Following Latest NSA Leaks Will Anyone Now Trust the Security Industry?
Following the latest revelations from documents leaked by Edward Snowden we ask security experts what this means for their industry.
The latest revelations from Edward Snowden's cache of highly sensitive documents has revealed that the National Security Agency (NSA) in the US and the Government Communications Headquarters (GCHQ) in the UK are able to break through the encryption technology used to protect internet users' emails, online banking, or medical details from being hacked and access reams of private information.
It was also revealed that the NSA's covert programs was designed to "insert vulnerabilities into commercial encryption systems" as well as introducing weaknesses into security standards issued by the US National Institute of Standards and Technology approved for worldwide use in 2006.
This means that the NSA has been able "to leverage sensitive, co-operative relationships with specific industry partners" to insert vulnerabilities into certain security products.
"Cryptography forms the basis for trust online, by deliberately undermining online security in a shortsighted effort to eavesdrop, the NSA is undermining the very fabric of the internet," renowned security expert Bruce Schneier said.
The fallout from earlier revelations has already been said to adversely affect the US cloud storage industry, so could the latest leaks have a similar effect on the security industry.
Are the latest revelations a surprise for the security industry?
It seems that no one within the security industry is remotely surprised by the scope and ability of intelligence agencies around the world to monitor and access the vast amounts of 'encrypted' traffic on networks.
Sean Sullivan, security advisor with Finnish security company F-Secure is certainly not surprised at the latest revelations
"Surprised? No, not really," he says, adding that "breaking encryption is the NSA's job." He does add though that this would not have been the same for everyone:
"I suppose it must have been quite surprising for non-technical folks the first time plain old telephone wiretapping made the news."
Rik Ferguson, vice president security research at Trend Micro says there has been a lot of security and cryptography circles for years and he is "definitely not" surprised that the "NSA has invested large sums and significant numbers of employees in minting a cryptographic advantage."
What does it mean for the security industry?
"These latest revelations from the apparently bottomless briefcase of Mr. Snowden may serve to undermine public confidence in the technology provided by some security companies, particularly those with significant US-based operations," Ferguson says.
However he points out that when looked at in the light of previous leaks, its seems like the all-pervasive nature of NSA monitoring may not be as widespread as we have been lead to believe:
"If the NSA had the ability to decrypt, for example SSL encrypted traffic, at will and instantaneously, then there would be no need for the previously revealed PRISM program. In the majority of cases, access to end-point systems seems still to be required, to access data either before or after the encryption/decryption process."
Sullivan says that the latest revelations will only impact certain parts of the security industry, but for his company, it is business as usual:
"As an antivirus company, our Internet Security is designed to protect computers (and thus people) from criminal schemes. So for us, it means that we continue to do our job."
Ferguson adds that it is likely these revelations "will spur new advances in the practical application of symmetric cryptography and possibly a wider adoption of open-source frameworks in encryption technologies" - with the "scrutiny of the crowd" enough to ensure the underlying code is not tampered with.
Is it possible to stay secure online?
Ferguson echoes Snowden himself by saying "encryption works" but adds worryingly "for now." He believes the real problem is that "the vast majority of internet users, and unfortunately a large part of commercial enterprise have still not made encryption technologies a mature part of their security portfolio."
For Sullivan, how the majority of users stay secure online hasn't changed: "For the typical user - the same advice [today] applies as it did yesterday."
However he warns those involved in nefarious activities should be looking over their shoulder. He refers to a case last year when US prosecutors secured a $1.92 billion settlement with HSBC for laundering money for Mexican drug cartels.
"For the Mexican drug cartels, they should now perhaps ask themselves just how it was that the Feds where able to make a case against HSBC, and then they should be worried about their money being tracked down and seized by law enforcement."
© Copyright IBTimes 2024. All rights reserved.