Has The NSA Destroyed Our Trust Of The Cloud?
Why the government's activities are inflicting a massive blow on US computer businesses.
“It’s an ill bird,” runs the adage, “that fouls its own nest.” Cue the US National Security Agency (NSA), which, we now know, has been busily doing this for quite a while. As the Edward Snowden revelations tumbled out, the scale of the fouling slowly began to dawn on us.
Outside of the United States, for example, people suddenly began to have doubts about the wisdom of entrusting their confidential data to cloud services operated by American companies on American soil. As Neelie Kroes, European Commission vice president responsible for digital affairs, put it in a speech on 4 July: “If businesses or governments think they might be spied on, they will have less reason to trust the cloud and it will be cloud providers who ultimately miss out. Why would you pay someone else to hold your commercial or other secrets, if you suspect or know they are being shared against your wishes? Front or back door – it doesn’t matter – any smart person doesn’t want the information shared at all. Customers will act rationally and providers will miss out on a great opportunity.”
Which providers? Why, the big US internet companies that have hitherto dominated the market for cloud services – a market set to double in size to $200bn (£126bn) over the next three years. So the first own goal scored by the NSA was to undermine an industry that many people had regarded as the next big thing in corporate computing.
The second own goal (or unintended consequence, to give it its technical name) came from the revelation that the NSA had cracked or circumvented the encryption systems used by internet companies, banks and other organisations to persuade consumers that online transactions could be confidential and secure. Given that one of the great triumphs of the industry had been to persuade initially sceptical users that it was safe to conduct transactions online, this was a staggering revelation, the implications of which will be very far-reaching. And it brought to mind a conversation I had last year with a fairly senior executive of a major internet company, who casually mentioned that his organisation’s head of security “wouldn’t dream of using online banking”. I thought it was amusing at the time and filed it away as a curiosity: geeks, after all, are notoriously paranoid about these things. Now I wish I had been more perceptive.
But, in a way, even more disturbing was the realisation that the NSA seems to have covertly suborned the process by which encryption standards are set by the supposedly independent US National Institute of Standards and Technology (NIST). In 2006, NIST published the standard (ie technical protocol) for encryption on the web that was subsequently adopted by the International Organisation for Standardisation (ISO), which has 163 countries as members. What nobody knew until Edward Snowden revealed it was that the 2006 standard was effectively written by the NSA and that it had inserted a secret back door into the encryption system for its own use. “The road to developing this standard was smooth once the journey began,” an NSA memo noted. “However, beginning the journey was a challenge in finesse.”
I’ll bet it was. Technical standards are to networking as oxygen is to life. And, broadly speaking, the way they are shaped has always been co-operative and open. In the internet world, for example, it’s done by groups of engineers with specialist expertise in a particular area who gather to hammer out, by a process of open discussion, successive versions of a protocol until they converge on something that is agreed to be workable. “We believe,” one of the pioneers of the process wrote, “in rough consensus and running code.” But at the heart of the process is the assumption that everyone participating – whether from companies or academia – is working in the public interest rather than trying to advance the narrower interests of their organisation.
That’s why the discovery that the NSA abused that kind of trust is so depressing. And, in a way, it represents the biggest own goal of all, because it fatally undermines one of the fundamental tenets of US foreign policy, namely that governance of the internet is best left in American hands. As the net became increasingly global, this was already looking like a threadbare proposition. The NSA has ensured that it is now untenable.
Which brings us back to birds and their nests. I forgot to mention that of course the official seal of the US president is… an eagle.