Microsoft, Google security: Edward Snowden won where Barack Obama failed
Washington: Former US National Security Agency (NSA) contractor Edward Snowden succeeded where President Barack Obama couldn’t—getting Microsoft Corp., Google Inc. and Yahoo Inc. to upgrade computer security against hackers.
The companies are adopting harder-to-crack code to protect their networks and data, after years of largely rebuffing calls from the White House and privacy advocates to improve security. The new measures come after documents from Snowden revealed how US spy programmes gain access to the companies’ customer data—sometimes with their knowledge, sometimes without—and that’s threatening profits at home and abroad.
“These companies actively fought against numerous mechanisms that would have mandated far more secure data,” Sascha Meinrath, director of the Open Technology Institute at the New America Foundation in Washington, said in a phone interview. “Now they are paying the literal price.”
While Google, Yahoo, Microsoft and Facebook Inc. provide data to the government under court orders, they are trying to prevent NSA from gaining unauthorized access to information flowing between computer servers by using encryption. That scrambles data using a mathematical formula that can be decoded only with a special digital key.
The NSA has tapped fibre-optic cables abroad to siphon data from Google and Yahoo, circumvented or cracked encryption, and covertly introduced weaknesses and back doors into coding, according to reports in The Washington Post, The New York Times and the UK’s Guardian newspaper based on Snowden documents. He is now in Russia under temporary asylum.
Microsoft is the latest company considering measures to ensure the protection of customer data and strengthen security against snooping by governments, according to Brad Smith, general counsel for the Redmond, Washington-based company.
Microsoft’s networks and services were allegedly hacked by NSA, The Washington Post reported on 26 November. Documents disclosed by Snowden suggest, without proving, that NSA targeted Microsoft’s Hotmail and Windows Live Messenger services under a programme called MUSCULAR, the newspaper said.
“These allegations are very disturbing,” Smith said in an e-mailed statement. “If they are true these actions amount to hacking and seizure of private data and in our view are a breach of the protection guaranteed by the Fourth Amendment to the Constitution.”
Smith didn’t provide details about what the company is considering doing.
Microsoft lags behind other major companies when it comes to protecting users against extra-legal attacks on its networks to obtain user data without a warrant, said Kurt Opsahl, senior staff attorney for the digital-rights group Electronic Frontier Foundation, based in San Francisco.
The non-profit has compiled a report providing a side-by- side comparison of the encryption measures companies have adopted.
“We have asked companies to implement encryption on every step of the way for a communication on its way to, or within, a service provider’s systems,” Opsahl said in an e-mail. The news about NSA’s MUSCULAR programme served as a wake-up call, and it’s encouraging to see so many companies working to ensure that user data is not stolen out the backdoor.
Internet companies resisted efforts to be included under an executive order Obama issued in February to better secure vital US computer networks.
The 12 February order said the government can’t designate commercial information technology products or consumer information technology services as critical US infrastructure. That exempted services like Mountain View, California-based Google’s Gmail, Microsoft’s Windows and Cupertino, California-based Apple Inc.’s iPhone software.
“The difference now is the companies are responding to market pressure,” said James Lewis, director of the technology and public policy programme at the Center for Strategic and International Studies, a Washington non-profit.
“They’ve got to do something to show the foreign customers they’re protecting them from surveillance,” Lewis said in a phone interview. “The administration was looking for incentives and it appears they found one.”
The Obama administration and members of Congress say cyber-security legislation is still needed to secure the networks of power grids, banks and pipelines, which haven’t been affected by the Snowden disclosures. Legislation has been proposed in the Senate to establish voluntary cyber-security standards for companies, while the House passed a Bill that would give companies legal protections for sharing hacking threat data with each other and the government.
“News about the spy programmes has great potential for doing serious damage to the competitiveness of US companies,” Richard Salgado, Google’s director for law enforcement and information security, told a US Senate panel on 13 November.
Revelations of NSA spying may cost the US cloud industry as much as $35 billion by 2016, according to the Information Technology Industry Council and the Software Information Industry Association, two Washington trade associations.
Even after the NSA revelations to date, it isn’t clear whether the agency bypassed or received cooperation from companies that provide the fiber-optic cables and other equipment that make up the Internet’s backbone, such as Broomfield, Colorado-based Level 3 Communications Inc. and Sunnyvale, California-based Juniper Networks Inc.
NSA collects the communications of targets of foreign intelligence value, irrespective of the provider that carries them, agency spokeswoman Vanee Vines said in an e-mail.
Level 3 is constantly monitoring, testing, adapting and improving our security measures to protect against the ever- evolving threat landscape, Dale Drew, the company’s chief security officer, said in an e-mailed statement.
Our top priority remains to protect our customers and our network infrastructure—the source of an attack is immaterial, he said.
Juniper products are designed to meet the high security and privacy standards that users require and the company has multiple layers of security, including the right policies, protocols and technologies to counter a variety of security risks and vulnerabilities, spokeswoman Cindy Ta said in an e-mailed statement.
Meinrath, with the Open Technology Institute, said companies that claim to secure data while allowing it to be intercepted due to lax security should face legal liabilities.
The smartest minds in these companies completely fell down on the job in terms of identifying risks to these business models, Meinrath said. “The fact that the Snowden revelations can act as a catalyst to implement best practices for secure communications and data integrity is a great outcome.” BLOOMBERG
Nicole Gaouette in Washington contributed to this story.