The disclosure by Edward Snowden of broad NSA access to domestic and foreign digital communications is having an adverse effect on the U.S. technology market. Brands like Cisco and Juniper have been used in the disclosures, resulting in bans against some of the related hardware even though no evidence exists that such a ban would have any effect whatsoever on the NSA program. This is because the programs focus on the firms that control the equipment, not those that supply it. This implies, however, that a lot of companies have yet to be identified as participating in the program and that the names and level of participation may be in the “insurance” document that Snowden and WikiLeaks have broadly distributed in encrypted form.
Once that document is decrypted, either because Snowden provides the key, or because some group has found a way to break the encryption (foreign governments with anti-U.S. agendas have both the resources and the motive to do this), we will likely get a longer list of firms that have been actively part of this program.
Anticipating this disclosure and the fact that it could panic some boards or executives, IT may want to have some unique contingency plans in place.
It is possible that a hardware vendor may be named as supplying technology with a secret back door, and you could have inadvertently deployed it. Having a plan for what you will do with that hardware depending on what is disclosed would be a wise exercise at this time. Should you have to execute, you’ll be ahead of the game. You’ll also look particularly competent, which isn’t bad for the career. More importantly, you will avoid the kind of problems a knee-jerk, poorly thought through process might cause.
While we have had technologies like the old Clipper Chip, it is very difficult to keep them hidden. Monitoring technology and security audit processes continue to evolve and this portion of the hardware would be difficult to update reliably or without triggering a flag. This is why I believe this scenario is unlikely. Still, governments aren’t exactly famous for always doing the smart thing. You need to at least consider a response.
Responses could range from going back to the vendor, which likely did this involuntarily, anyway, and demanding a fix or replacement, to assuring the hardware didn’t come into contact with confidential data, to outright disposal. Particularly if you have relationships with Cisco or Juniper, both named, it might be wise to work out some what-if scenarios with those vendors. But understand that if a problem arose, the customer-facing folks wouldn’t know of it until the story broke.
One thing is clear: The NSA activities are having an adverse effect on U.S. hardware technology sales internationally.
The most likely firms to be named are cloud service providers, particularly those that handle any form of communications, data storage, data analysis or data transfer. This is where an intelligence-gathering organization would focus because it would give the broadest coverage for the least cost and, as has been disclosed, allow the intelligence-gathering organization to off load some of the work to those firms.
This is more problematic because the NSA cast a broad net. Virtually every major U.S. communications brand, and most of the major public cloud communications service providers, have already been named. This suggests that if your communications aren’t properly encrypted and powerfully so, it could appear to be negligence that you hadn’t better secured these communications.
What makes this particularly problematic is that encrypted communications are automatically flagged. Clearly, attempts may be made to decrypt them. The easiest way to do this would be to get the key from you. That may have been done, which would put the name of your company and whoever approved this in an NSA file, a file that may be sitting encrypted on a lot of reporters’ desks at the moment.
It might be wise to ensure that top executives are aware of this so that they are less likely to contain the problem by terminating the folks that made this decision. Firms that sell internationally will clearly be exposed if their names show up on an NSA spying list and are likely to try to mitigate the sales damage by firing those responsible. Making sure that isn’t a viable path would be prudent. That means finding out if your firm will be named and making sure your up-line is aware of any related exposure before the disclosure occurs. Folks tend to behave far more reasonably if they aren’t getting calls from reporters responding to your firm being listed on the disclosure.
Wrapping Up: Data Transport Isn’t Secure
While you should anticipate, particularly if you sell technology or services internationally, that you or one of your vendors will be embarrassed by a future disclosure, one thing is clear: Data transport isn’t secure. Programs in the U.S. and other countries, which appear now to be in a digital arms race, will make even encrypted transmissions more difficult to protect. Some of these countries are as interested in intellectual property as they are illegal activities. Certainly, the belief that any unencrypted communications are secure is no longer well founded. Interestingly, the only thing that has really changed is that we are now aware of what apparently has been going on for some time. Only our perception is changed.