It's a balancing act that's as old as democracy itself: Build systems for the greater good or protect individual rights? For today's information society, the push-pull is layered and complex largely because of big data, security technologist Bruce Schneier said during his recent talk at the Cambridge, Mass.-based Massachusetts Institute of Technology. His example? The National Security Agency (NSA) data collection mission.
To give a sense of the scale of the NSA's data collection operations, Schneier, the author of several books on computer security and cryptography, began his talk with a tiny sampling of NSA code names: Muscular, Bullrun, EvilOlive, FoxAcid, EgotisticalGiraffe, Highlands, Vagrant, Pinwale, Somberknave, Stormbrew.
"No one's done a code name database yet, but we've seen hundreds" of such names, said Schneier, a fellow at the Berkman Center for Internet and Society at Harvard Law School. "The main takeaway is that the NSA has turned the Internet into a giant surveillance platform. And this surveillance platform is robust: It's robust politically, it's robust legally, and it's robust technically."
'Metadata equals surveillance data'
One of the reasons the NSA has been able to turn the Internet into said surveillance platform is a principle CIOs are deeply familiar with: "This is just Moore's Law," Schneier said. Sure, NSA data collection may have taken root in the Cold War era and grown because of 9/11, but its life force, as Schneier put it, has everything to do with "the natural trends of IT."
Today, it's easier than ever before to collect, keep and search the bits and bytes of data generated by a digitized environment -- from Web log traffic to geolocation data. "Data storage drops to free, data processing drops to free, and it becomes easier to save everything than to figure out what to save," he said.
As the technology becomes more affordable, the consumerization of IT -- in the form of smartphones, tablets, laptops, GPS and wearable devices -- continues to grow. "The result is we're leaving digital footprints everywhere in our life," he said. Today, these digital footprints (created by our willingness to share personal data in exchange for online services) mark where someone has been and where someone is right now, and can suggest where someone might be headed. The government categorizes this kind of information as metadata, which doesn't necessarily reveal what that someone said but can reveal certain behaviors.
By bulk-collecting and analyzing cell phone metadata, the NSA, for example, can look for "secret meetings" (pairs of phones that are turned off as they come near each other and turned back on as they move away from each other) or "burner" phones (an anonymous phone used for a short period of time that's turned off as another is turned on in the same location), according to Schneier, and as explained by The Washington Post.
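To make concrete why metadata alone is so sensitive, here is a small added illustration (not code from the talk, from Schneier or from The Washington Post) that runs the two inferences just described over a handful of constructed phone records. The record format, the phone and tower identifiers and the five-minute window are all assumptions chosen for the example; the point is that nothing in the input is call content, yet the output already describes who was with whom and who replaced which phone.

```python
from itertools import combinations

# Constructed sample metadata, one tuple per record:
# (timestamp in minutes since midnight, phone id, cell tower id, "on" or "off").
# Every value is invented for this example; no real subscribers or towers.
EVENTS = [
    (600, "A", "T1", "off"),
    (602, "B", "T1", "off"),   # A and B go silent together at T1 ...
    (660, "A", "T1", "on"),
    (663, "B", "T1", "on"),    # ... and reappear together an hour later
    (700, "C", "T5", "off"),   # C goes silent at T5 and never returns ...
    (701, "D", "T5", "on"),    # ... while a never-seen phone D appears there
    (900, "E", "T9", "off"),
    (905, "F", "T2", "on"),    # different tower: should not be linked to E
]


def _by_event(events, kind):
    """Records of one kind ("on"/"off") as (timestamp, phone, tower)."""
    return [(ts, phone, tower) for ts, phone, tower, ev in events if ev == kind]


def find_paired_silences(events, window=5):
    """'Secret meeting' pattern: two phones switched off at the same tower
    within `window` minutes of each other, then switched back on at that
    tower within `window` minutes of each other.  Returns (phone, phone, tower)."""
    offs = _by_event(events, "off")
    ons = _by_event(events, "on")
    pairs = []
    for (t1, p1, tw1), (t2, p2, tw2) in combinations(offs, 2):
        if p1 == p2 or tw1 != tw2 or abs(t1 - t2) > window:
            continue
        after = max(t1, t2)
        on1 = [ts for ts, p, tw in ons if p == p1 and tw == tw1 and ts > after]
        on2 = [ts for ts, p, tw in ons if p == p2 and tw == tw1 and ts > after]
        if on1 and on2 and abs(min(on1) - min(on2)) <= window:
            pairs.append(tuple(sorted((p1, p2))) + (tw1,))
    return pairs


def find_burner_handoffs(events, window=5):
    """'Burner' pattern: a phone goes off at a tower and never comes back,
    and within `window` minutes a phone never seen before comes on at the
    same tower.  Returns (old phone, new phone, tower)."""
    first_seen = {}
    for ts, phone, _tower, _ev in sorted(events):
        first_seen.setdefault(phone, ts)
    ons = _by_event(events, "on")
    handoffs = []
    for t_off, old, tower in _by_event(events, "off"):
        if any(p == old and ts > t_off for ts, p, _ in ons):
            continue  # the old phone came back later, so not a handoff
        for t_on, new, tw in ons:
            if (new != old and tw == tower
                    and 0 <= t_on - t_off <= window
                    and first_seen[new] == t_on):
                handoffs.append((old, new, tower))
    return handoffs


if __name__ == "__main__":
    print("paired silences:", find_paired_silences(EVENTS))
    print("burner handoffs:", find_burner_handoffs(EVENTS))
```

Eight records with no content at all are enough to link A with B and to tie D to C; at the scale Schneier describes, with years of such records retained, the same two loops are the kind of query an analyst would run. That is the defender's takeaway: a data-retention and minimization policy has to treat event logs of this shape as sensitive, not as harmless "just metadata".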
Companies 'self-correct' in 'golden age of surveillance'
Sound familiar? It should. Businesses also are interested in gaining similar insight about their customers. They'd like to figure out ways to leverage location data and push offers to loyal or potentially loyal customers; they're tracking what websites users are visiting in the hopes of serving up a more personalized advertisement experience and increasing click-through rates. "Fundamentally, metadata equals surveillance data," he said.
In fact, Schneier calls our time the golden age of surveillance, and businesses are part of the zeitgeist. Several have provided portals and created partnerships (sometimes cooperatively and other times not) with the NSA. Businesses such as AT&T, Cisco and IBM are pointing to NSA data collection as a potential reason for a loss of sales, and it's causing corporations to "self-correct" and "lobby for openness," Schneier said. He pointed to the Yahoo and LinkedIn legal challenges as examples. "Reputation matters a lot here," he said.
So does technique. The NSA may be a political and legal problem but, as Schneier said, it's also a technical problem for companies. One of his big ah-hahs post-Edward Snowden breach was this: "Properly implemented strong cryptosystems are one of the few things you can rely on. And this is an important lesson: Cryptography works." The bad news? Endpoint security tends to be so poorly done that the NSA and cybercriminals can find ways around it. They're exploiting weak keys, sabotaging standards, taking advantage of unencrypted streams of traffic or Internet data -- even stealing.
Beefing up endpoint security will help protect against the unauthorized surveillance of private data, Schneier said, but it doesn't go far enough: Ubiquitous encryption, protocol redesign, better anonymity tools, cloud encryption and more open standards are there for the using. But they push against the golden ticket so many businesses are after: insights from big data. Boil NSA data collection down enough and, at the center of it, "this is fundamentally a problem about data," he said. "It's a problem that comes up again and again: How do we build systems that benefit the society as a whole while at the same time protecting the individual?"
That "is the fundamental issue of the information society," he said, "the one we will struggle with for decades." As businesses break down silos in the hopes of connecting data together from different systems and streams, figuring out the right balance between the greater good and individual rights will become more difficult -- and more crucial.
NSA code names
And now for a closer look at some of the NSA code names Schneier rattled off.
Muscular: NSA's program to collect Google and Yahoo user data by eavesdropping on trunk lines or telecommunications links between data centers.
Fairview, Blarney, Stormbrew, Oakstar: All part of NSA's program to collect Google and Yahoo user data by eavesdropping on the links between individual users and Web servers.
Prism: NSA's program to collect Google and Yahoo user data by asking the companies directly.
Somberknave: The NSA program designed to jump air gaps (the physical isolation of a computer or network from unsecured networks). The software sits on computers not connected to the Internet, turns the wireless on when no one is paying attention, sends data over it and turns it off again.
EvilOlive: The IP location database that monitors where everyone on the planet is -- if they have a cell phone.
Bullrun: The NSA program to deliberately subvert the security of products, protocols and standards that we all use.