One year ago today, the world learned the truth about surveillance by the US and UK Governments.
Since then, the security industry and wider world have been made to decide whether the man behind the leaks is a hero or a villain? Surveying some key names in the security industry, Lancope’s director of security research Tom Cross said that it is hard to view the situation strictly in black and white terms.
He said: “There is no question that documents Snowden disclosed have materially advanced the public policy dialog in the United States regarding mass surveillance. However, he also disclosed a lot of information that could harm the national security of the United States but does not contribute significantly to the public interest, and people are understandably angry with him about that.”
Michael Sutton vice president of security research at Zscaler, said: “History will decide, but the court of public opinion is clearly uncomfortable with what they've learned about the tactics of the US Government.”
Calum MacLeod, vice president EMEA Lieberman Software, said: “As far as the security industry is concerned, it has provided a goldmine. Every vendor is selling Snowden. He should have employed an agent before getting on the plane to ensure that he got paid royalties for the use of his image. His picture is supporting a burgeoning industry of "Next Generation Threat Protection" solutions. Every organisation is being told it probably has a "Snowden" working for them. And yet the threat to our everyday life of identity theft, corporate attacks on intellectual property, and the rest go on unabated. What Snowden has done is provide a distraction that allows many vendors to sell more FUD, and solve less problems.
“Certainly some of Snowden's revelations have shed light on the fact that actually there are some really clever geeks in the NSA, who are able to do some really cool stuff, and to show how totally ineffective most of the technology is, that is being foisted on an unsuspecting market.”
Undoubtedly the greatest revelation of the stories of early June 2013 was that it substantiated what we already suspected. Cross said that it is very important to substantiate things that some people suspected may be true, such as the fact that phone companies in the United States were turning bulk meta-data over to the Government – which was reported in the press in 2006, but the phone companies denied that this story was true, and that denial, coupled with a new law ensuring that surveillance programs would be reviewed by the FISA court, put to rest much of the discussion over the issue.
“Although some people suspected that the program was real, without proof, there was no room for further debate. Now that proof is available, that debate is proceeding, and serious questions have been raised about the wisdom of the program as well as the correctness of FISA court rulings that authorised it,” he said.
Dwayne Melancon, CTO of Tripwire, said that this is far more of a political issue than a security issue, as even though security has benefitted some from the increased public awareness of cyber security, much of the conversation is centred around "right vs. wrong” which is inherently emotional.
“I believe we need to focus our energy on what is ‘effective vs. ineffective’ when it comes to protecting our data, our users and our businesses,” he said. “Being effective is a defensible goal, regardless of whether you agree with the actions of Snowden or world Governments.”
Sutton said that nation states have engaged in espionage in the name of security and financial gain for decades, but it didn't always involve smartphones and Facebook accounts.
He said: “The security community has long known that the US Government engaged in offensive tactics, but eyebrows have been raised even among the most well informed given just how deep some of the programs ran. Whether tapping directly into the backbone of a data centre or intercepting and backdooring hardware shipments, the tactics went beyond the keyboard hacks that were expected.”
The revelations gave us the evidence we needed to prove that surveillance was done, but many were shocked, and continue to be shocked about revelations of the scale. Asked if this was the best or worst thing to ever happen to the security industry? Sutton said that the revelations brought to the surface what the informed had already suspected and what the public was oblivious to.
He said: “Many wrongly assumed that cyber espionage was black and white. The West represents the 'good guys', while the East and specifically China is the enemy, stooping to tactics that Americans would never adopt. Snowden's revelations showed us that the picture is not so clear. At best The US engages in the same tactics as the Chinese in order to gain the upper hand but steers clear of corporate espionage.”
He said that if there is a loser to be declared in the Snowden revelations, it's the US Government, as the US is no longer able to throw stones in a glass house, and it will be forced to adapt as technology vendors raise the bar, eliminating some of the previously relied upon spying techniques.
MacLeod asked if we should be surprised that the US Government, along with the virtually every other Government, were using the internet to spy. “Well given that every country, Government or whatever have done this since time began, maybe we should be comforted by the ancient words that there is nothing new under the son,” he said.
We are in a new world of privacy, internet freedom and those seeking a change. Yes Edward Snowden changed many things including how businesses and people see Governments, how secure transmission of data and communications are used, and how to avoid being spied on. Can you manage these things?
A year ago it may have been called paranoia, in June 2014 you are one of many fighting for free speech.
Dan Raywood is editor of the IT Security Guru