The NSA, Surveillance, And What CIOs Need To Know - InformationWeek


4/29/2015
04:01 PM
David Wagner


At the Interop Keynote, things get frightening as the EFF's Kurt Opsahl recounts the NSA's surveillance history.


Kurt Opsahl, General Counsel for the Electronic Frontier Foundation, took the stage for the Interop Keynote and told a chilling tale of government spooks, secret facilities, hidden courtrooms, and high technology used to track the world's communication.

If you're a CIO, especially at a multinational, and you aren't yet worried about the way the US government is tracking global internet and phone traffic, you need to hear what Opsahl said. It will keep you up all night for all the right (and some wrong) reasons.

As Opsahl puts it, "After 9/11, President Bush unleashed the full powers of the dark side." A mix of existing laws to monitor foreign communications and new powers given under the Patriot Act allowed for a vast expansion of the NSA's power to collect and store communications data.

But it isn't just the laws that made this possible.

It is the power of our internet and telecom industry. The United States receives much of the phone traffic from other nations, especially Canada and Europe, because as Opsahl points out, "communications signals don't take the shortest path. They take the cheapest." As these signals enter our shores, they are fair game under various laws including FISA and its later amendments.

(Image: Jeff Shuler via Wikipedia)


How do they intercept the communication?

According to Opsahl, the government uses 22 secret facilities equipped with "splitter closets" that split fiber optic signals, make perfect copies of them, and send one copy directly to the NSA. Opsahl said an engineer once described the facility as having a door with no door knobs or obvious ways to get in.

If that doesn't spook you, remember that FISA courts are secret as well. The FISA court is protected by a Faraday cage to eliminate electronic signals. Permission to intercept signals is given in secret by the court with logic that is chilling. Opsahl told a story of a subpoena granted in the court. The government successfully argued that a terrorist site had been accessed by every ISP in Sweden, and therefore, they had the right to monitor the internet traffic of the entire country of Sweden. Not just the people who were accessing the site, but anyone who innocently happened to use the same ISP.

That's like saying because one terrorist saw Tom Hanks in "You've Got Mail" everyone who still uses AOL is subject to search.

According to Opsahl, the government is storing 40 petabytes a day.

The US government has a facility in Utah capable of storing between three and 12 exabytes. Despite the government's claim that it only observes a few thousand "selectors" (people of interest), the law allows it to capture data on anyone those selectors call, anyone that those people call, and even anyone that those people call, making a net of millions of people being observed constantly (and Opsahl would say illegally). Opsahl also says they've begun spending $250 million per year on defeating encryption and have begun to use covert and overt ways to get companies to allow backdoors into that encryption.

[ In fact some have accused the NSA of stealing encryption cards. Read NSA, GCHQ Theft Of SIM Crypto Keys Raises Fresh Security Concerns. ]

So why does this matter if you're doing nothing wrong?

Well, aside from the obvious issues of freedom and justice, this can be a problem for your job. For one, depending on where you do business, you may be violating the law by allowing your signals to pass through the wrong space. For another, your encrypted data may not be all that encrypted.

Perhaps the most worrisome part of all this is that you might be doing something with your data that is not all that different from what the NSA does. Sure, you're using customer data that they volunteered rather than split signals. Sure, you don't have a secret court or someone locked in a facility with no doors trying to steal data.

But there is a monkey see, monkey do trend in IT. Consumerization of IT, mobile devices, cheap storage, wearables, and the Internet of Things are creating a mad scramble to grab big data (huge data) and use it to engage (exploit?) the consumer. Sure, the data started out as voluntary, but have you been combining it with public data to "learn more" about your customers? Have you tracked them by phone to see where they were going and what they did?

What are you doing with your data, and do you feel any better about what you're doing than what the NSA is doing? I hope, even if the chilling facts about the NSA don't keep you up at night, the question of what you do with your own data does.


David has been writing on business and technology for over 10 years and was most recently Managing Editor at Enterpriseefficiency.com. Before that he was an Assistant Editor at MIT Sloan Management Review, where he covered a wide range of business topics including IT, ...
Comments
batye,
User Rank: Ninja
5/5/2015 | 2:06:56 AM
Re: Data in your organization
@tzubair, interesting observation/question... it's like you could never win it... as there is always a weak point in the security - human :(...
Li Tan,
User Rank: Ninja
5/4/2015 | 9:04:42 AM
Re: Data in your organization
This is then a trojan horse case - I think somehow it goes back to the old topic about the disastrous inside intruders. :-)
tzubair,
User Rank: Ninja
4/30/2015 | 9:23:06 PM
Re: Data in your organization
"The varied opinions about privacy don't help the situation. Mark Zuckerberg's declaration that privacy was dead seems to have been taken seriously by some"

@David: I wonder if you can use that as an argument to defend your company in court should you run into a situation where the privacy of your data has been compromised and your own internal staff is responsible for it :)
David Wagner,
User Rank: Strategist
4/30/2015 | 12:47:41 PM
Re: Data in your organization
@Broadway0474- I think we should worry about anyone who is taking the responsibility of being a steward of our data that isn't taking it seriously. In speaking with folks this week, there seems to be a split in companies who are trying to cram as much data as possible and those looking to offload as much personal data as possible. Just a suspicion, but I'm guessing the ones trying to grab more data haven't been caught with a breach or abusing their customers yet.
Broadway0474,
User Rank: Ninja
4/30/2015 | 12:16:56 PM
Re: Data in your organization
As consumers and citizens, we all still have far more to worry about from government's efforts to steal and snoop on our data than from corporations like Facebook. And as organizations, they still have far more to fear from their own failures at data stewardship and risk management than they do from the government. By the law of associations, does that make a contradiction? Is the worry of your enemy's enemy your worry? Should we be worried more about corporations simply because they don't have their act together?
David Wagner,
User Rank: Strategist
4/30/2015 | 11:29:16 AM
Re: Data in your organization
@tzubair- It seems to vary. In my talk with CIOs about data, many seemed very aware of the issue. Others seemed pretty cavalier. The varied opinions about privacy don't help the situation. Mark Zuckerberg's declaration that privacy was dead seems to have been taken seriously by some.
tzubair,
User Rank: Ninja
4/30/2015 | 4:02:00 AM
Data in your organization
"I hope, even if the chilling facts about the NSA don't keep you up at night, the question of what you do with your own data does."

@David: I think every CIO would become uneasy at this thought. It is indeed a sensitive issue. Regardless of what NSA does with the data, the fact that there's a high chance of data being misused by your own people should make you look into what controls you have on the data and who has access to what level of data. If you're a CIO reading this, when was the last time you conducted this exercise?