to be having any problem with blanket surveillance of innocent users, as long as the surveillance is done to foreigners. The problem is, of course, that we foreigners make up 96% of the people on this planet,” he added.
Next Page: What’s next?