Beware spooks bearing gifts

by Naomi Colvin

There’s much in yesterday’s batch of Snowden revelations that still needs to be explained fully – this blog post by Matthew Green offers the most useful analysis I’ve seen so far.

In the meantime, this paragraph from the New York Times’ version of the story (as tweeted by Trevor Timm) caught my eye:

Even agency programs ostensibly intended to guard American communications are sometimes used to weaken protections. The N.S.A.’s Commercial Solutions Center, for instance, invites the makers of encryption technologies to present their products to the agency with the goal of improving American cybersecurity. But a top-secret N.S.A. document suggests that the agency’s hacking division uses that same program to develop and “leverage sensitive, cooperative relationships with specific industry partners” to insert vulnerabilities into Internet security products.

This caught my eye because it reminded me that, just this summer, MI5 and GCHQ offered a “cyber-health check” to all FTSE 350 companies as a prelude to “an in-depth discussion with each company’s audit firm about areas in which a company may be particularly vulnerable.” In response to this announcement, John Colley, managing director of (ISC)², a membership body for information security professionals, questioned whether the methodology of the “health check” – asking company chairs, rather than technicians, to fill out a questionnaire – was likely to draw out a well-informed response:

Logically, infosecurity professionals are better placed to provide such information as they are dealing with security issues on a day-to-day basis, they have knowledge of the exact security measures in place within their organisation and insight into areas where more investment is needed as they closely monitor the evolving threat landscape, and so are more likely to provide the relevant and accurate data.

Colley went on to note that it was not clear whether audits were mandatory, and sounded a note of caution over what might happen to data the authorities obtained by going over the heads of security professionals:

It is also unclear as to what the GCHQ and MI5 will do with the information revealed by these cyber-audits. In this age of state sponsored cyber-attacks and PRISM, there are great sensitivities surrounding governments’ objectives for accessing data.

The “cyber-health check” is just one of a number of initiatives central government has recently launched in the area of cyber-crime, several of which are aimed at private companies. Some of this activity may be well intentioned, no doubt, but we also know from yesterday’s reports that GCHQ have a specific programme that focuses on compromising VPNs, the means by which many large companies enable employees to securely access their systems from outside the office:

By 2010, the Edgehill program, the British counterencryption effort, was unscrambling VPN traffic for 30 targets and had set a goal of an additional 300.

Ongoing revelations about Anglo-American attempts to undermine the fabric of online security make it difficult to assume good faith in this area. It is certainly notable that the initial approach of the “cyber-health check” is being made to senior corporate positions, rather than to those best placed to weigh up the potential risks of such an approach. Ultimately, if security of information is a selling point for any FTSE 350 company, it might be well advised to be wary of spooks bearing questionnaires and promises of audits.

Update (9/9)

This post started with a link to Matthew Green’s excellent discussion of the latest NSA revelations. Today it has emerged that the author has come under pressure to remove his post from the servers of his employer (Johns Hopkins University). The mirrored version of the post on university servers has in fact been removed. It is not clear from where the impetus for this move originated, but Green has said that “this isn’t my dean’s fault.”

While there is no reason to suspect that Matthew Green’s post will disappear from Blogger, it is sensible to take precautions. The first link in the previous paragraph will take you to an archived version of the post.

Update II (10/9)

The move from Johns Hopkins became a textbook example of the Streisand effect – and it does not look like direct external pressure was involved. Ars Technica provides a comprehensive account here.

Update III (24/9)

Australia’s Security Intelligence Organisation (ASIO) is taking a different approach (“Unlike the UK government’s cyber security evaluation centre, the ACSC’s offer to the private sector will not focus on vetting technology equipment”), inviting private business to co-locate within their new headquarters.

A senior analyst at the Australian Strategic Policy Institute, Dr Tobias Feakin, welcomed the move to integrate private firms into the new cyber operations centre, but said companies would have to be “willing to share data with government, otherwise momentum will be lost and they won’t keep their focus on such efforts”.