PRISM: will the cure be worse than the disease?

Now here’s a thing. As a private citizen, are you horrified or reassured by the revelations that the American NSA has been intercepting and monitoring internet traffic wholesale?

I suspect you’re closer to appalled than comforted. Certainly, this is the public mood. The Europeans have been particularly vocal in expressing their concern at governmental level, with Germany taking a firm stance on privacy (motivated perhaps by recent memories of Stasi surveillance – remember that Angela Merkel, the present Chancellor, is an Ossi) and the French getting huffy about national security.

Prominent commentators from the IT world have also been vocal in their criticism, notably Bruce Schneier’s call to arms. While reaction to his cri de coeur has been mixed, the main industry players have – with no little irony – fallen over themselves to jump on the privacy bandwagon.

One consequence is that there’s been a lot of talk from industry majors about developing new, and more secure, protocols for internet traffic. It has been suggested that the NSA has cracked the fairly dated encryption that protects HTTPS traffic; if this is true then, even if you don’t mind the Americans watching your bank transactions, you should still be concerned. Genies don’t go back into bottles, and cypher algorithms don’t unbreak themselves. If the NSA can do it today, the criminals will be able to do it soon. Remember that Moore’s law means today’s multi-million-dollar supercomputer is tomorrow’s budget smartphone.

So the drive for new and improved cypher techniques and secure internet communications can only be a good thing, right? After all, privacy is an eternal and unassailable right, isn’t it?

Well, yes. And then again, maybe not. It all depends on your point of view.

This isn’t a political blog, so I’ll try to stay away from the War on Terror. Let’s think about this instead in business terms. Here are three reasons why I’m concerned about the Prism backlash:

  • Smarter criminals: the NSA has some of the best cryptanalysts in the world, effectively unlimited computing power and  significant legal force. I don’t. So if the bad hats inside or outside the organisations I help to protect raise their game, I’m going to find it harder to keep up. As a simple example, if VPNs and obfuscated routing become core features of webmail services, I won’t be able to block them on my network – without outraging staff – nor will the existence of a VPN be a useful alert in my monitoring.
  • Internet isolationism: many would argue that globalisation has been the great growth engine of the last century. Certainly access to innovation (a lot of originating outside the EU) has been a significant contributor to increased productivity. So calls for a fortress Europe with increased data protection and local-only Cloud, even if they’d be to my benefit, worry me. Will Europe’s focus on privacy hold her economic recovery back?
  • Higher maintenance costs: most of the time, most of the stuff we do on the internet is pretty mundane. It’s neither highly confidential nor especially valuable. If the reaction to Prism is to try to apply substantially higher levels of security to everything, I’m concerned that more stuff will break more often. Our service desks will be dealing with more calls relating to missing or obsolete certificates, or browsers not supporting required encryption standards; our firewalls will need to open more ports and implement more protocols. And users will be spending otherwise productive time on the phone to support.

In general, as a security professional, and as a private citizen, I’d say that more security – and more privacy – is generally a good thing. But as with all things, more is not always better, and everything has a cost. Let’s be careful of the unintended consequences.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.