In the fall out of the NSA Government spying row a number of things have become readily apparent from both the business security viewpoint and the personal security viewpoint.
From the Business Viewpoint we have landed firmly in the Catch 22 world, on one side we have government regulations that tell companies what they must do as in terms of information security. But now we have the added complexity of Government as Hacker. We cannot assume that all of the attacks will come from insiders and outsiders, we also need to start accounting for a Government role in reducing the security posture through the reduced effectiveness of the crypto keys we use, to the idea that the Government might be spying on one of our employees, and we might stumble across a Government hacked computer system.
Local information security departments are woefully unprepared for the Government as Hacker. If we find a government root kit, if we find government sponsored monitoring tools on an employee’s computer (especially in a BYOD environment) how do we even plan to cope with something like this. Are we violating yet another law by clearing their computer of the government sponsored malware, or should we let it continue to work? Who do we contact? Should we contact anyone, above all do we inform the employee that we found all this stuff and we don’t know where it came from, but looks like someone is very interested in what you are doing? It is a lot like a car mechanic finding a GPS device on the underside of a car doing their inspection of the car, what is the responsibility, where is the reporting tree, what does reporting look like?
The Government as Hacker also introduces complications in other laws that companies must adhear to, SOX, HIPAA, GLB, and a myriad of others in the USA. How do we report to our customers or clients that the Government hacked our systems and took a direct copy of X number of records from our payment processor? Can this be reported, should it be reported, what are the consumer protection rules going to say about this.
Of course all this comes with a Gag Order on the part of the company, but what law takes precedent, the reporting laws or the Gag Order? So far that has not been tested. As of today we really don’t know what the mandatory disclosure laws are going to do when we find out that the government is hacking our systems, for consumer information. Or does a law enforcement request even mean that there was a disclosure that must be reported to the consumer. We all know about those lovely FBI boxes on computer networks, we all know that the NSA is hoovering meta data wherever and whenever they can, are any of these reportable under mandatory reporting laws, or other national or even international laws. So far everyone seems ok with complying with Law Enforcement, and not reporting that there is a listening post inside the ISP’s network. No one is asking about them, but I would be interested in knowing if my ISP has one. Gag orders seem to take precedence over all other mandatory and legally required reporting mechanisms and laws in place. This needs to be tested.
From the personal side, our computer systems are sitting in our living room, the microphone might be turned on, the video camera going while people are engaged in discussion of events or even how the day went. We might be angry, sad, or having issues. Much like the TV sets in 1984, those computers then become the way that we can be monitored if we are worthy of being monitored. I am waiting for my speaker system to say Winston, Smith, 1944222X get up on your feet, or for some creepy voice to come out and finish the poem about the bells of saint mary. We are at that point, our phones, our computers, our cars, everything we have can betray what we do, where we go, who we associate with, and innocent or intentional, paint what could be a “politically unreliable” picture of who we are. Am I monitored every time I go by Left Bank Books? Does that make me politically unreliable? Can my employer find out about this, can I get fired for this?
What defines political non-reliability? What is the government really looking for? This will lead to millions of little acts of censorship on the part of people. People will suppress what they want to say or think or do because they think or know they are being monitored. While we might be able to do things or say things, we don’t know what group or person above us will select us for special attention. In the normal course of live we probably won’t fall under special attention rules, but what if we do or say something unpopular. What if we join a PAC or a political party that is deemed unreliable, suddenly every single one of my connections on Facebook, G+ and/or Twitter become suspect. Maybe they are all innocent, maybe not, someone will decide, we are guilty of something we don’t know what. So it is better not to participate, better not to say anything, better to be quiet and not rock the boat for those things we believe in. It makes us less likely to do anything that an employer or a government representative would get upset over.
I see this in my own writing, all my information security writing has just about shut down because I have seen far too many information security researchers go to jail, go to court, get arrested, or have other problems with the law. Information security research has gone underground in private channels, or is sponsored by organizations big enough to deal with the legal ramifications of that research; you need deep pockets and pray your employer will stand by you. It is simply the path of least resistance to stop writing publicly and go to places where we can discuss openly information security issues. The ultimate easy answer is to simply stop researching, politically reliable, self censoring, not rocking the boat, not going to jail, not getting SWAT’d in my own house and all my computer systems confiscated. Pain for my friends and family, and no deep pockets to fight it.
This goes beyond the simple monitoring, broken encryption standards, this goes to the very core of a technologically based society. When the tools and systems we use could be used to monitor what we do, what we say, where we go, who our associations are, to determine political reliability we all lose. When we have to self censor so we don’t go to jail like other security researchers we lose. As a whole, as a society, somehow we are less than we could have been. And that is the tragedy of the whole thing, in the end we lose a creative element, we lose a reporting structure, we have nothing to replace it with, we have to assume everything we do and say at some point will be held against us.
(Cross-posted @ Hacking Cloud Computing)