Edward Snowden and data security for the Internet of Things

A projector fired up in a moderately sized conference room at The Boulders Resort in Carefree, AZ on Monday, and from it appeared the image of a young man dressed in all black wearing rimless glasses. A day or two’s worth of stubble suggested fatigue although he was very much alert, and a green screen backdrop gave off occasional distortion whenever he gestured abruptly.

He was Edward Snowden, streaming live to the audience of the 2016 Privacy Xchange Forum (PxF) from an undisclosed location, presumably in Russia.

By now the story of Edward Snowden and his leaking of classified documents related to the National Security Agency’s (NSA’s) dragnet mass surveillance program is infamous. His actions in the summer of 2013 sparked a chain of investigations into a state-sponsored global surveillance coalition that spanned the Western world, and brought the issue of privacy versus security to the forefront of public discourse.

Regardless of your views on Snowden, his actions, or the social ethics of mass surveillance, it’s undeniable that NSA’s dragnet surveillance has some stark similarities to the most widely embraced concept in technology today, the Internet of Things (IoT). Specifically, both the NSA surveillance program and the IoT encourage the almost indiscriminate collection of data, and secondly, both are based on the notion that collected data will be stored, perhaps indefinitely, in the event that it needs to be referenced later.

Just as with the NSA surveillance programs, both of these notions raise serious concerns for the IoT that are centered around one question: Does the fact that we can collect data mean that we should?

Can versus should in IoT data security

On the one hand, a challenge of indiscriminate data collection is the dark side of Big Data. Analyzing countless bytes of structured and unstructured data in an attempt to extract trends and “valuable insights” from the IoT has proven difficult even for some of the most advanced organizations on Earth, as, for instance, the NSA “collected everything in a giant bucket” which is the reason the “surveillance programs have not been effective,” Snowden said.

“What the programs are doing is building a haystack of human lives, and you’ll find data that looks like needles, but isn’t,” he explained. “We collected it all instead of what was necessary. This didn’t achieve our goals.

“Ultimately someone – me – has to go to a desk, sit down, and look at the ocean of data. We’re drowning in the surveillance data … It’s not effective, and we know it’s not effective,” Snowden added.

A 2013 statement from Senator Ron Wyden of Oregon (D) and former Colorado Senator Mark Udall of the Senate Select Committee on Intelligence seems to affirm Snowden’s statements, saying “Gen. Alexander’s testimony yesterday suggested that the NSA’s bulk phone records collection program helped thwart ‘dozens’ of terrorist attacks, but all of the plots that he mentioned appear to have been identified using other collection methods.” Here, the lesson for IoT organizations should be clear: Sensor data can be indiscriminately acquired, though the complications of data analytics should make doing so a non-starter.

On the other side of data collection lies the reality of securing the data itself. In the context of IoT, data security often includes protecting not only internal company information, but also that of partners, clients, and end users, as well as being able to trust that those with access to your data are capable of doing the same. As business is fundamentally built on trust relationships, successful will ultimately be correlated with the success of IoT companies.

But data security is complex, multi-dimensional, and at times, it would appear, beyond the control of those handling the data. First, as Snowden pointed out, the reality that he, “a 29-year-old contractor could walk out of the NSA with an untold number of documents and they didn’t know about it until he was on TV, should give us pause.”

However, just as disquieting is the revelation from Snowden about today’s connected world related to the government practice of splitting operations into two divisions: offense and defense. While these two elements are “fundamentally at war with each other,” the truth is that getting budget for securing critical systems is tougher than for stealing Iranian nuclear secrets, Snowden said. For example, Snowden stated that the NSA toolbox for accessing domain name system (DNS) servers consists of exploiting vulnerabilities in equipment produced by American companies like Cisco and Juniper Networks, rather than patching those vulnerabilities to harden the infrastructure for government agencies and the private sector alike.

Brenner, formerly the head of U.S. Counter-Intelligence and past NSA Inspector General and Senior Counsel for the NSA, as well as author of Glass Houses: Privacy, Secrecy, and Cyber Insecurity in a Transparent World, served as the keynote to Snowden’s capstone at PxF. In the introduction of Glass Houses, Brenner writes that “The technology our military relies on is mostly developed in the private sector, and most of the research it’s based on is carried out in universities and private companies. The know-how of our engineering firms, the drugs that our pharmaceutical companies spend billions to develop, the trade secrets of our aerospace industry – these are the bases of our national welfare. Much of our infrastructure is also privately owned and subject to attack … As a result, the infrastructure, the technologies, and the information that governments must protect extends well beyond government property.”

This passage is at odds with the apparent reality of Snowden’s NSA toolbox, and during his presentation, Brenner cited the 2016 Verizon Data Breach Investigations Report (DBIR) to illustrate that out of more than 100,000 cyber incidents reported last year, 89 percent had financial or espionage motives. The report’s findings are largely influenced by U.S. agency reporting requirements, but they do indicate that attacks on every industry are largely carried out by crime syndicates and nation-state actors (as many as 25 percent) against private businesses in the West (Figures 1, 2).

[Figure 1 | The 2016 Verizon Data Breach Investigations Report (DBIR) indicates that 89 percent of 2015 data breaches were motivated by finance or espionage.]

[Figure 2 | The 2016 Verizon Data Breach Investigations Report (DBIR) reveals that the 2,260 cyber incidents with confirmed data loss reported in 2015 targeted every industry.]

To Brenner, these figures classify “industrial espionage on an industrial scale,” and the unfortunate circumstance of today’s cyber climate is that companies are faced with protecting everything from technology IP and engineering designs to individual, company, and client data, often from highly motivated adversaries with extensive means.

The emphasis on cyber offense, as well as the reality of third parties with access to sensitive data, once again returns IoT businesses to the question of can versus should: Storing as much direct and ambient information about a subject as possible can enable future business outcomes and support marketing and sales departments, but upon careful evaluation, the storage, liability, and security costs of doing so probably outweigh the potential benefits.

On this subject, at least, Snowden and Brenner agree.

Brenner advised attendees, “Don’t collect information you don’t need. Get rid of it when you don’t need it anymore.” Especially when dealing with sensitive individual or client data, disposing of any information that isn’t essential to operations reduces liability and risk, as well as organizational attack surfaces.

Similarly, Snowden highlighted the benefits of minimalist data collection by citing a recent case in which the Federal Bureau of Investigation (FBI) issued a subpoena and gag order against encrypted messaging app Signal in an attempt to collect information on two users of the software. As Signal only accumulated the bare minimum of data needed (namely, the user’s phone number, account creation date, and last connection date), they couldn’t be compelled to turn over what they didn’t have (Figure 3).

[Figure 3 | Encrypted messaging app Signal was subpoenaed by the FBI, but due to minimalist data collection practices, the company had little to turn over.]

While not a direct IoT data security case, Signal’s limited data retention philosophy can serve as a lesson to all IoT companies concerned with data protection and privacy. Their approach to data collection not only allowed them to maintain trust in their client relationships, it can also be extrapolated to cyber threats, as there simply wasn’t much to steal or clandestinely observe.

“The broader picture is that everyone is getting hacked all the time,” Snowden concluded. “Many people collect everything, and they’re inviting a liability burden on themselves and their business that could bring problems down the road.”