Haroon Meer: SA not part of the 'inner circle'
Everyone has taken some lessons from the Edward Snowden revelations. There is the need for crypto capabilities, and the insider threat is still a problem.
However, there are deeper, less obvious lessons, says Haroon Meer, founder of Thinkst, speaking at the ITWeb Security Summit 2014 in Sandton this morning.
What is interesting, he says, is that there have already been many revelations, and we don't know how many more are still to come. "Estimates from the NSA vary widely, it has been reported that around 1.7 million documents were accessed."
The lesson from this, says Meer, is that you need to know what you have, and who has access to it.
"One of the first revelations was that Verizon was sharing its users' data and metadata with the NSA. The lesson here is truth, lies and redirection. Director of National Intelligence General Clapper caused an uproar when caught lying during sworn testimony delivered to the Senate. He initially claimed that the NSA does 'not wittingly' collect and store data on US citizens. However, Edward Snowden's leaks belied this statement, and he was forced to take back the statement."
Meer says, interestingly, when Snowden's revelations first came to light, many were outraged on the NSA's behalf. "It is interesting to see how we default to trusting the environment."
The next revelation was Prism, the NSA's covert mass electronic surveillance data mining program. "We saw the companies that were on board. Although this clearly brought home the dangers of cloud storage, it also brought home the 'us versus them' mentality. How much did we, as non-Americans, matter in the scheme of things? In short, we don't."
The third revelation, he says, was the G20 Summit leaks. "This penetrated the security of delegates' BlackBerrys to monitor their e-mails and phone calls, and supplied 45 analysts with a live, round-the-clock summary of who was phoning who at the summit."
What was interesting here, other than the techniques used, says Meer, was that this had nothing to do with terrorism. They were feeding info back to the analysts at the Summit to help them with their negotiations.
The lesson here is the "myth of the Chinese bogeyman", adds Meer. "What came out was the issue of moral high ground vs exceptionalism. It's ok when we do it, but let's cry blue murder when someone else does it. It is interesting to note that the maxim today is 'everyone is doing it' when before China was the culprit."
He asks, as South Africa, where do we stand? "Surely we don't have top ranking people using public mail services?"
The case of the National Intelligence Agency spying on prominent South African businessman Saki Macozoma in 2006 showed this not to be the case. "A quick Google search will show that many prominent government figures and bodies are still using Yahoo and other public e-mail addresses. This makes the work for foreign entities wishing to spy, really easy."
The takeaway here, says Meer, is that if you use the cloud for anything sensitive, you are doing it wrong.
Reliance on Silicon Valley
He says it is dangerous to assume that we are not targeted. The hacking of Belgacom illustrates this point. Many countries were affected in this case, although they might not have been the primary targets. "There are five billion cellphone records per day hoovered up by the NSA."
Are we saying don't use cloud? Don't use US software? Meer asks. "Right now, no. We are deeply dependent on foreign skills for this stuff, and businesses like Microsoft are deeply entrenched with NSA, and over and above Microsoft, we are deeply dependent on Silicon Valley."
"Is there some way to break it? Can we build our own?"
He cites In-Q-Tel as an example. Its mission statement is: "We identify, adapt, and deliver innovative technology solutions to support the missions of the Central Intelligence Agency and broader US Intelligence Community."
In-Q-Tel funds many security start-ups, and this is a winning strategy. "Use military funding to fund these start-ups - successful businesses such as FireEye and ArcSight were funded initially by In-Q-Tel."
However, in SA we are not even close, he says. "We have bodies to fund research such as the CSIR, but we are not channelling enough resources into this, and we do not have enough students."
What we can do here is lean on free and open source software, as it will allow us to pool resources with others in the same position. "This will lessen our reliance on Silicon Valley, so we won't be held hostage. We can piggyback off existing open source projects that have good security and strong encryption instead of building our own."
Ultimately, he says the leaks have made it clear that no matter how we try, we are not in the inner circle. "For example, FVEY or Five Eyes Surveillance, an alliance comprising Australia, Canada, New Zealand, the UK and the US. If you're not part of it, you're not."
In SA, he says, we must be careful whose advice we take. "Judge the people on our cyber advisory board. The people you take advice from. Judge them on yesterday's headlines, as they should have predicted those."
"More hacks are coming. For governments, the divide is growing. It's not just the NSA, the US is treating cyber space as one of its colonies."