LAS VEGAS, NV — Throughout the last week of July and the first week of August (encompassing Black Hat, B-Sides, IOActive and the “mother of all security conventions,” DEFCON) there were easily thousands of discussions and presentations on security.
More than 15,000 IT security practitioners shared their thoughts on the complex, challenging and ever-evolving digital world. As a security professional and former intelligence analyst, I found that these security conferences only confirmed that our digital world is fragile, wounded and in need of – if you talk to the American Civil Liberties Union (ACLU) or Electronic Frontier Foundation (EFF) – an ethical reboot.
The U.S. Government has been diligent in trying to maintain the narrative that “surveillance is necessary for the security of the state.” In its estimation, this may in fact be the case, but many in the groups I talked with have difficulty embracing this notion.
Take Edward Snowden as an example. Whether hailed as a hero or reviled as a villain, his controversial revelations about PRISM shook the very foundations of the Internet. The complicity of telecommunication companies, Internet Service Providers, Google, Facebook and Twitter has weighed heavily on the psyche of those who maintain, implement and fix the Internet. Defending your network against malware and exploits has come to include discussions around confidentiality. The ACLU was quick to identify that the NSA’s unfettered surveillance activity may violate the judicial privilege of the attorney-client relationship, one of the most important foundations of the American criminal justice system.
Controversy at DEFCON
This year Jeff Moss, the founder of Black Hat and DEFCON, asked the Federal government to remove itself from the conference.
The feeling of betrayal by the Federal government was evident from regular sarcastic remarks during the event and, more specifically, in the words of one presenter at DEFCON,
“I owe an apology to every crazy person I’ve ever met who was obsessed with the idea the government was listening to them and recording their every online activity.”
The “crazy” people were right; the U.S. Government was doing it – although perhaps the tinfoil hat was overkill.
Jeff Moss’ request for the Federal Government to remove itself from the conference was deeply controversial in the infosec community – especially considering that he and his DEFCON staff have deep ties to the U.S. Government.
The hopes of many of the 15,000 attendees that the Snowden event may trigger an awakening of consciousness at a high level of government and industry may not be realized. Many DEFCON coordinators claimed “excluding the ‘official’ U.S. Government attendance at DEFCON has prevented the public shaming of individuals who traded ethics for paychecks. Grassroots movements are not going to start if those responsible are asked not to appear to face the consequences of their actions.”
Personally, I believe that the shaming will be done in a different and more personal forum.
Snowden’s revelations & consequences for US
Snowden’s revelations, whether courageous or reckless (depending on your view), will have far-reaching consequences for the U.S. Although they confirm what most people suspected was happening, the secrecy and complicity of the Public-Private Partnership (P3) is perhaps the most troubling. The customer privacy policy of every major provider of service on the Internet is now called into question.
Interestingly, there is a whispered conspiracy theory that Snowden’s revelations were actually helpful to the U.S. in a geopolitical sense. The cyber-relationship between China and the U.S., the two largest economies in the world, is strained. The U.S. regularly accuses China of cyber espionage and uses China’s internet censorship as a constant barb in any official discussion or sound bite.
Snowden’s revelations have effectively leveled the playing field, allowing the dialogue between the two nations to move beyond a game of cyber-pokey-chest and discuss items of trade – ultimately a far more important (and potentially lucrative) dialogue. We will never know if Snowden’s revelations were orchestrated or not. One thing’s for sure: they had the effect of ending the cyber-relationship contest over which country is “more guilty” of trespassing on its citizens’ privacy and civil rights. When all are shown to be equally guilty, there is equality.
Where to from here?
Since the nature of hackers is to look at ways to fix broken things, there were many suggestions provided: stop the outsourcing of ethical accountability to contractors, increase the visibility of the activities of intelligence operators and increase the discussion of ethics within the security community. These mirror the long-standing mantras of “just because it can be technically accomplished, does not necessarily mean it should be done,” and “when duty, ethics and responsibility are replaced with financial opportunity, the truth becomes a commodity.”
Although only time will tell if Snowden’s documents revealing the web of secrecy and surveillance complicity of private companies will enable change, it is feared that change will only come if the U.S. Internet economy is seriously impacted. Overseas companies may choose to remove themselves from key U.S. service providers and isolate themselves from the U.S. surveillance infrastructure.
Ian Trump is a Cyber Threat Intelligence Analyst for Paradigm Consulting Group with 15 years of experience in IT security and information technology. With a diverse intelligence background from the Canadian Forces and RCMP, Ian’s security skills have helped secure global companies from cyber-attacks. His many projects include being the lead architect on the Canadian Cyber Defence Challenge and serving as a board member and Treasurer for Canada’s largest hacker space.