PRISM has brought the issue of cyber spying to the fore and the furore surrounding it continues…
Over recent years, cyber attacks, cyber terrorism and cyber espionage have become more prevalent in the public consciousness. Many governments have helped drive the issue of cyber security up the corporate agenda and brought attention to a phenomenon which is costing economies an astronomical amount each year. As if to make certain that consumers and businesses alike paid attention to online security, Edward Snowden then leaked details of PRISM in early June.
A conspiracy theorist’s dream, PRISM was the U.S. National Security Agency’s project giving it access to the server contents of US internet giants – which is pretty much all internet giants. All data which flows through these servers is now viewable by the US Government. Moreover, the Government now readily admits that it conducts surveillance on non-US citizens. It is irrelevant whether the people using these giants are outside the US – if their data flows through those servers, then PRISM can spy on them.
The global sense of outrage at PRISM has seen government complaints, as well as governments being implicated (stand up, GCHQ). However, few can say that it comes as a total surprise. In the UK for example, ISPs are required to hold all data for a year, in case it is required by police forces or government agencies. The advent of Big Data has meant that the colossal amount of information passing through these servers can now be analysed.
So what can businesses do to combat PRISM? The most obvious first step is to stop using online services which route traffic through the US. Equally, if the servers are based in a non-US country, know what the local laws of that region are. Some countries are inherently more protective of privacy than others. However, this would mean putting out an edict to the company stating that no one is to use Google’s many services, Microsoft’s Internet Explorer or Facebook.
The biggest issue with using alternative services is that the rest of the world has simply failed to compete with the trailblazing American tech companies. We should be doing better here. In order to circumvent PRISM, we need an equivalent tech industry in Europe which will compete on features and functions, and offer the privacy which is lacking over in the US. PRISM is likely to be the impetus which sees the tide turning.
In the short-term though, businesses should be realistic about the information they own. Would the US Government really be interested? Probably not. Would competitors? Almost certainly. Would cyber criminals? Definitely. And this is where the real danger lies. Cyber espionage will cause more problems for the average business than PRISM ever could.
Startups often fall foul of security breaches because they look to save costs by using free services. Not only do most of these services pass through US servers, but they are also not as secure as the corporate world requires. Using Dropbox to share files or Gmail for corporate email may seem like simple, safe solutions, but they are free for a reason – they will use your information in return. In addition, European companies’ data must be held within the EU to comply with data protection laws. European companies using Dropbox break these laws, opening themselves up to heavy fines, as well as snooping.
Companies can deploy systems like VPN services and internal clouds to cut back on the amount of potential surveillance. However, these deployments are worthless if the network and devices being used are susceptible to attack.
There is commercial spyware legally available for the purposes of committing cyber espionage. These tools can intercept emails, SMS messages, voicemails – everything that could give another company a competitive advantage. The legality of these tools is deeply questionable, but there they are for sale.
Bring-Your-Own-Device (BYOD) is a concept which is clearly growing in popularity. The issue comes when companies adopt it not because employees want to use their own device for ease and convenience, but because businesses don’t want to pay for dedicated devices. Often, this frugal mentality carries over to the security which is deployed on the device as well. One unsecured device on the corporate network is an entry point for cyber criminals. This is aside from the risks posed by disgruntled (ex-)employees with access to company data and communications channels.
Edward Snowden has certainly done the world a favour by bringing PRISM to public attention. European businesses especially now need to take this warning and look at their security strategy in the short and long term. They need to plug the exploitable gaps in their networks immediately, but also consider the services they are using and whether they are comfortable using US-based internet services that can be snooped upon.
F-Secure invites our fellows to share their expertise and insights. For more posts by Fennel, click…
April 18, 2018