Every day new information emerges on the extension of NSA’s PRISM program. We discovered that e-mail, phone calls, services, even conference systems have been cracked and gone under illegal surveillance. We also learned that the NSA paid US tech giants like Microsoft, Google, Yahoo, AOL to allow this and when this was not possible resources were brutally hacked.

From a security point of view, a discussion on whether the reasons that moved the US government to do this can be approved or not is of little interest. Our task, on the other hand, is to consider causes and consequences in order to design security countermeasures. When designing a security infrastructure we should design with every risk in mind and try to figure who and why could interfere with our processes.

Could we have anticipated this?

Reactions to PRISM have been naive from this point of view. In fact, was this mess really totally unexpected?

Let’s think for a moment about developments in the last years. In technology we have seen a boom in communication platforms which has led to the massive exchange of information. In addition, we have witnessed growing concerns about cyber warfare, cyber espionage and so on. Even the least expert reader might remember aktivism activities carried out by groups like Anonymous or Lulzec or the Stuxnet affair.

Under these circumstances, thinking that the US Government would not use intrusive and offensive techniques in order to “protect” its assets would be close to ridiculous.

On the other hand, ethical questions like “is this legal?” or “Is this Bad or Good?” should not be our concern as security professionals. Because security requires a paranoid approach where everyone both on the inside and the outside are potential threats. Even the extension of PRISM, which is what caused the media outcry, would have been less of a surprise if the warnings of security experts had been taken more seriously.

Security is a trust based affair

When we talk about security, no matter if Information Security or Physical Security, we should realize that trust is the corner stone around which to devise our solutions. Product, services, providers should be chosen keeping in mind that we have to trust them.

What PRISM really crashed is our trust in US companies, and Lavabit or Groklaw episodes have been significant in this sense. When we need a security service or product, we should be able to trust that the provider will not fool us. When seeking an antivirusantimalware solution, we expect it to catch the viruses, but after the FBI malware program can we still be so sure that there won’t be backdoors to allow specific code to remain undetected? Or, if we buy an IPSIDS can we actually trust the manufacturer that there will be no backdoor allowing PRISM like intrusions? This is even more difficult considering that rumors about US government backdoors on commercial products have a long story, even Linux has been involved in the long magic lantern scandal. This is why a good security developer should always take into consideration past occurrings.

Cloud considerations

When I talk about cloud, I always point out challenges related to data privacy. The distribution of data access rights is one of the main concerns in cloud deployment, and it is not just related to PRISM but simply to the different legal requirements from country to country. From this point of view, the Patriot Act is enough for European companies to avoid US cloud providers. Without a common set of rules that safeguard privacy, cloud will always raise security concerns. I am not saying that we should not use cloud providers but that we should pay attention to cloud constrains and use concurrent technologies to protect our data. For instance, one can resort to a separate encryption system with keys not managed by the cloud provider itself and the possibility to control data geo location to avoid areas where the legislation could raise concerns as in the US.

Privacy and encryption

Every time we consider the need of privacy in our communication, we should consider encryption. Current communication systems on the internet or by phone does not provide security of any kind. Email are all but a secure systems (I’ve already discussed security requirement in emails elsewhere) and of course we cannot expect privacy from Twitter or Facebook. At the same time we should consider not safe any mail provider that provide free mail service, for the mere fact that a free service can not justify big security investments. Encryption now is the best solution even for personal use, although it can be difficult to be correctly managed by a not tech savvy user.

Conclusion

Security programs are not a way to squeeze cash out of naive companies and individuals but a serious requirement which to be efficient should be carried out in a (little) paranoid attitude.