I don’t know if you’ve been following the NSA story. Recently it’s reached proportions that have shocked me and changed some of my beliefs.
Most shocking to me is that the NSA has been undermining American business security in every way you can come up with, from pressuring security software makers to defeat their own products, to compromising security standards, to hacking American businesses’ networks. Every popular filesystem encryption product is compromised, or must be assumed compromised. Large network switches and routers are hacked in bulk to ship data to the NSA. The SSL security infrastructure that we all want to believe is safe is deeply compromised in multiple ways.
Here’s a nice list that someone put together of the NSA actions:
- Bulk collection, cataloging, and processing of any and all unencrypted data, worldwide. Where it doesn’t have an agreement to tap all data, it does so surreptitiously, on undersea fiber, etc.
- Bulk collection, cataloging, and processing of metadata about encrypted and non-encrypted connections.
- Spotting and decrypting known-bad encryption systems whenever they appear. So for example, if they spot MS-CHAP in the wild, they automatically break it.
- Dictionary and rainbow table attacks on encrypted content.
- Using political, legal, or financial pressure to make companies insert backdoors into hardware and software products. Note that this explicitly includes router, switch, and firewall software.
- Using political, legal, or financial pressure to make companies and individuals insert difficult-to-spot vulnerabilities, like a less-than-random random number generator, or a common exponent to a public key exchange protocol. When these issues are discovered, they are easily explained as mistakes.
- Using political, legal, or financial pressure to make companies give up private keys for user data.
- Actually hacking into resources to take a copy of their private keys.
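The “less-than-random random number generator” in that list is the kind of defect that is easiest to argue away as a mistake, but it leaves a measurable trace: if a generator’s real entropy is far smaller than the nominal size of what it produces, independent systems start minting the same keys or nonces. The following Python script is an added example and not part of the original post. It constructs a hypothetical flawed generator (a deterministic PRNG seeded from a 15-bit value, standing in for something like a process ID) next to the OS CSPRNG, collects a sample of nonces from each as if from many hosts, and audits the samples for duplicates. The sample sizes, the seed space and the function names are assumptions for illustration; the birthday-bound calculation is the standard one.

```python
"""Spot-check for a weak random number generator via duplicate detection.

Added example, not from the original post. The weak generator, the seed
space and the sample sizes below are constructed for illustration.
"""
import math
import random
import secrets
from collections import Counter

NONCE_BITS = 128            # nominal size every nonce claims to have
WEAK_SEED_BITS = 15         # hypothetical: the flawed generator is seeded from a 15-bit value
WEAK_SEED_SPACE = 2 ** WEAK_SEED_BITS


def weak_nonce(seed: int) -> bytes:
    """Hypothetical flawed generator: a deterministic PRNG seeded from a tiny
    value, so only WEAK_SEED_SPACE distinct nonces can ever be produced,
    whatever the nominal 128-bit width suggests."""
    rng = random.Random(seed)
    return rng.getrandbits(NONCE_BITS).to_bytes(NONCE_BITS // 8, "big")


def strong_nonce() -> bytes:
    """Nonce drawn from the operating system's CSPRNG."""
    return secrets.token_bytes(NONCE_BITS // 8)


def collect_weak(count: int, picker_seed: int = 1) -> list[bytes]:
    """Simulate `count` independent hosts, each seeding the weak generator
    from its own small value. `picker_seed` only makes the simulation
    repeatable; it is not part of the generator under test."""
    picker = random.Random(picker_seed)
    return [weak_nonce(picker.randrange(WEAK_SEED_SPACE)) for _ in range(count)]


def collect_strong(count: int) -> list[bytes]:
    """The same sample size drawn from the OS CSPRNG."""
    return [strong_nonce() for _ in range(count)]


def audit(nonces: list[bytes]) -> dict:
    """Count how many distinct values appear and how many are repeated.
    Any repeat among values that are supposed to be 128-bit random is a
    red flag: the generator, not bad luck, is the likely cause."""
    counts = Counter(nonces)
    repeated = {n: c for n, c in counts.items() if c > 1}
    return {
        "samples": len(nonces),
        "distinct": len(counts),
        "repeated_values": len(repeated),
        "suspicious": bool(repeated),
    }


def p_collision_free(count: int, space_bits: int) -> float:
    """Birthday bound: probability that `count` draws from a space of
    2**space_bits values contain no collision, exp(-n(n-1) / 2N)."""
    return math.exp(-count * (count - 1) / (2 * 2 ** space_bits))


if __name__ == "__main__":
    n = 2000
    for label, sample, bits in (
        ("weak generator", collect_weak(n), WEAK_SEED_BITS),
        ("OS CSPRNG", collect_strong(n), NONCE_BITS),
    ):
        result = audit(sample)
        print(f"{label}: {result}")
        print(f"  P(no collision) for {n} draws from a {bits}-bit space: "
              f"{p_collision_free(n, bits):.3g}")
```

Two thousand samples are enough to make the flaw visible: the birthday bound puts the chance of a collision-free sample from a 15-bit space at essentially zero, while the same draw from a genuine 128-bit space is collision-free with probability indistinguishable from one. The audit itself needs no knowledge of the generator’s internals, which is what makes collision checks over large corpora of keys or nonces a practical way to notice this class of defect.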
And these activities in the US & Britain shed light on the Chinese, Russian, Indian, German, Israeli and other governmental hacking efforts. Take everything that the NSA is doing and recognize that every other country fighting for economic dominance is doing it too. It’s doubtful that the Israelis focus on us over their neighbors, but the Chinese are well known to focus squarely on US companies of all kinds.
What we weren’t prepared to learn is that they are treating US citizens and companies, whom they are not supposed to be spying on at all, as equally valid targets, capturing everything they can indiscriminately, and not doing anything to prevent the penetration of US targets by other countries with the same sophistication. Quite the opposite, they’re actively undermining everyone. And they don’t seem to think at all about American competitiveness or cyber-supremacy. In their calculations, it’s better to let hackers from other nations vacuum up the same data as the NSA than to lose the NSA’s entrée and betray the depth of their penetration.
Now, with the depth and scope of the hacks revealed, and the total loss of trust in commercial security software makers, I don’t see how companies that are strategically competitive can put their data on a public cloud or allow it to flow outside their networks. I’m thinking of global economic strategic assets: financial services, banks, large manufacturing, military sub-contractors, industrial electronics firms, utility operators. The assets at risk could be physical infrastructure, or pure information: it’s anything that would give rising powers around the world competitive or economic advantage.
We can’t say “well, it’s just the NSA and GCHQ in Britain” because it’s not. This is exposing what every globally aggressive country is doing. The NSA is doing all this on a budget that seems quite small to me. Some of their most effective programs are just tens or hundreds of millions, and billions for the largest. I would think that the Chinese have mounted huge efforts to achieve the same results or better. They’re number 2: they try harder. It wouldn’t surprise me if the attacks that we do hear about are from the Chinese Junior-Varsity Hacking Team, or even meant to serve as a distraction rather than a full attack.
You may have heard about a recent brouhaha with a Chinese telecom manufacturer, Huawei. “Would Huawei put backdoors in their telecom products that China can use to spy on us?” Well, it turns out that the NSA is loading US equipment with the subtle and crafty backdoors we were worried about. So I’m going to say yes, telecom and network equipment is all hackable. And even if it isn’t hackable as it rolls off the factory floor, the NSA is buying and leveraging zero-day exploits, creating their own unknown exploits, and hacking right into equipment all around the world, including the US.
This is going to take some time to absorb and more stories are still coming. It’s hard to look at any security practices as being sufficient. We still believe, based on the NSA’s unfiltered writings, that strong cryptography works. But everyone and everything else that touches our data is weak. The basic plan is to attack weak points: the networking hardware, unpatched software, misconfigurations, bad security practices, etc. The NSA, Brits, Chinese, Russians, Indians, Germans, Israelis and others work to capture it before or after encryption.
Security is a state of mind and I think it’s something we’re all going to have to think differently about. We’ve learned that our fly has been down this whole time. No, it’s worse… this is the emperor’s new clothes. The most security-conscious companies I know are trusting vendors that are compromised and trusting the “best practices” of web encryption that are nothing more than fig leaves. So what does a company do? If a strategic business’s protection hinges on encryption and vendor solutions, they must:
- Assume that every digital asset produced until now is copied, stored and open to multiple countries around the world.
- Assume that this copied data is being repeatedly perused for economic espionage.
- Assume that all data leaving the network is copied and stored, because it is.
- Realize that these surveillance capabilities are going to follow Moore’s law and empower more governments and non-governmental entities to perform silent espionage in the years to come.
- Adopt a completely different risk model that assumes that data is already being copied and will continue to be copied without comprehensive security practices.
- Revisit every decision about security practices and ask whether the cost of protection exceeds the risk of espionage, because you know damn well that the data is already available.
I have not been a big fan of “private cloud” and have preferred “public clouds” like Amazon. My reasoning was that in public clouds you benefit from continued innovation in ways that you wouldn’t with a private cloud in your own data center. Public clouds also make us consider failure more rigorously instead of believing that “our network is different.” Security in the broad sense, which includes maintaining availability through techniques like failover, disaster recovery and componentized services, to name a few, is better understood, better documented and hopefully better incorporated in public cloud architectures.
Unlike the initial revelations of NSA’s PRISM, these latest revelations seriously question the security of the public cloud. Yes, cloud providers are doing a brilliant job architecting their offerings. But are they able to match wits with the NSA? Even cloud providers incorporate commercial software offerings, so have they introduced backdoors? We just can’t know for sure. There are devils we know and devils we don’t.
Will Amazon open-source its code for security review? It’s doubtful, because a real security review has to account for the entire architecture, and that would reveal a big chunk of your intellectual property. OpenStack, the private/hybrid cloud stack produced by a broad consortium of companies, may benefit greatly because it is already open-source. This is some rich irony, since OpenStack is delivering outstanding benefits to the NSA.
Open source software just got a huge boost. On one hand the NSA may be able to insert a bug or compromise the source code. But on the other hand we know they’re compromising commercial software. At least with open source we can inspect it, and there are many dedicated developers that already do. I think that community of professionals is going to get a shot in the arm with more money and donated development time from commercial companies that just realized there is no security in non-open-source software.
I encourage you to read the sharp, piercing critiques of the NSA around this bombshell revelation. I’ve included links below and you can find more in my Twitter feed. There’s more to come, but the tipping point just passed and serious action is inevitable: technological overhauls, political action, legal action, and the necessity for everyone to reevaluate what they’re OK with the government knowing. Keep in mind that the NSA still has no idea what Edward Snowden took. That’s why the NSA, the White House, the ODNI and others are issuing denials that keep turning out to be lies when the next article emerges.
This is showing that security must be integral to every purchase, every design, every implementation and every change. The only other option is to assume the data isn’t secure at all. In other words, we have to ask ourselves if we’re OK with multiple international governments and unknown other non-US groups having access. Because it’s not a hare-brained conspiracy theory, it’s a fact. Security pros used to joke that there are two kinds of companies: those that know they’ve been hacked, and those that don’t know it yet. It’s no joke anymore, so now what?