Tuesday, June 18, 2013

A Quick Enumeration Of The PRISM Program

Enumeration of PRISM
As IT security consultants, former representatives at the GSMA, contributors to IETF's "Raven", and one-time employees of the world's largest ISP, we found the inevitable questions coming up in meetings and conversations shortly after the 8th June.

"...two reporters from the Guardian newspaper announced to the world the source of one of the most significant classified-document leaks in history. Edward Snowden, a 29-year-old national-security contractor from Hawaii, revealed that he was compelled by conscience to inform the world about a massive abuse of authority perpetrated by the US National Security Agency. According to the documents Snowden provided, which have been authenticated, the US government has been systematically collecting the phone records and online communications of millions of American citizens for years."

Clients, commentators, and friends all want answers to the same questions:
  1. What are the NSA doing, and how are they doing it?
  2. What does this mean for IT security?
  3. Where does this go next?

While we can expect this story to develop over many months as more information is dripped out, we can already go some way towards answering question (1). See the 360is enumeration of PRISM possibilities (PDF).

Where will the story go next? That this story will run and run is something of which we can be sure. It has elements of Manning/Wikileaks (an ethically conflicted individual with access to state secrets), of Leeson/Barings (a young man, on the run from authorities in a foreign land), and just enough direct relevance to UK readers through glimpses into the actions of our own GCHQ, who are normally more publicity shy than their US counterparts. The UK intelligence services have been relatively fortunate in recent years, suffering few leaks, disgruntled former employees, or clumsiness. This episode illustrates both the frequency and extent of intelligence sharing between the UK and US, and the fact that events such as the Snowden disclosures can affect both services, with unintended consequences that cannot easily be anticipated.

Timing is everything: the publication of these revelations may have some bearing on the future of the Draft Communications Data Bill, or "Snoopers' Charter" as it is commonly known. With well publicised recent convictions of a number of terrorist individuals and groups, significant good-will had been earned among the UK public. Any poor handling of the existing Snowden disclosures, and further leaks that are yet to come, may diminish this good-will and make introduction of such a bill more difficult in the future. Furthermore, the disclosure of GCHQ's activities around the 2009 G20 summit in London is bound to have an impact at the G8 event currently in progress in Northern Ireland.

Looking further out, companies and individuals in Europe may seek to engage with services and providers that do not come directly under US law. Apple, Microsoft, and Facebook (3 out of many providers) have stated that they handed over data from 10000, 32000, and 19000 accounts respectively in 7 months. US cloud providers are already having trouble persuading European enterprise customers that their sensitive (but completely legal) data is safe from US government spying. This leak will only make matters worse. As one journalist put it: "'Not subject to American law' - the next desirable IT feature?"

All that we need now is a catchy name for this episode. Dotcomgate? igate? How about "Cloudgate"?

360is will be presenting further analysis of "Cloudgate" and advice for UK organisations in the next edition of Executive Intelligence, our quarterly for UK CSOs and Information Security Managers.

Related Postings:
WikiLeak's Lessons For UK Information Security Professionals.

Update Saturday 8 June 2013 18.56 BST: Leaked NSA slides confirm that PRISM includes direct monitoring of fiber cables and collection directly from the servers of MS, Yahoo, Google, and Co.