It's been about two months since the sweeping allegations of United States government surveillance, mainly through the National Security Agency, hit the airwaves. It seems like we get a new taste of how deeply the NSA works with various companies to enable that monitoring every couple of weeks, too.
We may never know the full extent of this program, and some details are still in dispute, but it has been long enough for the general public to start forming conclusions about the program. Considering what we now know (or at least what we think we know), here are five considerations for CIOs and technical staff at all companies in the wake of the PRISM monitoring scandal.
1. Everything (Yes, Everything) Leaves a Trail.
Essentially, every service you touch generates metadata—or information about you, the transaction and other details—which is stored and can be accessed at a later date. Understanding this is a crucial step to fully appreciating the implications of a surveillance program like PRISM.
Internally, looking at data retention policies for possible modification should move up your priority list. Externally, interrogating your vendors about what metadata is generated through your business with their companies, as well as how it's stored and when it expires, takes on added importance.
2. Assume That Most PRISM Press Is Wrong.
Or, to be charitable, assume that it's at least moderately inaccurate from a technical perspective. As is ever the case, in an effort to make a technical operation understandable and digestible to the average reader, who isn't an Internet communications professional, a significant portion of the media coverage about the PRISM monitoring contains inaccuracies.
For example, there's still much debate about what initial reports from The Guardian on NSA "direct access" to servers at Microsoft, Google and so on actually mean in practice. The Guardian later reported that Microsoft had provided methods of decrypting communications stored in the company's Outlook.com and Hotmail e-mail services; specifically, that "Microsoft helped the NSA to circumvent its encryption to address concerns that the agency would be unable to intercept Web chats on the new Outlook.com portal."
It's unclear whether this means that Microsoft helped the NSA penetrate the SSL-based encryption used during data transmission, or that Microsoft stores the records of chats and their contents for a period of time in encrypted form and then gave the keys to the NSA, or something else entirely.
Put simply, we don't know. That makes it hard to guard against this type of eavesdropping. If you don't know what you are securing against, you may be employing strategies that don't address the actual breaches that are happening. The media gives you an overall impression of the scale and depth of any monitoring operation, but don't rely on the reporting for sensible, applicable technical details.