In a recent Computing survey, 19 per cent of IT managers said that recent revelations about the extent of surveillance by spy agencies make it very likely that they will avoid using the big cloud firms which, being US-based or US-owned in the majority of cases, are required to hand over information to that nation’s authorities on demand (figure 1). Whether this actually results in a mass exodus from the likes of Amazon and Google remains to be seen, however, because it is unclear that the alternatives are any more secure from prying eyes.
All organisations prefer to base strategic decisions on hard evidence, but given the fluid nature of our understanding of the surveillance situation, with the steady drip-drip of fresh revelations eroding certainty at every turn, deciding where and how to manage sensitive data is guesswork at best.
In view of the close relationship between the US’s National Security Agency (NSA) and this country’s GCHQ revealed by whistle-blower Edward Snowden, where it appears that national laws are regularly bypassed by the spooks, is sensitive data really any better shielded from US government snooping if it’s held in the UK by a UK-owned cloud provider, as has long been assumed?
Can we really believe the agencies when they insist that they are only after the “bad guys”? After all, GCHQ has been found to have been hacking into commercial ventures such as Belgacom, which has no obvious terrorist links, while the NSA has snooped on Brazilian oil firm Petrobras, again with no obvious security motive. And it’s not only the UK and US establishments that have been involved in what looks very much like industrial espionage. The Communications Security Establishment Canada (CSEC) was recently accused of hacking the Brazilian Mining and Energy ministry and informally sharing the results with Canadian energy corporations, a clear case of the state using cyber attacks to benefit private interests.
Then there are unintended consequences of such large-scale information gathering. Snowden was one of many thousands of relatively junior contractors granted high-level access to sensitive data and information about surveillance techniques. The chances of data or details of vulnerabilities and exploits being sold to third parties by disgruntled or greedy individuals must be significant.
Doubtless there are more revelations still to come about the security agencies of the UK, US and other nations targeting commercial interests, quite apart from their practising the sort of blanket surveillance that effectively makes everyone a suspect in a criminal case of the agencies’ choosing. Suffice to say, whether you are a corporation or an individual, when it comes to protecting sensitive data from the state surveillance apparatus there are few hiding places.
Assumption of compromise
“The NSA has sabotaged some of the underpinnings of communication and e-commerce,” said Dan Gillmor, director of the Knight Center for Digital Media Entrepreneurship at Arizona State University, speaking at Structure Europe last month. “That would worry me if I were an enterprise trying to sell things to other people using secure technology where the assumption must be that it’s been compromised.”
Gillmor was referring to evidence first published in the New York Times that the NSA has circumvented or cracked “much of the encryption that guards global commerce and banking systems”, including SSL.