It should be clear to everyone by now that our cyber society is in a deep crisis. Most of the systems we have learned to use and love require that we trust the infrastructure. That trust has been compromised badly for years. And we learn this at a time when the Internet is becoming a more and more integral part of our daily life. At a time when trust in the system is more important than ever before. I’m naturally talking about the US spying scandal. If you feel that you need a summary of the situation, I recommend @Mikko Hyppönen’s excellent TEDx talk.
But what will happen next? Will the new awareness change anything and in what direction will the world move? I can see a couple of possible scenarios. Or are they all plausible? Let’s see which of them are possible and which aren’t.
The easiest way would be to just accept the current situation. Some people think privacy is dead and are ready to do that. But that still does not save the world. Imagine you are building a house. When you are halfway done, you learn that the contractor has cheated you and left out the reinforcing bars from the concrete foundation. It doesn’t stop you from continuing the project, but that would hurt you later when the house collapses. This is pretty much the state of the Internet today. We have learned that the foundation of trust that we are building upon is severely flawed. That foundation is needed even if you are willing to accept a personal loss of privacy. A global world economy can’t work if one of the players is controlling the infrastructure, and utilizing it selfishly to gain benefit over others. Not to mention what impact lack of privacy has on democracy, journalism and other building blocks of a free society.
As pressure mounts on the White House, US top leaders will eventually be forced to launch investigations and take a critical look at the situation. The first signs of this are already visible. But trust in US officials has already been hurt badly and we can’t know how seriously these investigations are to be taken. The worst possible scenario would be a successful smoke screen investigation that gets massive publicity, fires a couple of scapegoats and calms down the public. The president could come out as a hero and still get his daily reports on who Merkel has been talking to. This is the likely strategy if the US top leaders want to maintain their strong surveillance benefit. Whether the public buys it remains to be seen.
Obama promised to shut down Guantanamo, but failed. This is a similar challenge but several orders of magnitude bigger. I don’t expect him to do any better in this case.
The US president and other top leaders are no doubt in a key position if the US wants to solve the problem itself. But a solution requires leaders with high morals and a true will to restore trust. This could only happen if the clean-up becomes a major election theme and a majority of the US voters really want change. We are far from that today, but the idea is perhaps not totally unrealistic.
A key here is what future revelations Snowden has in his pipeline, and if other whistleblowers will join him. A big part of the scandal has revolved around US spying on foreigners, and that does not move US voters. There is, however, also a lot of proof showing that the NSA has been lying about domestic activities. It’s also clear that many of the signals intelligence efforts really can’t distinguish between US citizens and others. More focus on this aspect may change the political climate.
We read news daily about leaders in other countries being upset about intelligence activities targeting them or their country. A part of this is no doubt honest anger, part is theatre for the people.
All state leaders are in the same boat. They are users of intelligence data and run their own agencies, small or big. The NSA has got tons of data that others are highly interested in too, and the US can buy their silence by sharing small pieces of it and cooperating with their own agencies. How successful this is depends totally on the other leaders’ morals. The world is also a complex economic machine where problems in relations can have directly measurable impact on trade. This makes it even harder to prioritize ethical and privacy values. Don’t expect much progress on this front.
Encrypt your traffic and laugh at the NSA. This is often repeated in nerdy circles, but will not solve the real problem. Privacy-savvy individuals can use encryption to protect themselves, and it’s a daily routine for many. But lack of awareness and technical skills still prevents this from becoming the norm for the masses. Encryption schemes that are embedded in standards or enforced by service providers are more successful. The SSL/TLS standard that encrypts web traffic is a good example.
But encryption can never eliminate the need for trust completely. Simple services, like e-mail, can easily use end-to-end encryption, which makes it impossible for the service provider to spy on you. Social media is another cup of tea. It would for example be impossible to make a Facebook where all data is kept encrypted on the server so that Facebook or the authorities can’t paw through it. It might be possible technically, but in conflict with Facebook’s business model. So encryption will not eliminate the need for trust in our service providers and the nation where they operate, even if it plays an important role when protecting the truly valuable data. Not to mention the positive side effect that increased use of encryption makes mass surveillance more expensive and less profitable.
A negative side effect is that a fully encrypted Internet would also protect the real bad guys. There are forms of surveillance that really benefit us all, and we lose that too if total encryption were our protection against overblown surveillance.
One of the root causes of this problem is our dependency on US cloud services. Google, Facebook, Apple, Microsoft, all American companies. The lack of privacy in US services wouldn’t be such a big problem if there were serious alternatives available in other countries. @Mikko came to this conclusion pretty soon after Snowden’s first disclosures: Europe needs its own dot-com industry. This would not only benefit people outside the US, also Americans would have better privacy on services overseas.
The US dominance in this area is massive and we certainly have a long way to go. But this approach is probably still the most plausible solution to the problem. To use an old cliche, it may be our last, best hope. Have you by the way checked out younited yet? It’s F-Secure’s contribution to a European cloud infrastructure.