In all the debate over the leaks of highly-sensitive security information by Edward J. Snowden, a National Security Agency contract employee, one glaring fact is being largely overlooked: The leaks have caused, and will continue to cause, serious damage to U.S. businesses, large and small. The damage is both direct and immediate, and indirect with the quantifiable effects most likely never known.
In this article, I do not discuss whether Snowden is a hero or a traitor, or something in between, nor do I address the important issue of how this particular individual had access to such sensitive national security information in the first place. What I do discuss is the nature of the information leaked, the damage the leaks have caused and will continue to cause to U.S. businesses, and what you can do about it.
The critical information disclosed by Snowden
To fully appreciate the consequences of Snowden’s disclosures, I look first to the scope of the information he disclosed. Thanks to Snowden, it is now clear that for some time the NSA has had access to the Verizon phone records of U.S. citizens and probably the records of AT&T and other major companies. This is not access to the content of the calls, but to Internet traffic metadata that reveals who was called, by whom, when and by what mode of communication. The NSA can store, data mine and can keep indefinitely virtually everyone’s cellphone or landline phone records. Metadata, which is a lot easier to store and analyze than content, can be extremely personal to the individual, and provides enormously valuable intelligence. And, while metadata collection constitutes the bulk of the NSA efforts, the agency can also obtain the content of selected conversations.
“So what?” you may ask. “I have nothing to fear from the government looking at my communications and, if this activity results in even one terrorist plot uncovered, the tradeoff is well worth the risk of having my privacy breached.”
A fair question and the answer is a lot scarier than you might expect.
It is not the fact that Snowden revealed that the NSA is conducting large-scale surveillance of U.S. citizens’ email, voice and data transmissions that concerns us here. (The efficacy and even legality of those efforts is a conversation for another place.) Rather, it is the consequences of Snowden’s leaks that we should care about, the most serious of which is that the documents Snowden released give critical information to hackers around the world, state-sponsored and otherwise, about what the government is doing to combat their work. The revelation about certain of the government’s security methods, in particular, inserting vulnerabilities into critical hardware — the now-infamous “back doors” — permits the hackers who are trolling 24/7 in their sophisticated attempts to hack into U.S. businesses to be a lot more successful. This past Sunday, The New York Times said that according to its reporting, and that of The Guardian and ProPublica, “the [NSA] now has access to the codes that protect commerce and banking systems, trade secrets and medical records, and everyone’s email and Internet chat messages, including virtual private networks.”
As Michael Janke, a former Navy SEAL and CEO of Silent Circle, a high-level security firm, said, “Because the criminals and hackers know that the NSA has put a vulnerability into hardware, they can now focus on finding that attack vector and exploiting it. The criminal hacking population has been given a gift.”
The enhanced capability that Snowden has given the hackers significantly increases the likelihood that U.S. businesses (and colleges and universities, financial institutions, health care organizations, law firms and any others with a duty to protect sensitive information) will be hacked and data stolen or compromised, all at great expense and with huge potential liabilities. The expensive consequences to U.S. businesses and other entities resulting from data breaches of critical information are already well-known. New, indirect and unexpected consequences, for example, claims that any data breach in this day and age, particularly in light of the Snowden leaks, must be the result of negligence, if not gross negligence, are predictably on the horizon.
What can we do about it?
The “so what?” question now becomes, “What can we do about it?” The answer is not complicated, is not rocket science, and may not be that expensive. The obvious first step is assessment. You can’t fix what you don’t know is broken, and for sure you don’t want to fix what isn’t broken. Any assessment you undertake should address IT as well as non-IT exposures (social media, cloud contracting, privacy and compliance issues, among others); be cost-effective; have a rapid report turnaround so it is not outdated when given to senior management; give at least high-, medium- and low-risk evaluations for resource allocation purposes; and have solid remediation recommendations for IT and non-IT exposures. And assessments need to be done on a regular basis to address the continual implementation of new technologies, multiplying threat vectors, reoccurring staff turnover, and continually changing business practices. All affect the potential for cyber-risk exposure.
A good assessment and report will, among other things, address encryption. Encryption is but one example of a relatively easy and inexpensive fix to secure voice, text and data and to dramatically limit exposure to hacking. As Snowden himself said in an online interview shortly after he released the documents, “Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on.”
With a thorough report in hand, you will be in a position to make informed cyber-risk management decisions, i.e., whether to fix, ignore or transfer by way of insurance, any given risk. As a quantifiable bonus, any underwriter of cyber-risk insurance would be happy to have a report addressing the full range of your cyber exposures as a primary resource for providing you the most appropriate coverage at a reasonable, and possibly reduced, premium.
The bottom line is that, even though Snowden’s revelations have made it easier for those who are working to steal and compromise all the data they can get their hands on, those risks have been out there since the dawn of the Internet. Snowden has only increased the scale of the risks, not the risks themselves, but his leaks should serve as a serious wake-up call for all of us. The good news is that excellent, effective remedies are at hand.
Ned Dunham is a member of Kleinbard Bell & Brecker’s litigation department. He concentrates his practice in the areas of cyber-risk management, insurance coverage and commercial litigation. He can be reached at firstname.lastname@example.org or at 267-443-4109. For more information on the firm, visit www.kleinbard.com.