Weighing up the impact of Edward Snowden

By on
Weighing up the impact of Edward Snowden

[Blog post] One year on, what has the whistleblower taught IT?

As you read this, the United States will be waking up to the one-year anniversary of Edward Snowden’s first leaks on his country's surveillance programs to the world’s newspapers.

Over the coming weeks, Snowden will be reaching out to numerous nation-states in search of a new home, knowing his temporary asylum in Russia ends in August. 

US authorities, meanwhile, are formulating a plea deal in the hope of convincing the dissident to return to the United States to face espionage charges. 

We can anticipate that - regardless of the outcome - we’ll all be discussing Snowden’s contribution to the world over the coming weeks.

I am as uncomfortable with describing the whistleblower as a ‘hero’ as I am with those that charge him a ‘traitor’. I empathise with his motives and greatly admire his conviction (who else would trade a comfortable life for the last 12 months he has endured?).

And yet simultaneously I fear the precedent set if, in the future, it is to be considered an heroic act to leak millions of documents, even if only a fraction of them expose serious wrongdoing.

Whistleblowers, like journalists, should be judged on their ability to filter information.

Unfortunately for Snowden, the US legal system is unlikely to weigh the positive outcomes from his leaks against the harm Western intelligence services claim to have endured.

Beyond arguments over whether the NSA’s activities were legal or constitutional, after 12 months of leaks it is worth framing both the positives and negatives of Snowden’s actions from the perspective of our community, information technology professionals. 

What we gained

A reality check on cloud services

  • It is important that IT professionals understand the degree to which large US cloud providers such as Google and Microsoft have been co-opted - whether by financial (payments) or legal (threats) means - to hand over user data under the PRISM program

    Snowden’s leak revealed PRISM gives intelligence analysts direct access to emails, chat logs, VoIP calls, video conferencing sessions, stored data and usernames and passwords for any of these services. 

    Without Snowden’s leak, IT professionals would not have known the full implications of storing sensitive data with a third party service provider, especially one located in the United States or owned by a US firm.

Lifting the gags

  • While in several cases technology companies have made commercial gains from sharing data with intelligence services, Snowden’s leaks revealed the means by which US authorities are able to gag those service providers that wanted to speak out about surveillance overreach. We now know what it means to be subject to a National Security Letter. 

    In the wake of the leaks, the larger technology companies now feel there is enough public support to justify public lobbying of the US Government, demanding it narrow its surveillance scope and bring about greater accountability and transparency. 

    Those service providers that were concerned about the mass surveillance programs arguably only have a voice today because of Edward Snowden. 

Informing the data sovereignty debate

  • The Snowden leaks helped inform IT professionals in Australia of the extent to which Australia’s intelligence services cooperate with the NSA (as exposed by the Australian Signals Directorate’s use of the XKeyscore tool). 

    This revelation is very relevant to our own debate over data sovereignty. What sovereignty exists when Australian and US intelligence authorities contribute to and share the same large data sets? 

A new threat actor

  • Again, while long suspected, Snowden helped reveal that the NSA actively produces malware in its efforts to tap foreign enemies.  

    The NSA’s ANT catalogue boasted that operatives had developed exploits to hack into industry standard servers, switches, personal computers and smartphones. 

    The leaks do not confirm how widely this malware is distributed, but in any case gave IT security professionals a reality check in terms of who to include in their ‘threat actor’ lists when attempting to secure their networks.

A more grounded view of cryptography

A reality check on equipment suppliers

  • It was not entirely a secret that US-manufactured network and security devices were subject to US controls before they are shipped offshore - but the purpose for which they are intercepted is much clearer now IT professionals have seen photos that show NSA operatives planting beacons in Cisco switches marked for export to surveillance targets

    While this is not a mass surveillance program, it nonetheless raised concerns. US authorities routinely act on behalf of corporate interests. Can any IT professional working in a sensitive industry be sure a network device they have purchased is clean, without prising it open?

    In any case, these revelations caused enough outrage to give US equipment vendors (in this case, Cisco Systems) just cause to lobby publicly for such operations to be reined in.

The costs

Trade disputes

Delayed projects

  • While it is crucial that IT professionals have the full information about the implications of hosting data in public cloud services or securing a network or data store with encryption, it is also true that many IT decision makers are likely to delay implementations of some of these technologies while they investigate the consequences. 

    On such occasions, whatever agility, cost efficiency or extra layer of security a CIO might have sought is postponed.

The financial cost of surveillance

  • Edward Snowden helped to reveal the exorbitant cost of the NSA’s mass surveillance programs (some US$52 billion a year) - enough to concern the US taxpayer as equally as they might be concerned about invasions of privacy. 

    Undoubtedly, however, it has also revealed an uncomfortably detailed description of NSA tactics that can be used by legitimate enemies of the United States and United Kingdom to evade surveillance. 

    (As an aside, many of the exploits described in the leaked documents were old enough that it can safely be assumed newer ones have since been developed.) 

    In any case, the cost of developing new exploits in Western intelligence services to replace those now in the public domain will likely be borne by its citizens.

Human costs

  • The US Government argues that any information protected to be in the interests of "national security" has the potential to cost lives if leaked. There is little public evidence thus far that demonstrates Snowden's leaks have threatened lives, but US intelligence operatives might disagree. 

In sum...

While Edward Snowden’s leaks created costs to be borne by the IT community, they are outweighed in my mind by one principal benefit: a more informed and aware IT decision maker. 

Angst about which encryption standard, equipment vendor or cloud service can truly be trusted will be with us for some years yet, but at least the conversation now belongs to the whole community.

Tags:
Brett Winterford

One of Australia’s most experienced technology journalists, former iTnews Group Editor Brett Winterford has written about the business of technology for 15 years.

Awarded Business Journalist and Technology Journalist of the year at the 2004 ITjourno awards and Editor of the Year at the 2009 Publishers Australia 'Bell' awards, Winterford has extensive experience in both the business and technology press, writing for such publications as the Australian Financial Review and The Sydney Morning Herald.

As editor of iTnews Brett has led a team of award-winning journalists; delivered speeches at industry events; authored, commissioned and edited research papers, curated technology conferences [The iTnews Executive Summit and Australian Data Centre Strategy Summit and also shares the judging of the annual Benchmark Awards.

Brett's areas of specialty include enterprise software, cloud computing and IT services.

Read more from this blog: System II

Most Read Articles

Log In

Username:
Password:
|  Forgot your password?