APT & Targeted Attacks
US surveillance impacta encrypted email, cloud
Fallout from revelations about the NSA's Internet surveillance programs has particularly impacted providers of encrypted email and cloud computing in the U.S.
Fallout from revelations about the National Security Agency's Internet surveillance programs has particularly impacted providers of encrypted email and cloud computing in the U.S., prompting their leadership teams and security analysts to question whether these services will ever regain even the appearance of diligently protecting their customers' data. Under the specter of PRISM and security law, email and cloud companies are frequently asked to supply the U.S. government with sensitive information stored on their servers. Rather than grant these requests, at least two secure email providers have opted to cease all operations, despite years of custom development focused on locking down the notoriously porous email protocol.
In its attempts to uncover the details of potential terrorist plots, the NSA has pursued proactive general tactics such as procurement of SSL keys, yet its specific focus on encrypted email services may be related to their role in facilitating the original leaks about its oversight initiatives. The advanced methodology employed by since-closed providers Lavabit and Silent Circle may have offered a technical respite from most governmental snooping, but political and legal pressures have made it publicly infeasible. Similarly, the sophisticated security practices of U.S. cloud providers may be useless in the face of NSA surveillance, potentially leading to billions in industry losses and a reduction in global competitiveness.
Shutting down preferable to complying with NSA requests
Lavabit, a Texas-based provider of encrypted email, was originally marketed as an alternative to consumer email services that automatically scan messages for keywords that are then used to deliver targeted advertising. After 2004, it became increasingly complex and it finally reached a mass audience when it was revealed as the service of choice for an NSA whistleblower, according to Forbes' Kashmir Hill.
Under heightened scrutiny from the NSA, Lavabit opted to close down, its proprietors arguing that compliance with any investigation would represent a violation of the spirit if not the letter of the U.S. Constitution.
"I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit," wrote Lavabit creator Ladar Levison. "After significant soul searching, I have decided to suspend operations." Levison also implied that, as per the National Security Letter that Lavabit received, he could not discuss his individual experience with the information request, despite his own perception of a right to do so under the First Amendment.
ISP entrepreneur Nick Merrill faced a similar situation nearly a decade ago when the FBI requested information about a client. Speaking to Hill, he argued that the current pace and depth of data requests is both inefficient security practice and damaging to privacy.
"It would be one thing if dragnet surveillance was in compliance with the Fourth Amendment and bedrock American values, and it would be another thing if it was proven to keep us safer," wrote Merrill. "But unfortunately, neither of those is true."
Underscoring the gravity of the NSA's efforts, email provider Silent Circle quickly became the next domino to fall, despite enormous recent revenue growth as a result of heightened enterprise fears of government surveillance.
Writing for TechCrunch, Josh Constine stated that until recently the company had ambitious plans for its Silent suite of privacy-first security services, which included the encrypted email solution Silent Email. Revenue grew fourfold from June to July after PRISM became public knowledge, but rapid growth was not a panacea for the organization in the face of government requests and the fundamental, structural shortcomings of email.
Silent Circle's executives highlighted email's reliance on Web protocols whose standardization and age have made them less conducive to security measures compared to latter-day messaging solutions. It may be impossible to completely secure email protocols like IMAP and POP3 against metadata leakage, which by itself can supply agencies with invaluable information about the geographic location of a device or message sender/recipient.
Ultimately, Silent Circle CEO Michael Lanke closed up shop after seeing "the writing [on] the wall," seemingly referring to data requests.
"We wanted to be proactive because we knew [the U.S. government] would come after us due to the sheer amount of people who use us - let alone the highly targeted high profile people," said Janke about the scope of turnover demands, later adding, "They are completely secure and clean on Silent Phone, Silent Text and Silent Eyes, but email is broken because government can force us to turn over what we have" to emphasize the protocol's central weakness.
Email may be fundamentally resistant to security
Email and the ubiquitous Simple Mail Transfer Protocol were designed decades ago as means of facilitating communication across a wide spectrum of networks and service providers. Because of its necessary concessions to interoperability and remote storage, email may be resistant to comprehensive security.
Security expert Joel Hruska argued that these intrinsic flaws, coupled with the hassle of appending appropriate encryption keys to messages sent over a consumer email service, made email a no-go for secure communication.
"[M]ost of the methods used to make email more secure make it less useful," wrote Hruska. "If you're going to communicate with someone, and you need it to be really, really secure, email is probably the wrong way to go."
Cloud industry stands to lose billions as a result of government surveillance
While it has not witnessed the high-profile shutdowns of the secure email industry, the U.S. cloud sector has also struggled to adjust to heightened awareness of data surveillance, and it may soon face stiffer competition from providers in Europe and other parts of the world.
ZDNet's Zack Whittaker cited a report from the Information Technology and Innovation Foundation that estimated that in a worst case scenario, U.S. providers could lose 20 percent of their foreign customers to competitors in other countries, resulting in $35 billion in losses by 2016.
These figures appear to bear out sentiments expressed in a Cloud Security Alliance survey from last June, which found that more than half of organizations outside the U.S. would not use an American cloud in the future.