Last week, The Guardian continued its publication of information being leaked by former National Security Agency contractor Edward Snowden, by revealing that Microsoft had helped NSA circumvent its encryption to gain access to web chats and other activity of its customers. The revelations beg an interesting question: Could Microsoft have gotten away with being less cooperative than it has been in terms of the access NSA enjoys?
I spoke about the Snowden case and the lessons IT security pros can learn from it earlier this week with John Dickson, principal at Denim Group. As I noted in that post, Dickson is a former U.S. Air Force intelligence officer with extensive experience in network and software security within the U.S. intelligence community. In a second interview with Dickson, I raised the question of Microsoft’s cooperation. He said he would be wary of the way it’s being characterized in the press:
Did Microsoft cooperate with enthusiasm? That I don’t know. I’m not an apologist for or defending Microsoft, but they’re an easy target. It’s very driven off of the corporate cultures and the individuals interacting with NSA and law enforcement. Some of them pushed back, as we’ve seen; some of them didn’t. The big thing is they thought they were doing it in a private way, and didn’t even think about the implications if this came out. So I think those decisions were made without ever considering that this might become public. If you asked them if they would have handled it differently if they were told three or four years ago that it might be exposed, the answer is probably yes. So if you look at companies’ private actions with intelligence agencies and law enforcement, and their public pronouncements on privacy and the way they handle customer data, they should jive. The reality of it is they do get asked from time to time to do these things. I think the thing that’s gotten everybody’s attention is the breadth and scope of it.
Dickson added that he doesn’t see a lot of difference between what was asked of Microsoft, Yahoo and the other Internet companies, and requests that have been made of telcos like Verizon and AT&T. What is different, he said, is the government’s ability to analyze the data:
Skype is a great example. The focus, particularly with Skype, is not the mass collection—there’s no way NSA can collect all the Skype video calls and interpret them in anything that approaches real time. If you’re an intelligence or law enforcement agency, you would like a similar setup in order to do the same things you would do in the telco world. I would give you the example of drones, or RPAs (remotely piloted aircraft]—what the Air Force and the intelligence community found out in Iraq, Afghanistan, and other places, is their ability to collect full streaming video from these aircraft far exceeds their ability to watch it and analyze it. So apparently there are years of uninterpreted data, because you can’t do it in a mass way. So the Skype thing is a little bit interesting.
I asked Dickson whether Microsoft or any other company has any legal recourse if it feels the government is overreaching in its demands for access to its systems. He said that, in a nutshell, is the challenge:
It’s supposed to be interpreted through the FISA [Foreign Intelligence Surveillance Act] courts, and that’s where the rub is—are the FISA courts actually throwing out as many requests as they approve? I think the numbers show that they’re approving the vast majority of them. So not just Microsoft—Yahoo, Facebook, all these guys—if you’re getting all of these requests in from intelligence agencies, and you’re pushing back on 50 percent of them, and the FISA courts overrule you every time, that’s one story. If you’re doing this with enthusiasm or alacrity, that’s another story, and I think that’s kind of how it’s been portrayed with Microsoft, whether that’s fair or not.
The Yahoo guys are now trying to distance themselves, and everybody’s trying to find examples of how they did push back. So what’s happened with this NSA stuff is companies are reevaluating and trying to figure out how they jive what they do with what they say they do.
In a footnote to our previous discussion about lessons learned, Dickson mentioned that shortly after we last spoke, he participated in a panel discussion at a security event at Rackspace in San Antonio. He said he asked the roughly 200 attendees whether any of them conduct more extensive and rigorous background checks on system administrators than they do on their other employees. He said none of them did:
So you’re treating a call center person or a front-office person who answers the phones no differently from a system administrator who can wreak havoc. System administrators can destroy backups and absolutely bring a company down for days. The only reason it doesn’t happen more frequently is you pretty much have to leave the country at that point—you would go to jail for a long time for destroying intellectual property. But the point is, that doomsday scenario could very well happen.