I’ve been avoiding writing about the Snowden revelations since they starting appearing mostly because people that are much more eloquent than I have said pretty much everything already. However, I was at the JANET CSIRT conference this week and I was inspired by a talk from @stephenbonner and felt I ought to add my voice as one of the ‘good guys’ in infosec out there, even if it is just shouting into a void.
Stephen Bonner suggested, and I feel he’s right in this, that the majority of money sloshing around the infosec world is spent on offensive capabilities ($50bn in the US, £2bn for the entire UK ‘single intelligence account’) and that therefore their voice is loudest. Those of us whose budgets are tiny often have to defend organisations that have much higher turnovers and assets. The force multiplier works to our disadvantage: we have to do a lot with less whereas members of three-letter-agencies can spend huge sums to achieve relatively little.
To put it on record, albeit after the fact, I don’t think anyone is massively surprised about the extent of government intrusion into our lives, it’s just that we’re surprised how accurate the tin-foil-hat-wearing brigade were. Within my organisation we’ve been warning against putting sensitive data (or indeed any data without adequate protection) into cloud services for exactly this reason; we just didn’t feel comfortable that things like the Patriot Act gave governments carte-blanche if they just uttered the magic password ‘terrorists!’
But what about the terrorists?!
I don’t want to downplay the effect on people’s lives that murder and mayhem cause: I remember being abroad during the 7/7 London tube bombings and unable to get hold of my husband made me sick with worry; I remember the constant fear the IRA instilled during the 90s. But, terrorism is just that – an attempt to bully and threaten by exaggerating your abilities through fear.
The UK has an independent reviewer of terrorist legislation whose job is to provide a degree of balance in the argument. They are entitled to view secret data not available to the public or parliament and are therefore perfectly placed to dispassionately analyse how terror laws work and whether they are proportional.
In their 2012 report they were able to report that the annualised rate of mortality from terrorism in the UK, over the course of the 21st century (so including the tube attacks), is 5 deaths per year. To put this into context there are 5 deaths on UK roads every day and there are more deaths from stinging insects each year than from terrorists.
Governments have a responsibility to protect their citizens, I get that. I’m also not naive enough to believe that some secrecy in a society isn’t necessary, but this is about balance, and we have it way wrong.
“The threat of terrorism is, no doubt, sometimes exaggerated for political or
commercial purposes. It is certainly a powerful rallying-cry for the flourishing
security and surveillance industries.” – DAVID ANDERSON Q.C. Independent Reviewer of Terrorism Legislation
This is all legal!
We’ve had a debate in the UK twice about the security services storing all of the internets. On both occasions we – as a democracy – decided that on balance our privacy and liberty won out against the risk of not detecting all of the bad guys.
In the US, where a mock court pretends it’s providing oversight, the NSA decided that the Prism programme wasn’t actually convenient and that it was far easier to compromise the internal data centre networks at Yahoo and Google instead. A private citizen hacking a company is, rightly, punished with years in jail, but if a government does it, that’s somehow ok?
GCHQ aren’t even sure if what they’re doing is legal. If you have any doubts about the ethics of what you’re up to, I reckon you’re probably on the wrong side, but hey, it’s not like they don’t have form in usurping scrutiny and due process.
It’s only metadata
OK, two things:
1) I can learn an awful lot from who you email, what the subject lines are, what websites you visit and what search terms you use. It’s said that Google knows you’re gay before you even realise it yourself and although that might not accurate, I’m not convinced I want any government storing a giant database of my friends, sexual desires and allergies. If you don’t think this in itself a problem, how would you feel about CCing every email to me, or maybe getting changed with the curtains open in your bedroom? Probably not great I’d guess – fancy 1.4m people with top secret clearance having access to that? But it’s not as if they’d use that privilege to actually check out prospective dates or their spouses.
2) GCHQ have decided to store everything anyway. Even though we had debates, twice, about just storing metadata, GCHQ hoover up the whole lot, content and all, under a program called Tempora. The internet’s quite big so they can only store it all for three days, but they then go and select for things of interest and store them for much longer. On a technical level, this is absolutely mind-blowingly-cool, but just because you can do it doesn’t mean you should.
We’re protecting you really
Whilst we’re busy building new “cyber reserve units” to attack we’re not putting a great deal of investment into things like the CPNI. And isn’t there a bit of a conflict of interest – one arm of government telling you to do one thing to protect and the other actively working to subvert that? I’m not entirely sure what monitoring Angela Merkel’s phones has to do with terrorism either.
To make life easier, standards have been subverted and backdoors introduced into major pieces of infrastructure through the Bullrun and Edgehill programs. It’s double standards to complain that Huawei might be up to the same tricks, and of course this then leaves those same flaws open to exploit by the bad guys too.
Secret three-letter-agencies have become self-perpetuating industries; they exist only to prolong their own existence. To do this they have to fight for budget. To justify that, they have to bring in product. Counter terrorism is one of those roles for sure, but their political paymasters aren’t likely to turn down information that helps them at a negotiating table either, just as long as they don’t want to know exactly how they came by it.
What can we do?
Under sustained attack by governments, there’s not a great deal anyone can do, it’s just a matter of time, but we can make it harder for them. We can do better at defending our own networks. We need to make it easier to use encryption by default: the maths is sound even if some implementations are broken. We need to think carefully about cloud computing and take service from those companies that are able to preserve our privacy and ignore those that don’t. Take your business away from US & UK computing firms and they will quickly pressure the politicians. Make it more expensive for the NSA & GCHQ to do their jobs and their paymasters will eventually baulk at the cost.
The previous generation to mine started the internet and considered it a kind of utopia free from interference. The internet is broken and we need a new one.
There’s been some great talk over on twitter that I thought I’d bring over:
– The UK’s National Cyber Crime Unit (merger of SOCA & PeCU) has just opened up which is a good sign that defensive infosec is getting the attention it needs.
– The UK’s CERT is also supposed to appear some time next year (there is currently a government CERT run by GCHQ which is the conflict of interest alluded to in the main piece). Again, this is a positive step.
– The parliamentary oversight committee, ISC, is woefully unequipped for the job. Apparently they didn’t even know of half the GCHQ programs until they were disclosed by The Guardian.