From the December 2013 print issue of Professional Security magazine.
The Edward Snowden affair – the American computer analyst who went to the press (and now Moscow) with US surveillance details – has touched high politics; for instance it’s claimed that US allies such as the German chancellor Angela Merkel have had their phones tapped. What though of private business? In diplomacy as in business, having your conversations spied on can do your side harm – and benefit someone else.
At the International Chamber of Commerce (ICC), the Counterfeiting Intelligence Bureau (CIB) notes that part of the Snowden leaks was that any encrypted data the NSA (National Security Agency) finds is captured and stored indefinitely until technology has advanced enough to decrypt this data. Given developments in quantum computing the prospect of all this data being decrypted may not be far off, the CIB adds. Companies who value their intellectual property may think that everything they have ever securely emailed is sitting somewhere on the NSA servers waiting for a time it can be decrypted.
Economic well-being
ICC CIB Assistant Director Max Vetter says: “One argument in favour of this kind of data collection is that the US and UK governments are only looking to stop terrorists and organised criminals, not spy on innocent people and companies. However, one of the clauses used for this data collection includes ‘economic well-being’, an arbitrary catch-all clause could mean anything at all. Could this mean the ‘economic well-being’ of a US based company, and therefore the US, over that of a Chinese or British one? This could blur the line between data collection for “economic well-being” and simple corporate espionage.” Another question the CIB has raised; who can we trust with this data? In the US there are reportedly 4.9 million people who hold a security clearance, and 1.4 million of them hold ‘top-secret’ clearance. Vetter added: “The US knows to its chagrin (with Bradley Manning and Edward Snowden) that not all of these people can be trusted to keep this data secret. It is not too difficult to imagine that some of these people have less moral and more financial interests in this data, and secret data breaches are far easier to hide if they do occur.”
An insider compromise
Another concern: the relations between the US defence industry and private sector clients with a revolving door of work between the two. And as for those insiders bringing out sensitive information from the NSA (or blowing the whistle, whatever you want to call it), the NSA has said that in the year 2012-3 it planned to initiate 4,000 re-investigations on civilian employees to reduce the ‘potential’ of an insider compromise of sensitive information and missions. The NSA said that its periodic re-investigations are one due-diligence component of what the agency terms its ‘multifaceted insider threat program’. Not that misuse of SIGINT (signals intelligence) is necessarily of the Wikileaks level; the NSA has admitted cases of its civilian staff abroad checking the phone numbers of their foreign boy- or girlfriends.
MI5 speech
Director General of the Security Service, Andrew Parker, spoke in October to the Royal United Services Institute (RUSI). When he joined MI5, communication was by telephone or by letter. Where there were grounds to do so, MI5 could covertly intercept either under legal warrant. Now, as he added, there’s e-mail, IP telephony, in-game communication, social networking, chat rooms, anonymising services, and mobile apps; good for all of us, but including the terrorist; and many are encrypted. MI5 will still need the ability to read or listen to terrorists’ communications, to have any prospect of knowing their intentions and stopping them, Parker said. As he put it: “We would all like to live in a world where there were no good reasons for covert investigation of people. But as events continue to prove, that is not the world we are in.”
RUSI comment
Charlie Edwards, Senior Research Fellow/Director National Security and Resilience at think tank RUSI said that Parker rightly suggested that the leaks from Edward Snowden gave terrorists ‘the gift to evade us and strike at will’. Nevertheless, according to Edwards, the revelations should now be an opportunity. Edwards said: “We live in a surveillance society where everyone is assumed innocent until proven guilty. We might be sceptical of that principle now that we know GCHQ is able to access large amounts of global internet data. But we needn’t be. The data mining programmes, revealed by Edward Snowden, are a response to the fundamental challenge facing the intelligence agencies: how to do their crucial work in an era of big data. As data has become more abundant (more than five billion people are calling, texting, tweeting and browsing websites on mobile phones) so agencies have had to find new ways of handling vast troves of data and metadata. What the agencies need is information about information. In this data-rich world it has become near impossible to find a needle in a haystack – today it is about finding the relevant haystack in a thousand fields.” p
Not in front of the Cabinet
Raili Maripuu, MD of counter-surveillance company WhiteRock, admits that as people are practically married to their tablets and mobile phones, particularly in business, banning and taking away mobile devices is a tough decision to make. He comments on the reported demand by British intelligence that tablet computers, such as iPads, be removed from the Cabinet room before Prime Minister David Cameron (pictured) and Cabinet meets. Maripuu says: “Whilst we have been advocates of ‘mobile-free zones’ for many years, we also accept that due to commercial reasons such policy does not work in most organisations. Instead, savvy businesses control and manage the use of mobile devices, especially at their most sensitive meetings. The action by the British Government illustrates a knee-jerk reaction to the problem and highlights that at government level there is no strategy on how to manage the mobile devices against unauthorised surveillance.”
Internet intelligence
The ICC Commercial Crime Services runs a bi-annual ‘internet intelligence’ course. This covers how to find better information online in less time, at less cost; and deals with encryption and meta-data techniques. Visit www.icc-ccs.org/IIcourse.
