Today marks one year since the first major headlines were published about the NSA’s mass surveillance programme.
Published on 6th June 2013, it was revealed by a number of news agencies, including the New York Times and the Guardian, that the NSA monitored user activity on Google, Facebook, Apple and other US internet giants, while 24 hours later it was revealed that the UK was not so innocent, with the UK’s GCHQ were cooperating with the Prism software, and had access to the system since at least June 2010.
The revelations were made by former Government contractor Edward Snowden, then a consultant at Booz Allen Hamilton, and later one of the most wanted men in the world. A year on from his whistle-blowing, and with stories still coming from his leaks, I asked the industry if this substantiated what we already suspected and was this the best or worst thing to ever happen to the security industry?
Tom Cross, Lancope
Did this substantiate what we already suspected?
Sometimes, it’s very important to substantiate things that some people suspect may be true. For example, the fact that phone companies in the United States were turning bulk meta-data over to the Government had been reported in the press in 2006, but the phone companies denied that this story was true, and that denial, coupled with a new law ensuring that surveillance programs would be reviewed by the FISA court, put to rest much of the discussion over the issue.
Although some people suspected that the program was real, without proof, there was no room for further debate. Now that proof is available, that debate is proceeding, and serious questions have been raised about the wisdom of the program as well as the correctness of FISA court rulings that authorized it.
Michael Sutton, Zscaler
Has this been the best or worst thing to ever happen to the security industry?
The revelations from Edward Snowden brought to the surface what the informed had already suspected and what the public was oblivious to. Many wrongly assumed that cyber espionage was black and white. The West represents the ‘good guys’, while the East and specifically China are the enemy, stooping to tactics that Americans would never adopt. Snowden’s revelations showed us that the picture is not so clear. At best The US engages in the same tactics as the Chinese in order to gain the upper hand but steers clear of corporate espionage.
If there’s a loser to be declared in the Snowden revelations, it’s the US Government. The US is no longer able to throw stones in a glass house and will be forced to adapt as technology vendors raise the bar, eliminating some of the previously relied upon spying techniques. Make no mistake, this cat and mouse game will continue indefinitely and Governments around the world have the upper hand.
Did this substantiate what we already suspected?
Nation states have engaged in espionage in the name of security and financial gain for decades, it just didn’t always involve smartphones and Facebook accounts. ‘Spot the Fed’, is a popular game at security c
onferences for a reason. The security community has long known that the US Government engaged in offensive tactics, but eyebrows have been raised even among the most well informed given just how deep some of the programs ran. Whether tapping directly into the backbone of a data centre or intercepting and backdooring hardware shipments, the tactics went beyond the keyboard hacks that were expected.
Dwayne Melancon, Tripwire
This is far more a political issue than a security issue. Security has benefitted some from the increased public awareness of cyber security, but much of the conversation is centered around “right vs. wrong” which is inherently emotional. I believe we need to focus our energy on what is “effective vs. ineffective” when it comes to protecting our data, our users, and our businesses. Being effective is a defensible goal, regardless of whether you agree with the actions of Snowden or world Governments.
Calum MacLeod, Lieberman Software
I’m not sure who’s more confused today about Snowden. Is he a mild mannered hero seeking freedom, truth and the idyllic American way; carrying out a one man crusade against injustice and devilish practices? Or has he now morphed into super-spy?
However as far as the security industry is concerned, it has provided a goldmine. Every vendor is selling Snowden. He should have employed an agent before getting on the plane to ensure that he got paid royalties for the use of his image. His picture is supporting a burgeoning industry of “Next Generation Threat Protection” solutions. Every organisation is being told it probably has a “Snowden” working for them. And yet the threat to our everyday life of identity theft, corporate attacks on intellectual property, and the rest go on unabated. What Snowden has done is provide a distraction that allows many vendors to sell more FUD, and solve less problems.
Mikko Hypponen, F-Secure
Did the Snowden leaks impact how security vendors do business?
Definitely, especially for companies outside the US. We now feel we have a responsibility to provide for customers all over the world who would rather do business with non-US companies. Company wise, in the 23 years I’ve been with F-Secure, our company has never changed as much as it has the past year.
How has the US Government behaved in your opinion? Any improvements in sight?
They have made changes already. But practically all the changes we’ve seen have been to improve the privacy of US citizens, not foreigners. Politicians have to keep their voters satisfied, and we foreigners won’t be able to vote them out of their positions.
What gives you hope?
Edward Snowden gives me hope. Here’s a guy who sacrificed all to save us, and we the citizens of the world should be thankful. Not everything he did was technically right – he broke the trust of his employer and his NDA, but nevertheless he did the right thing. Now we know a lot about surveillance the Five Eyes countries are conducting. Other countries are spying as well, we just don’t have concrete evidence about it yet because they haven’t had their Snowdens. So I hope we get more Snowdens from other superpowers.
John Vestberg, Clavister
I think Snowden’s revelations have had a positive effect on the industry as a whole, even though it’s been bad news from some of the individual vendors named in the leaked material. Overall, it’s massively raised awareness of key issues su
ch as privacy, backdoors and encryption, and it’s also been a reality check for the industry itself, which is a big positive step.
Len Padilla, NTT Communications in Europe
Research that NTT Communications recently carried out paints a vivid picture of how business have reacted – whether it’s moving their data to locations where they know it will be safe or changing their approach to cloud computing to some extent, including cancelling or postponing cloud projects.
Since the scandal broke, the majority of business leaders (95%) have reassessed where their company data is located and whether it is accessible to unauthorized third parties. Keeping sensitive information in a country where the authorities can access or monitor it without consent constitutes a significant business risk and is now a hugely contentious subject for organisations.
More so, (82%) of all those surveyed in our research said that they agree with German Chancellor Angela Merkel’s proposal for separating data networks. In theory this may work but in practice it is near-impossible, and it would hinder businesses that want to trade outside of Europe and enter new markets.
Dick Williams, Webroot
I don’t believe Mr. Snowden’s revelations will fundamentally change our business. I’ve always believed that business is, first and foremost, driven by trust. Companies that focus on that will not be significantly affected by these types of issues over the long term.
Ian Kilpatrick, Wick Hill Group
Is Snowden a hero or a villain?
I wouldn’t use the terms hero or villain to describe Snowden. He is an individual whose actions have highlighted some issues that we were aware of and other issues that we should be concerned about. These include the extent of surveillance, as well as the current and future impact of surveillance and data collection, both at an individual level and at a corporate level. This is a debate that needs to be aired at a calm and considered level, away from some of the hyperbole generated on both the liberal and authoritarian wings.
Charles Sweeney, Bloxx
Has this been the best or worst thing to ever happen to the security industry?
Whether or not Snowden is the best or worst thing to happen to security is something that has been hotly debated. Many vendors have been perfectly open and said that his revelations have done wonders for their business and can attribute significant growth to companies wanting to ensure that their private communications remain just that. However, on the other hand there is the not insignificant issue that trust in the wider security industry – implicated companies as well as national security organisations – has been irrevocably damaged. Trust is the security industry’s currency and it has been seriously devalued. Can that trust be regained? Only time will tell.
Did this substantiate what we already suspected?
National security depends on being able to intercept suspect communications and I think most rationale people accept that. I think what really made people angry was that there didn’t seem to be any differentiation – everyone was a suspect – and the previous misleading statements that had been made about the scale of the NSA’s operations. Americans in particular take their privacy very seriously and for them what Snowden has revealed has been a real violation of a basic human right.
David Borin, Sentor
Has this been the best or worst thing to ever happen to the security industry?
Neither! But to be frank it’s up there in the top five of lessons learned. Snowden really brought IT-security awareness to the man on the street.
Did this substantiate what we already suspected?
In a sense it did, but it’s still hard not to be flabbergasted by the pure scale of what’s going on – surveillance on an unprecedented scale.
Simon Eappariello, iboss Network Security
Snowden has been a double-edged sword for the security industry. On the one hand, he brought security to the forefront of board level discussion due to the increased awareness of data leaks, and with that came a new level of realism of secure communications.
Conversely, when coupled with instances like Heartbleed, public confidence has been damaged and led to a level of paranoia with organisations and consumers alike now distrusting of any type of electronic communications.
John Mancini, AIIM
Has this been the best or worst thing to ever happen to the security industry?
Like in A Tale of Two Cities, it is the best of times and the worst of times. The best of times in that we finally have an appreciation that in a digital age, how an organisation manages its digital assets is just as important as how it manages it financial, people and physical assets. The worst of times in the realisation that Governments with virtually unlimited resources can undercut even the best of efforts to protect these assets.
Is Snowden a hero, or a villain?
A bit of both. He has woken us up to the perils of taking security and privacy for granted and the troublesome implications of unchecked Government power.
Paige Leidig, SVP, CipherCloud
Has this been the best or worst thing to ever happen to the security industry?
In all fairness, I’d have to say the revelations hit at both extremes. The best thing resulting from it – we now are much more aware of surveillance activities by Government agencies. As result, this has been a business boon for many companies that offer good cloud security products. It’s driven significant demand for cloud encryption, which has contributed to our 220 per cent growth over the past year. However, the knowledge has hurt the public’s perception of the NSA and raised trust concerns for the popular cloud providers.
Did this substantiate what we already suspected?
Those of us in security have always in the back of our minds suspected Government surveillance activity. But the extent of the programmes was very surprising.
Barry Scott, Centrify
Has this been the best or worst thing to ever happen to the security industry?
I don’t think it is about saying Snowden is the worst or best thing to happen to security. Instead I think we need to focus on how his revelations will have helped businesses to understand that perhaps they are applying old world technologies to new world problems. What Snowden has done is highlight the need for new technologies and new approaches in order to ensure that confidential and private information remains just that – regardless of whether it is the NSA or a hacker trying to intercept the communication.
Did this substantiate what we already suspected?
I think people knew that the NSA would be monitoring communications, but I guess what blew them out of the water wa
s the scope, size and sophistication of something like PRISM. If we’re honest we know how national security works, we just don’t like to have our fears confirmed.