On September 5, 2013 the New York Times published an article titled “Secret Documents Reveal N.S.A. Campaign Against Encryption.” The article contained an excerpt from a 2013 NSA budget request document for the $250M a year “SIGINT Enabling Project.” The NSA documentation described the program, which carried the operational nickname, “Bullrun,” this way:
The SIGINT Enabling Project actively engages the US and foreign IT industries to covertly influence and/or overtly leverage their commercial products’ designs. These design changes make the systems in question exploitable through SIGINT collection (e.g., Endpoint, MidPoint, etc.) with foreknowledge of the modification.
The documents left little to the imagination. In fact, the overall picture was clear. The NSA has been spending hundreds of millions of dollars a year to “insert vulnerabilities into commercial encryption systems, IT systems, networks, and endpoint communications devices.”
The opportunities offered by the web and the new age of cloud-hosted applications, though, continue to prove irresistible to businesses. According to a recent study by North Bridge Partners, 75% of businesses are now using at least one cloud-based software product. Our own study revealed that despite the exposure of domestic NSA surveillance and data collection, only 18% of IT pros said they definitively would not recommend cloud hosting of software.
Establishing data security is a complicated business challenge that every company connecting to the internet must contend with. The recent revelations about NSA activity serve only to make the issue even more complex. In his recent videoconference at the SXSW festival, NSA whistleblower, Edward Snowden, commented on the issue of data security in the age of surveillance—and what can be done to ensure privacy.
We wanted to take the conversation a step further. We connected with 8 leading web, cloud application, and data security experts to get their opinions on 6 critical questions related to corporate data security.
During the SXSW videoconference Edward Snowden said: “It is the development community that can really craft the solutions and make sure we are safe.” Do you agree? If so, what role does encryption technology play?
I absolutely agree. Encryption doesn’t have to be that difficult, but it will introduce friction where it wasn’t before. Email encryption is likely to continue to be problematic for a long time because it’s not a closed ecosystem, but things like file encryption (that applies even post-download, and includes in transit and at rest protection) and messaging encryption are very possible to do properly, given a decent balance between user experience and security in the design process.
Yes, security is a responsibility of developers. But it’s also something that has to come from the top management of every business organization. The vast majority of developers are under huge pressure to deliver functionality. Security unfortunately is often a secondary priority. At Epiphany, we develop for the NetSuite Platform with native NetSuite code, which means NetSuite functionality governs security features in the platform. To establish good security, companies need to be focused vigilantly on it with up-to-date infrastructure, personnel, procedures and so on. It’s a cultural thing.
It’s often said that security is as good as its weakest link. What are the weakest links you perceive in regards to data security?
What I’ve traditionally recommended to clients who are trying to track down their weakest security link is to look at viruses and malware arriving via email. But with the advent of all the spam and AV solutions that reliably check email at the workstation level, we’re finding the weakest security link is often now web-browsing. We’ve seen browsers picking up malware that’s getting on user workstations and being used as a beachhead to get at other data resources on the network. The question we ask clients is: How are you protecting your web-browsing? Web-filtering software tools and tightening web-browsing policies are becoming critical approaches for securing the weakest security links for most companies.
I think that the ultimate weakest link is the fact that our economy and environment is so volatile as a country and world. As long as there are people that do not have everything they need or want and live in conditions of scarcity there will be those people that want to get those means, even if that is not a legal route. So there will always be attempts to breach security if that means possibly getting resources that would be unattainable to that group of people through other courses of action. If there was less volatility and inequality as far as economic policy and economic conditions worldwide, we would not see as many attempts at breaching security. This is not a vote in favor of one type of economic theory or another, it is just to point out the fact that as conditions are not up to par for certain groups of people, then they will have more incentive to find ways to make money or gain necessary resources even if those means are illegal.
The difference in security features offered in free cloud products versus business class tools came up during the Snowden videoconference. “Shadow technology”—or software used outside of the sponsored IT ecosystem—is becoming a hot topic. What can businesses do to combat this security risk?
There are definitely privacy and civil liberties issues at stake here. For a company really to have tight security, they would have to impose security protocols on every employee’s devices where company information might be stored or discussed. This would include smartphones and tablets—not just the single desktop or laptop that the employee uses at work. I, for example, can run all of my work-related applications on my Surface, but my IT department doesn’t even know that I have one, so it’s very likely that my Surface doesn’t meet my company’s security requirements. In order for that to happen, companies would have to become the personification of Big Brother. I do see the possibility that 2014 will move many businesses closer to Orwell’s 1984!
SSL has been providing encryption of traffic to and from many websites and web applications for a long time. What about file and hard drive encryption? Is this also becoming a must for business security?
When dealing with sensitive data, hard drive encryption is worth considering although there might be performance impacts. Still, like SSL in which some underlying technologies have been shown to be vulnerable to attacks, there might be vulnerabilities with such encryption. Encryption provides protection and can reduce risk of exposure of sensitive data. In itself, it will never solve all security problems. It’s important to recognize the inherent insecurity of doing business on the global Internet in order to put in place processes to deal with this insecure reality.
Providing any sort of web-based service or product inherently means discussing security with customers. Has the NSA surveillance story changed this conversation in any meaningful way for your company? Do your customers mention it?
The NSA revelations have become one of the defining moments for solidifying an open, transparent and trusting relationship with our customers. As an Internet company with security in its DNA, we’ve always had the philosophy of building products with security in mind instead of tacking it on as an afterthought. On our web site blog, we have discussed PRISM and the use of forward secrecy in TLS to thwart it, explained why random numbers are important for security, described how the NSA may have put a backdoor in RSA’s random number generator, and made it easy for our customers to participate in The Day We Fight Back against Internet surveillance. Engaging our customers about these issues also helped drive new initiatives such as Strict SSL usage, an open source cryptography project, and the publication of our first transparency report.
What’s the role of the development community in ensuring that the NSA or others aren’t successful in creating encryption backdoors of the variety sought via “The SIGINT Enabling Project”?
Vendors should make their encryption code public, including the protocol specifications. The community should create independent compatible versions of encryption systems, to verify they are operating properly. There should be no master secrets. These are just too vulnerable. All random number generators should conform to published and accepted standards. Encryption protocols should be designed so as not to leak any random information.
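As an added example (not from the article or from any of the experts quoted), here is a small Python model of the "no master secrets" point above and of the forward secrecy mentioned in the earlier answer: with a single long-lived server key, anyone who later obtains it can decrypt recorded sessions, whereas with ephemeral Diffie-Hellman nothing stored after the session unlocks the recording. The group, the cipher and the key derivation are constructed toys for illustration, not TLS.

```python
"""Toy model of the 'no master secrets' principle: one long-lived server secret
versus per-session ephemeral Diffie-Hellman keys. Constructed demo, not TLS."""
import hashlib
import hmac
import secrets

# Toy DH group: the secp256k1 field prime with generator 2, chosen only for
# brevity; real deployments use a standard group such as RFC 7919 ffdhe2048.
P = 2**256 - 2**32 - 977
G = 2

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with a SHA-256 counter keystream (demo only)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(x ^ y for x, y in zip(data[i:i + 32], block))
    return bytes(out)

def static_key_session(master_secret: bytes, plaintext: bytes) -> bytes:
    """Master-secret design: session key = KDF(long-lived secret, public nonce).
    Returns exactly what an eavesdropper would record."""
    nonce = secrets.token_bytes(16)
    session_key = hmac.new(master_secret, nonce, hashlib.sha256).digest()
    return nonce + keystream_xor(session_key, plaintext)

def decrypt_static_recording(master_secret: bytes, recording: bytes) -> bytes:
    """A later leak of the master secret unlocks every recorded session."""
    nonce, ct = recording[:16], recording[16:]
    session_key = hmac.new(master_secret, nonce, hashlib.sha256).digest()
    return keystream_xor(session_key, ct)

def dh_keypair() -> tuple:
    """Fresh private exponent and its public value g^x mod p."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def dh_session_key(my_priv: int, peer_pub: int) -> bytes:
    """Both sides hash the same shared value (peer_pub^my_priv mod p)."""
    return hashlib.sha256(pow(peer_pub, my_priv, P).to_bytes(32, "big")).digest()

def ephemeral_session(plaintext: bytes) -> tuple:
    """Forward-secret design: new DH keys per session; the private exponents
    and the session key are dropped afterwards, so a recording plus every
    long-lived secret still does not decrypt it. Returns (A, B, ciphertext)."""
    a, A = dh_keypair()                 # client ephemeral key pair
    b, B = dh_keypair()                 # server ephemeral key pair
    key = dh_session_key(a, B)          # equals dh_session_key(b, A)
    return A, B, keystream_xor(key, plaintext)
```

The recorded ephemeral transcript contains only the public values and the ciphertext, so an attacker who later obtains the server's long-lived secret has nothing to derive the session key from.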