The ICT industry in the U.S. and its Five Eyes partners is taking a hammering this week over consistent and repeated allegations that it is NOT just an “unwilling” partner to the Spooks and Spies. Far from being “forced” to disclose the information it stores to those agencies, it is commercially contracted to deliver that information, actively working with the Spooks and Spies, installing back doors at the hardware and software level, and deliberately providing work-arounds to encryption methods the U.S. ICT companies themselves have manufactured.
“The secret facts organized in the leaked classification guides supply overwhelming evidence that the NSA and Central Security Service (a 25,000-strong agency founded in 1972 as a permanent liaison between the NSA and US military intelligence) rely on cooperative and in some cases contractual relations with US firms to facilitate their global wiretapping and data stockpiling activities.” – Source
What does this mean in practice? The entire document can be read here; however, here are some highlighted pieces that make for interesting reading:
- The NSA has contracts with specific named U.S. Commercial entities in order to enable SIGINT programmes and operations. Spying in other words.
- The NSA works with specific U.S. companies to make their products, including hardware, exploitable by SIGINT.
- There are undercover NSA agents working in U.S. companies to support and further this work.
- The NSA has commercial arrangements with companies that allow both content and metadata to be collected as it traverses U.S. borders.
- Deliberate targeting of “foreign” ciphers.
- The NSA works with specific U.S. companies to make their cryptographic systems exploitable by SIGINT.
- That the NSA has access to worldwide internet cable and fiber connections regardless of platform access or foreign agreements.
That’s just a brief summation from a thirteen page document outlining the operations.
Now, what this doesn’t tell us is who those companies are. The consequences of that could be huge for the U.S. ICT industry, especially when, according to these leaked documents, ICT companies in the U.S. have knowingly entered into contractual arrangements with the NSA. In other words, they are providing spying as a service and collecting cash for it. This also means that some of the ICT companies have bald-faced lied to their millions of users and commercial customers: they weren’t “forced”, they were paid.
The real issue here is not so much that spies have infiltrated these systems. The real issue is that criminals, other foreign governments, organised high-tech crime, and a host of other bad guys are likely to have access to those same exploits. You can be sure they haven’t remained under the control of the NSA; evidence proves otherwise. What this means is that the U.S. spying agencies have completely compromised security on the Internet and potentially anything that attaches to it.
That is an absolutely massive f!%# up. The only thing that can repair this mess is the disengagement of those ICT companies from those contracts, the development of new cryptography, security tools, and the movement of services outside of the legal jurisdiction of the U.S.
Companies that hold sensitive data now need to think very carefully about where that data is stored: health records, financial information, patents, economic advantage information, and the like. That data must be secured carefully in places that are less likely to suffer the exploits the NSA has engineered into modern ICT.
One of the newer technologies being developed is homomorphic encryption. In effect it allows companies with sensitive data to encrypt that data at their own border, holding the only key, in a rapidly changing algorithm, while still making use of the Cloud service, even Software as a Service, on the encrypted data.
So all is not lost.
It may be that, for sensitive data being stored in the Cloud, two factors kick into play in the next few months as considerations for your company: first, heavy encryption where only the end user has the key, and second, a service not delivered from the continental U.S.
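To make the idea behind the two previous points concrete (the customer holds the only key, yet the Cloud provider can still do useful work on the data), here is an added example of an additively homomorphic Paillier scheme written in plain Python. It is not code from the original post or from any product named on this page; the primes, the sample figures and the function names are all constructed for the illustration, and the primes are toy-sized so the maths is visible.

```python
import secrets
from math import gcd

# Constructed toy primes for the demonstration only; a real deployment
# would use randomly generated primes of roughly 1024 bits each.
TOY_P = 1000003
TOY_Q = 1000033


def _lcm(a: int, b: int) -> int:
    return a * b // gcd(a, b)


def keygen(p: int = TOY_P, q: int = TOY_Q):
    """Paillier key pair. The private part (lam, mu) never leaves the client."""
    n = p * q
    lam = _lcm(p - 1, q - 1)
    g = n + 1                   # standard simple choice of generator
    mu = pow(lam, -1, n)        # with g = n + 1, mu is just lam^-1 mod n
    return (n, g), (lam, mu)


def encrypt(pub, m: int) -> int:
    """Randomised encryption: the same plaintext gives a fresh ciphertext each time,
    so the provider cannot even tell which stored values are equal."""
    n, g = pub
    if not 0 <= m < n:
        raise ValueError("plaintext must lie in [0, n)")
    n2 = n * n
    while True:
        r = secrets.randbelow(n)
        if r > 0 and gcd(r, n) == 1:
            break
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(pub, priv, c: int) -> int:
    """Client side only: recovers m from c using the private (lam, mu)."""
    n, _ = pub
    lam, mu = priv
    n2 = n * n
    l_value = (pow(c, lam, n2) - 1) // n   # the Paillier L function, L(x) = (x - 1) / n
    return (l_value * mu) % n


def cloud_sum(pub, ciphertexts) -> int:
    """Run by the service provider: multiplying ciphertexts adds the plaintexts.
    No key material is needed, so the provider learns nothing about the values."""
    n, _ = pub
    n2 = n * n
    acc = 1
    for c in ciphertexts:
        acc = (acc * c) % n2
    return acc


def cloud_scale(pub, c: int, k: int) -> int:
    """Run by the provider: raising a ciphertext to k multiplies the plaintext by k."""
    n, _ = pub
    return pow(c, k, n * n)


def demo():
    # Client side: encrypt the figures before they cross the border.
    pub, priv = keygen()
    figures = [1200, 850, 2300]              # constructed sample values
    blobs = [encrypt(pub, v) for v in figures]

    # Provider side: a total and a 3x scale-up, computed blind on ciphertext only.
    total_ct = cloud_sum(pub, blobs)
    scaled_ct = cloud_scale(pub, blobs[0], 3)

    # Client side again: only the key holder can read the results.
    return {
        "total": decrypt(pub, priv, total_ct),          # 4350
        "scaled_first": decrypt(pub, priv, scaled_ct),  # 3600
        "ciphertexts_differ": encrypt(pub, 7) != encrypt(pub, 7),
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner would want alongside this. Paillier is malleable by design (that malleability is exactly what lets the provider add values it cannot read), so ciphertexts need separate integrity protection such as a MAC or signature, otherwise a hostile host could silently alter the stored figures. And this scheme is additively homomorphic only; arbitrary computation on encrypted data needs a fully homomorphic scheme, which is far heavier in practice.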
For example, Tresorit offers end-to-end encryption, with keys stored locally on users’ devices. The Switzerland-based company, which was founded in 2011 by Hungarian programmers Istvan Lam, Szilveszter Szebeni, and Gyorgy Szilagyi, officially launched its secure cloud storage service after emerging from its beta in April this year.
More are on the way. Switzerland has seen a massive surge in Cloud growth on the back of the U.S. revelations.
The NSA, in their mad rush for total domination of the SIGINT space, have effectively handed the internet equivalent of nuclear weapon codes to every madman on the planet. Not only can data be exploited, attack vectors can be built to destroy critical infrastructure. While it won’t kill the Cloud industry, it will drive it away from the U.S. and into the arms of, most likely, the European Union Nations.
If the names of those ICT companies who have contracted with the NSA are released, you can be sure the damage on their brands will be significant.