As you read this, the United States will be waking up to the one-year anniversary of Edward Snowden’s first leaks on his country's surveillance programs to the world’s newspapers.
Over the coming weeks, Snowden will be reaching out to numerous nation-states in search of a new home, knowing his temporary asylum in Russia ends in August.
US authorities, meanwhile, are formulating a plea deal in the hope of convincing the dissident to return to the United States to face espionage charges.
We can anticipate that - regardless of the outcome - we’ll all be discussing Snowden’s contribution to the world over the coming weeks.
I am as uncomfortable with describing the whistleblower as a ‘hero’ as I am with those who brand him a ‘traitor’. I empathise with his motives and greatly admire his conviction (who else would trade a comfortable life for the last 12 months he has endured?).
And yet, simultaneously, I fear the precedent set if, in the future, it is to be considered a heroic act to leak millions of documents, even if only a fraction of them expose serious wrongdoing.
Whistleblowers, like journalists, should be judged on their ability to filter information.
Unfortunately for Snowden, the US legal system is unlikely to weigh the positive outcomes from his leaks against the harm Western intelligence services claim to have endured.
Beyond arguments over whether the NSA’s activities were legal or constitutional, after 12 months of leaks it is worth framing both the positives and negatives of Snowden’s actions from the perspective of our community, information technology professionals.
What we gained
A reality check on cloud services
- It is important that IT professionals understand the degree to which large US cloud providers such as Google and Microsoft have been co-opted - whether by financial (payments) or legal (threats) means - to hand over user data under the PRISM program.
Snowden’s leak revealed that PRISM gives intelligence analysts direct access to emails, chat logs, VoIP calls, video conferencing sessions, stored data, and the usernames and passwords for any of these services.
Without Snowden’s leak, IT professionals would not have known the full implications of storing sensitive data with a third party service provider, especially one located in the United States or owned by a US firm.
Lifting the gags
- While in several cases technology companies have made commercial gains from sharing data with intelligence services, Snowden’s leaks revealed the means by which US authorities are able to gag those service providers that wanted to speak out about surveillance overreach. We now know what it means to be subject to a National Security Letter.
In the wake of the leaks, the larger technology companies now feel there is enough public support to justify public lobbying of the US Government, demanding it narrow its surveillance scope and bring about greater accountability and transparency.
Those service providers that were concerned about the mass surveillance programs arguably only have a voice today because of Edward Snowden.
Informing the data sovereignty debate
- The Snowden leaks helped inform IT professionals in Australia of the extent to which Australia’s intelligence services cooperate with the NSA (as exposed by the Australian Signals Directorate’s use of the XKeyscore tool).
This revelation is very relevant to our own debate over data sovereignty. What sovereignty exists when Australian and US intelligence authorities contribute to and share the same large data sets?
A new threat actor
- Again, while long suspected, Snowden helped reveal that the NSA actively produces malware in its efforts to tap foreign enemies.
The NSA’s ANT catalogue boasted that operatives had developed exploits to hack into industry standard servers, switches, personal computers and smartphones.
The leaks do not confirm how widely this malware is distributed, but in any case they gave IT security professionals a reality check on whom to include in their ‘threat actor’ lists when attempting to secure their networks.
A more grounded view of cryptography
- Perhaps the most startling revelation for IT professionals was the existence of the NSA's BULLRUN decryption program, which has massively eroded trust in commonly used encryption standards.
The NSA has weakened encryption via several means - forcing the likes of Microsoft to hand over master keys to new products, paying the likes of RSA Security to include backdoored encryption technology in its products, or subverting encryption standards processes to ensure it can later build backdoors into products that use those building blocks.
At least two, possibly three, providers of encryption services (Silent Circle, Lavabit and possibly TrueCrypt) have shut down services owing to intimidation from intelligence services.
Today’s IT security manager consequently has a much more grounded view of both the benefits and the shortfalls of using encryption - and the process by which NIST standards are awarded is now subject to a long overdue review.
A reality check on equipment suppliers
- It was not entirely a secret that US-manufactured network and security devices were subject to US controls before being shipped offshore - but the purpose for which they are intercepted is much clearer now that IT professionals have seen photos showing NSA operatives planting beacons in Cisco switches marked for export to surveillance targets.
While this is not a mass surveillance program, it nonetheless raised concerns. US authorities routinely act on behalf of corporate interests. Can any IT professional working in a sensitive industry be sure a network device they have purchased is clean, without prising it open?
In any case, these revelations caused enough outrage to give US equipment vendors (in this case, Cisco Systems) just cause to lobby publicly for such operations to be reined in.
- The impact of Snowden’s revelations on trade with developing nations can’t be ignored. Tiger economies such as Brazil and China have reacted angrily, and have set policies in place to favour domestic computing products and services over those supplied by the US and its allies. We are starting to see the cost in the earnings calls of IBM and Cisco; others will follow. This creates a supply chain risk for many of Australia’s largest organisations.
Further, the contribution the leaks have made to rising tensions between China and the US puts Australian organisations in the precarious position of being wedged between our nation's largest trading partner and largest strategic defence partner.
- While it is crucial that IT professionals have the full information about the implications of hosting data in public cloud services or securing a network or data store with encryption, it is also true that many IT decision makers are likely to delay implementations of some of these technologies while they investigate the consequences.
On such occasions, whatever agility, cost efficiency or extra layer of security a CIO might have sought is postponed.
The financial cost of surveillance
- Edward Snowden helped to reveal the exorbitant cost of the NSA’s mass surveillance programs (some US$52 billion a year) - enough to concern US taxpayers as much as they might be concerned about invasions of privacy.
Undoubtedly, however, it has also revealed an uncomfortably detailed description of NSA tactics that can be used by legitimate enemies of the United States and United Kingdom to evade surveillance.
(As an aside, many of the exploits described in the leaked documents were old enough that it can safely be assumed newer ones have since been developed.)
In any case, the cost to Western intelligence services of developing new exploits to replace those now in the public domain will likely be borne by their citizens.
- The US Government argues that any information protected on grounds of "national security" has the potential to cost lives if leaked. There is little public evidence thus far that demonstrates Snowden's leaks have threatened lives, but US intelligence operatives might disagree.
While Edward Snowden’s leaks created costs to be borne by the IT community, they are outweighed in my mind by one principal benefit: a more informed and aware IT decision maker.
Angst about which encryption standard, equipment vendor or cloud service can truly be trusted will be with us for some years yet, but at least the conversation now belongs to the whole community.