It’s been a thrilling month on the ‘Full Monty’ information disclosure front. We have been told, by a former NSA insider, that every phone call and every item of stored data passing through major US ISPs, mobile carriers, and cloud service providers is ‘screened’ by deep packet inspector Narus on behalf of the US National Security Agency.
The US government, helped by subcontractors, is apparently sifting through all this data looking for terrorist-related information, though it claims to stay well away from prying into commercially valuable information — this, they accuse the Chinese of doing. China, the behemoth behind its Great Wall-of-Fire, is also screening all its content carriers, but instead of seeking terrorists, it is looking for dissident political utterances, while at the same time claiming to be the innocent spying victim in a networked world — a world where the US has defined the technologies and the traffic rules that govern the Internet, as well as hosting most of the world’s great data gatherers and cloud service providers.
One comforting claim for the European audience is that the US screening is not directly aimed at monitoring communication between parties that are outside the US. However, we know that the US, Canada, UK, Australia, and New Zealand operate the ‘Five Eyes’ program (formerly known as Echelon) that monitors vast amounts of international communication over any electronic channel, so perhaps all lines of electronic communication and all cloud data storage facilities are considered fair game for national security agencies to spy on.
In addition, the use of advanced persistent threat (APT) techniques to penetrate private, public, and commercial organizations that are suspected of harboring a threat to any nation’s national security is considered fair game. Then there are the million strains of malware developed to snoop on our machine’s data, steal our identity, or block access to our sites — malware either controlled by hackers that are out to loot us, or angry hacktivists out for gory renown. National security ops, cybercriminals, and hacktivists target any entity that has value — with a lot of collateral damage along the way.
So, does all this make a mockery of our attempts to maintain the confidentiality and integrity of our personal and corporate data? Actually, no — we just have to live with it, like we live with the millions of bacteria and viruses which surround us. Sterile environments can be just as dangerous for ‘life as we know it’ as the organic and digital soup we wade around in every day.
Of course, we need to know our enemies; we need to know what we have to protect. We need to be educated, and need to be dressed for the occasion. Going overboard with paranoia and suspicions will only slow us down and make life miserable. And while security companies like Symantec,Sophos, Checkpoint,F-Secure and McAfee clearly have an interest in selling us their protection, and thus use the ‘fear, uncertainty and doubt’ rhetoric, they are also providing best-practice assessments based on heuristic security incident analysis.
The great change in IT strategies that shifted us from in-house servers and data centers towards more and more remote cloud services, clearly increases the ease of access to our data. While cloud providers may have better security than we have in our own data center, we do need to be more sophisticated in our use of encryption — both for communication, and for data storage purposes. We need to be more aware of the metadata footprint we leave in cyberspace, be it location specific information, travel patterns, or knowledge access routines. And we need to educate our users on the threats stalking us in our everyday digital lives.
But first and foremost we must recognize that the significant improvements in overall productivity and responsiveness provided by the new communication and data access paradigms come at a price. We decided long ago to pay that price — not out of fear, but out of hope that we can do more with less. That hope remains — if we can keep our wits about us.