One of the security-related topics that has the least actual impact on enterprise security has been getting the most attention from the security press and the security Twitterverse: the Edward Snowden NSA surveillance disclosures. If you made a list of the top 100 risks to any company (or any individual) NSA intercepting their communications would never make the list.
This outrage over intelligence activities tends to happen in times of relative peace and freedom from local wars or terrorists flying airplanes into buildings. This is actually a good thing, because over-reach by intelligence agencies tends to happen during those same periods. To put this in perspective, after a brief visit to the 1600s, let’s look at an abbreviated history of the domestic surveillance pendulum swings over the past 75 years in the US:
1602: Galileo discovers the properties of the pendulum, particularly that the period of the pendulum is approximately independent of the amplitude or width of the swing. If all friction and drag were removed, once put in motion a pendulum would swing forever.
Let’s flash forward a few years, even though all kinds of interesting pendulum-related research happened over the intervening centuries
1938: The US House Committee on Un-American Activities is formed to investigate individuals and organizations suspected of subversive activities in support of communism as tensions rise as Hitler tramples Europe. Activities accelerated after the end of World War II as the US and the Soviet Union began what was to be a decades-long escalation of spying on each other as part of the “Cold War.” 1967: (I can’t resist) The Newton’s Cradle “Executive Toy” based on the principle of the pendulum is first sold by Harrods of London.
1969: After years of uncovering many spies, but also producing many “false positives” in the form of blacklists of Hollywood actors and writers, bad publicity and protests caused HUAC to be renamed the “Internal Security Committee.” National law enforcement agencies, such as the FBI and IRS, and intelligence agencies such as NSA and the CIA, continue to perform domestic investigations and surveillance of suspected “subversives.”
1972: The Watergate scandal exposes Presidents Nixon’s use of these same US national law enforcement and intelligence agencies to investigate political opponents and US citizens. This causes much fallout:
- The US passed its first Privacy Act in 1974, setting rules around federal agencies’ use and dissemination of personally identifiable information about US citizens.
- President Nixon was forced to resign in 1974.
- The Internal Security Committee was disbanded in 1975.
- The Foreign Intelligence Surveillance Act (FISA) was enacted in 1978, drastically limiting the ability of intelligence agencies to do any surveillance of domestic communications.
A bit of a personal note: I got out of college in 1978 and went to work at NSA. By then, there were drastic controls over any domestic surveillance. I was once reprimanded for tuning a lab test receiver to a ham radio frequency because it could have been construed as domestic monitoring.
September, 2001: Terrorists operating inside the US fly planes into the World Trade Center in NY and the Pentagon in Northern Virginia, and another plane crashes in Pennsylvania, killing 2,996 people overall. Later investigations showed that the Privacy Act and FISA restrictions (and the continuing difficulties of US intelligence agencies to share information with each other) caused huge blind spots in the US ability to detect the activities of terrorists operating in the US.
October, 2001: The Uniting (and) Strengthening America (by) Providing Appropriate Tools Required (to) Intercept (and) Obstruct Terrorism Act of 2001 Act (USA PATRIOT) is passed, demonstrating politicians had gotten much better at creating acronyms since 1938 but also greatly expanding US intelligence agencies’ ability to perform domestic surveillance related to terrorism. Over the next 10 years, a periods of no successful domestic terrorism against the US, the PATRIOT act is tinkered with (both expanding some abilities, restricting others) but is renewed several times by Presidents Bush and Obama.
April, 2013: Explosive devices are detonated at the Boston Marathon by two domestic terrorists, killing 3 people and injuring 264 others. In the weeks following the killing of one perpetrator and the capture of the other, it comes to light that Russian intelligence agencies had informed the FBI of suspicious telephone conversations it had monitored involving one of the bombers. Concern begins to build in the US about the FBI’s inability to “connect the dots” across intelligence data and prevent the incident.
May, 2013: NSA contractor Edward Snowden leaks classified information detailing the extent of NSA’s monitoring of US citizen phone calls and Internet activities as part of monitoring potential terrorist activities.
June, 2013: Washington Post/ABC poll shows 2/3 of Americans support congressional hearings into the domestic surveillance programs.
So, the pendulum swings on. Which is good – threats change, technology changes, social norms change and revision to regulations around government surveillance need to change, as well. Perhaps the angst over the Snowden disclosures points out that most people really don’t want privacy to be dead, after all?
So, I’d like to see as much outrage about the information collected in the name of “free” Internet content and search engines, where there isn’t even a FISA court to review things. The continuing headlines around massive data breaches of customer information collected by private industry point out where the real risks are.