Reputable news organizations have been covering the NSA data gathering and spying stories for months.
For Financial Services, the short version is that we can have little confidence in the information security or privacy of cloud-based collaboration services or the standard commercial encryption products and services we use in the day-to-day operations.
Months ago it was revealed that the NSA's Prism program allows the agency to collect material hosted by Apple, Facebook, Google, and other participating US internet giants, including search history, the content of emails, file transfers and stored files, and chat sessions.
The U.S. intelligence-gathering operation is also accessing data from smart phones from all leading manufacturers. Spiegel reported on NSA documents it had seen that explicitly note the NSA can copy encrypted "private" information from Apple iPhones and iPads, BlackBerry devices, and mobile devices running the Android operating system. This is not simple access to contacts or browser history: the NSA documents said the agency has "access to at least 38 iPhone features."
UPI summarized a key issue: "tech firms and ISPs said they were coerced into handing over their master encryption keys or building in hidden methods, known as 'back doors,' to bypass normal computer, cryptosystem and algorithm authentication systems." Regardless of whether cooperation or intimidation was the path to this vendor access, the breaches appear to be factual, and we need to adapt our business practices to this new environment. Note the scope of what is described: a party holding a vendor's master key, or a vendor-installed back door, defeats the encryption regardless of how strong the algorithm is or how carefully we configure our own endpoints.
The NSA information gathering and decryption capabilities appear to have invalidated many of our standard claims about data security and privacy. Our VPNs, our secured email communications, high-speed mobile data communications, and virtually all the "plumbing" used to communicate and store data are now exposed to active NSA data gathering programs. Given the compliance obligations in our industry, continuing to sign SOX attestations that rest on those claims may present ethical and legal challenges for many. Some may also be in violation of contracts with customers, partners, and other banks that promise a level of confidentiality we can no longer demonstrate.
At a minimum, you should advise senior staff in all organizations who develop strategy and senior decision makers that their written interactions as they explore ideas and attempt to identify the edges of compliance and legality are likely to be stored in U.S. government databases in clear text into the foreseeable future.
The same is true for those involved in the sensitive tactical work of implementing strategy. Where there is any question about the edges of compliance and legality, the language used in those exchanges is likely to increase the probability of the communication showing up in government searches of this data.
Because of the way information about these capabilities is leaking out, it is unclear how the collected information is shared, who is authorized to access it, and who is in practice able to gain access for 'discovery' activities. The governance of that access control is also unclear, as is how access policies and decision-making practices might evolve over time.
In that context, consider the operations of a normal global financial services corporation. It is commonplace to write the names of countries, cities, companies, and individuals located across the globe, many of which would likely match U.S. government filtering criteria. Once tagged for additional analysis, that once-private information is exposed to kinds and means of examination that are still being revealed. For some categories of communications, accepting those odds is an elevated-risk gamble.
Much of the reporting on this topic has been delivered by The New York Times, the Guardian and ProPublica, based on documents obtained by the Guardian.
For the Guardian: James Ball, Julian Borger, Glenn Greenwald
For the New York Times: Nicole Perlroth, Scott Shane
For ProPublica: Jeff Larson
ProPublica: "Revealed: The NSA's Secret Campaign to Crack, Undermine Internet Security." Sept. 5, 2013
The New York Times: "N.S.A. Able to Foil Basic Safeguards of Privacy on Web." Sept. 5, 2013
The Guardian: "Revealed: how US and UK spy agencies defeat internet privacy and security." Sept. 5, 2013
Spiegel: "Privacy Scandal: NSA Can Spy on Smart Phone Data." Sept. 7, 2013
UPI: "Documents show NSA can crack most Web privacy encryption." Sept. 6, 2013
The Guardian: "NSA Prism program taps in to user data of Apple, Google and others." June 6, 2013