The NSA, Surveillance, And What CIOs Need To Know

Plan X: DARPA's Revolutionary Cyber Security Platform

Kurt Opsahl, General Counsel for the Electronic Frontier Foundation took the stage for the Interop Keynote and told a chilling tale of government spooks, secret facilities, hidden courtrooms, and high technology used to track the world's communication.

If you're a CIO, especially at a multinational, and you aren't yet worried about the way the US government is tracking global internet and phone traffic, you need to hear what Opsahl said. It will keep you up all night for all the right (and some wrong) reasons.

As Opsahl puts it, "After 9/11, President Bush unleashed the full powers of the dark side." A mix of existing laws to monitor foreign communications and new powers given under the Patriot Act allowed for a vast expansion of the power for the NSA to collect and store communications data.

But it isn't just the laws that made this possible.

It is the power of our internet and telecom industry. The United States receives much of the phone traffic from other nations, especially Canada and Europe, because as Opsahl points out, "communications signals don't take the shortest path. They take the cheapest." As these signals enter our shores, they are fair game under various laws including FISA and its later amendments.

How do they intercept the communication?

According to Opsahl, the government uses 22 secret facilities equipped with "splitter closets" that split and make perfect copies of fiber optic signals and direct one copy directly to the NSA. Opsahl said an engineer once described the facility as having a door with no door knobs or obvious ways to get in.

If that doesn't spook you, remember that FISA courts are secret as well. The FISA court is protected by a Faraday cage to eliminate electronic signals. Permission to intercept signals is given in secret by the court with logic that is chilling. Opsahl told a story of a subpoena granted in the court. The government successfully argued that a terrorist site has been accessed by every ISP in Sweden, and therefore, they had the right to monitor the internet traffic of the entire country of Sweden. Not just the people who were accessing the site, just anyone who innocently happened to use the same ISP.

That's like saying because one terrorist saw Tom Hanks in "You've Got Mail" everyone who still uses AOL is subject to search.

According to Opsahl, the government is storing 40 petabytes a day.

The US government has a facility in Utah capable of storing between three and 12 exabytes. Despite claiming that they only observe a few thousand "selectors" (people of interest) the law allows them to capture data on anyone they call and anyone that those people call and even anyone that those people call, making a net of millions of people being observed constantly (and Opsahl would say illegally). Opsahl also says they've begun spending $250 million per year on defeating encryption and have begun to use covert and overt ways to get companies to allow backdoors into that encryption.

[ In fact some have accused the NSA of stealing encryption cards. Read NSA, GCHQ Theft Of SIM Crypto Keys Raises Fresh Security Concerns. ]

So why does this matter if you're doing nothing wrong?

Well, aside from the obvious issues of freedom and justice, this can be a problem for your job. For one, depending on where you do business, you may be violating law by allowing your signals to pass through the wrong space. For another, your encrypted data may not be all that encrypted.

Perhaps the most worrisome part about all of this might be that you might be doing something not all that different with your data than the NSA. Sure, you're using customer data that they volunteered rather than split signals. Sure, you don't have a secret court or someone locked in a facility with no doors trying to steal data.

But there is a monkey see, monkey do trend in IT. Consumerization of IT, mobile devices, cheap storage, wearables and Internet of Things is creating a mad scramble to grab big data (huge data) and use it to engage (exploit?) the consumer. Sure, the data started out as voluntary, but have you been combining it with public data to "learn more" about your customers? Have you tracked them by phone to see where there were going and what they did?

What are you doing with your data, and do you feel any better about what you're doing than what the NSA is doing? I hope, even if the chilling facts about the NSA don't keep you up at night, the question of what you do with your own data does.

Attend Interop Las Vegas, the leading independent technology conference and expo series, designed to inspire, inform, and connect the world's IT community. In 2015, look for all-new programs, networking opportunities, and classes that will help you set your organization's IT action plan. It happens April 27 to May 1. Register with Discount Code MPOIWK for $200 off Total Access & Conference Passes.