NSA Data Gathering Hits Financial Services Privacy & Security Promises

Reputable news organizations have been covering the NSA data gathering and spying stories for months.

For Financial Services, the short version is that we can have little confidence in the information security or privacy of cloud-based collaboration services or of the standard commercial encryption products and services we use in day-to-day operations.

Months ago it was revealed that NSA’s Prism program allows participants to collect material hosted by Apple, Facebook, Google, and other US internet giants, including search history, the content of emails, file transfer/storage, and chat sessions.

The U.S. intelligence-gathering operation is also accessing data from smartphones from all leading manufacturers. Spiegel reported on NSA documents it has seen that explicitly note the NSA can copy encrypted “private” information from Apple iPhones & iPads, BlackBerry devices, and mobile devices running the Android operating system. This is not simple access to contacts or browser history. The NSA documents said they have “access to at least 38 iPhone features.”

UPI summarized a key issue: “tech firms and ISPs said they were coerced into handing over their master encryption keys or building in hidden methods, known as ‘back doors,’ to bypass normal computer, cryptosystem and algorithm authentication systems.” Regardless of whether cooperation or intimidation was the path to this vendor access, the breaches appear to be factual, and we need to adapt our business practices to this new environment.

The NSA information gathering and decryption capabilities appear to have invalidated many of our standard claims about data security and privacy. Our VPNs, our secured email communications, our high-speed mobile data communications, and virtually all the “plumbing” used to communicate and store data are now exposed to active NSA data gathering programs. Given the compliance obligations in our industry, continuing to sign SOX attestations may present ethical and legal challenges for many. Some may also be in violation of contracts with customers, partners, and other banks.

At a minimum, you should advise senior staff in all organizations who develop strategy and senior decision makers that their written interactions as they explore ideas and attempt to identify the edges of compliance and legality are likely to be stored in U.S. government databases in clear text into the foreseeable future.

The same is true for those involved in the sensitive tactical work of implementing strategy. Any discussion that touches on the edges of compliance and legality likely increases the probability of that material showing up in government searches of this data.

Because of the way information about these capabilities is leaking out, it is unclear how the collected information is shared, and who is authorized and who is able to gain access to it for ‘discovery’ activities. The governance of that access control is also unclear, as is how access policies and decision-making practices might evolve over time.

In that context, consider the operations of a normal global financial services corporation. It is commonplace to write the names of countries, cities, companies, and individuals located across the globe, many of which would likely match U.S. government filtering criteria. Once tagged for additional analysis, that once-private information is exposed to examination by methods and means that are still coming to light. It seems an elevated-risk gamble to subject some categories of communications to those odds.

REFERENCES:

Much of the reporting on this topic has been delivered by The New York Times, the Guardian and ProPublica, based on documents obtained by The Guardian.
For the Guardian: James Ball, Julian Borger, Glenn Greenwald
For the New York Times: Nicole Perlroth, Scott Shane
For ProPublica: Jeff Larson

“Revealed: The NSA’s Secret Campaign to Crack, Undermine Internet Security.” Sept. 5, 2013
http://www.propublica.org/article/the-nsas-secret-campaign-to-crack-undermine-internet-encryption

“N.S.A. Able to Foil Basic Safeguards of Privacy on Web.” Sept. 5, 2013
http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html?hp&_r=0&pagewanted=all

“Revealed: how US and UK spy agencies defeat internet privacy and security.” Sept. 5, 2013
http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security

“Privacy Scandal: NSA Can Spy on Smart Phone Data.” Sept. 7, 2013
http://www.spiegel.de/international/world/privacy-scandal-nsa-can-spy-on-smart-phone-data-a-920971.html

“Documents show NSA can crack most Web privacy encryption.” Sept. 6, 2013
http://www.upi.com/Top_News/US/2013/09/06/Documents-show-NSA-can-crack-most-Web-privacy-encryption/UPI-60871378450800/#ixzz2eMBRBQy4

“NSA Prism program taps in to user data of Apple, Google and others.” June 6, 2013
http://www.theguardian.com/world/2013/jun/06/us-tech-giants-nsa-data

Sarbanes-Oxley (SOX):
http://en.wikipedia.org/wiki/Sarbanes%E2%80%93Oxley_Act#Sarbanes.E2.80.93Oxley_Section_404:_Assessment_of_internal_control


One Response to NSA Data Gathering Hits Financial Services Privacy & Security Promises

  1. […] involves elevated risk. Risk that is difficult to quantify. Late last summer I wrote a little about the potential for NSA data gathering to influence Financial Services privacy and security promises […]
