MIT: Spying Bad for Business
Spying Is Bad for Business
Can we trust an Internet that’s become a weapon of governments?
Following a one-day summit in Brasilia this February, negotiators from Brazil and Europe reached a deal to lay a $185 million fiber-optic cable spanning the 3,476 miles between Fortaleza and Lisbon. The cable will be built by a consortium of Spanish and Brazilian companies. According to Brazil’s president, Dilma Rousseff, it will “protect freedom.” No longer will South America’s Internet traffic get routed through Miami, where American spies might see it.
She’s not being paranoid. Documents leaked last June by former U.S. intelligence contractor Edward Snowden revealed a global surveillance operation coördinated by the U.S. National Security Agency and its counterpart in Britain, the GCHQ. Among the hundreds of millions of alleged targets of the dragnet: Brazil’s state oil company, Petrobras, as well as Rousseff’s own cell phone.
The big question in this MIT Technology Review business report is how the Snowden revelations are affecting the technology business. Some of the consequences are already visible. Consumers are favoring anonymous apps. Large Internet companies, like Google, have raced to encrypt all their communications. In Germany, legislators are discussing an all-European communications grid.
There is a risk that the Internet could fracture into smaller national networks, protected by security barriers. In this view, Brazil’s new cable is akin to China’s Great Firewall (that country’s system for censoring Web results), or calls by nationalists in Russia to block Skype, or an unfolding German plan to keep most e-mail traffic within its borders. Nations are limiting access to their networks. The result, some believe, could be the collapse of the current Internet.
Analysts including Forrester Research predict billions in losses for U.S. Internet services such as Dropbox and Amazon because of suspicion from technology consumers, particularly in Europe, in the wake of Snowden’s revelations. “The Snowden leaks have painted a U.S.-centric Internet infrastructure, and now people are looking for alternatives,” says James Lewis, director of the strategic technologies program at the Center for Strategic and International Studies in Washington, D.C.
Many nations eavesdrop, each for their own reasons. Some target dissidents with malware to watch their keystrokes. Others, like China, also bleed companies of intellectual secrets about jet fighters and wind turbines. So pervasive and successful has digital espionage become that in 2012, Keith Alexander, the Army general in charge of the NSA, described it as “the greatest transfer of wealth in history.” He estimated that U.S. companies lose $250 billion a year to intellectual-property theft.
This is hastening the trend to secure networks, to isolate them, or even to disconnect. In this report, we visit a small energy company for which a network cable might as well be Medusa’s hair (see “Cyberspying Targets Energy Secrets”). The company is so frightened that it keeps its best ideas on computers quarantined from the Internet. Retrograde technology is winning money and resources. Following the Snowden revelations, Russia’s secret service reportedly placed an order for $15,000 worth of typewriters and ribbons. They said paper was safest for some presidential documents.
Security experts have been warning for some time that computer networks are not secure from intruders. But in 2013, we learned that the mayhem has become strategic. Governments now write computer viruses. And if they can’t, they can purchase them. A half-dozen boutique R&D houses, like Italy’s Hacking Team, develop computer vulnerabilities and openly market them to government attackers.
Criminals use common computer weaknesses to infect as many machines as possible. But governments assemble large research teams and spend millions patiently pursuing narrow objectives. Costin Raiu, who investigates such “advanced persistent threats” as director of research and analysis for anti-virus company Kaspersky Lab, says he logs on to his computer assuming he is not alone. “I operate under the principle that my computer is owned by at least three governments,” he says.
That is a threat mainstream technology companies are grappling with. The U.S. government circumvented Google’s security measures and secretly collected customer data. British spies scooped up millions of webcam images from Yahoo. In December, on Microsoft’s official blog, the company’s top lawyer, Brad Smith, said he had reason to view surreptitious “government snooping” as no different from criminal malware. Microsoft, along with Google and Yahoo, has responded by greatly widening its use of encryption (see “The Year of Encryption”).
“We’re living in a very interesting time, where companies are becoming unwilling pawns in cyberwarfare,” says Menny Barzilay, a former Israeli intelligence officer now working in IT security for the Bank Hapoalim Group, in Tel Aviv. In this new context, nobody can say where the responsibilities of a company may end and those of a nation might begin. Should a commercial bank be expected to expend resources to defend itself when its attacker is a country? “This is not a ‘maybe’ situation. This is happening right now,” says Barzilay. “And this is just the beginning.”
If the Internet and its components cannot be trusted, how will that affect business? Consider the case of Huawei, the Chinese company that last year became the world’s largest seller of telecom equipment. Yet its market share in North America is paltry, because the U.S. government has long claimed that Huawei’s gear is a Trojan horse for China’s intelligence services (see “Before Snowden, There Was Huawei”). Now American firms like Cisco Systems say their Chinese customers are turning away for similar reasons. After all, the Snowden documents suggest how vigorously the NSA worked to insert back doors in gear, software, and undersea cables—in some cases via what the agency called “sensitive, cooperative relationships with specific industry partners” identified by code names.
Mistrust is also creating business opportunities (see “Spinoffs from Spyland”). In this issue we travel to an old bunker in Switzerland that local entrepreneurs have turned into a server farm, hoping to do for data what the Swiss once did for Nazi gold and billionaires’ bank accounts. Thanks to its privacy laws and discreet culture, the country is emerging as a hub for advanced security technology (see “For Swiss Data Industry, NSA Leaks Are Good as Gold”). In Lewis’s view, these sorts of technological initiatives threaten the American lead in Internet services such as remote data storage. “It hasn’t been long enough to know if the economic effects are trivial or serious, but the emergence of foreign competitors is a sign that it’s serious,” he says.
There’s even a shift under way in consumer technology. Consumers have been rushing to download texting apps like Snapchat, where messages disappear. They are posting on anonymous message boards like Whisper and buying “cryptophones” that scramble their calls. Spy-shop stuff is going mainstream. Phil Zimmermann, a famous privacy advocate, helped create one of the cryptophones, the $629 Blackphone, launched in February at the big mobile communications conference in Barcelona, Spain (see “For $3,500, a Spy-Resistant Smartphone”).
That is how Edward Snowden is affecting business. People are asking questions about technology products, and technology companies, that they never asked before. Is it safe to connect? Are you Russian or American? “This is something that changed since last June, when the leaks started,” says Mikko Hypponen, chief research officer of the Finnish security company F-Secure. “Before, the idea was that the Web had no borders, no countries. This was the naïve utopia. Now we have woken up.”