Since the NSA’s extensive domestic and international monitoring was revealed by Edward Snowden via The Guardian’s Glenn Greenwald in June 2013, much ink (or many pixels, as the case may be) has been spilled discussing whether or not the NSA has gone too far, whether the programs are unconstitutional, and a variety of other issues.
One view that I have not yet seen is that of someone on the front lines of information security, who deals with many of the threats that the NSA has been monitoring on a fairly regular basis.
Someone like me.
I’ve alluded to my background and profession on a number of occasions, but I figured I’d reiterate my credentials before I begin. I’m a Certified Information Systems Auditor who’s worked for a major healthcare software developer, a major public accounting firm, a Fortune 100 company, a major healthcare provider, and currently with a very well regarded information security consulting firm. My specialization is technology governance, risk, and compliance. I’m not a hardcore network security guy, although some of the people I work with are regarded as the best in the field in that particular area of expertise.
A few months ago, I had the opportunity to discuss the Snowden leaks with a number of these individuals. The general consensus, one that I agreed with as well, was that the only thing the NSA did wrong was get caught.
If I have learned anything over my career, it’s that what we perceive to be a right to privacy is an illusion. There is no right to privacy on the internet. If you are out there, you are subject to being “doxed”, or having your personal information revealed and your anonymity stripped away. As we created online communities, we also carried over a notion of privacy from the real world that is non-existent and impossible to enforce in the virtual world. In essence, it’s a form of Mutually Assured Destruction; reveal my identity, and I can reveal yours. Given enough time and resources, no one is truly anonymous.
The outrage over the NSA turning their vast information gathering apparatus on United States citizens was, at least to me, almost comical. For starters, this assumption that the NSA, CIA, FBI, etc. have extensive access to pretty much everything on the internet has been around for over a decade. We knew what was in the PATRIOT Act, even if Congress didn’t. There wasn’t any shock and surprise; as I mentioned, it was just mild amusement that the NSA got caught doing it. What made it even funnier was the NSA’s response, which amounted to a bureaucratic Kanye Shrug. They knew exactly what they were doing, and the vast majority of it was legal; not legally grey, just straight up legal.
I think what annoyed me the most was the response of the different countries around the world to the revelation that the United States was spying on them in some capacity. Since the end of World War II, the United States has been a superpower; after the fall of the Soviet Union, the United States has been THE superpower. With that comes certain responsibilities, first and foremost of which is ensuring that the world does not blow itself up. No one wants to be king of a radioactive wasteland. For most of the last century, the Western world in particular has lived behind the shield provided by the United States and it’s allies, and have prospered for it. Many of those same countries, most notably in Europe, were the most vocal critics of the NSA’s information gathering programs. To them I reply, “Tough Noogies.” That’s the price of American protection. If you don’t like it, you’re free to spend as much of your GDP on defense as the USA does to provide for your own national defense. Just don’t call us when things go horribly wrong.
Getting away from the politics and back to the technology side of things, any network admin worth their salt has big blocks of IP addresses blocked. Russia, Eastern Europe, China, the Middle East, and Africa are all likely candidates. Why? Because the more civilized among them, especially China and Russia, are out to steal whatever information they can get their hands on, and the less civilized are just out to scam comparatively wealthy Westerners out of their American dollars. That’s the way the world works. To pretend that any nation is clean, that there is anyone that doesn’t engage in similar, if less sophisticated, activities to gain an edge in negotiations or law enforcement or industry is only fooling themselves. Everyone does it; that doesn’t make it right, but that does make it what is.
At the end of the day, the only person we should collectively be angry at is ourselves. Congress can repeal the PATRIOT Act and it’s successors anytime they want. Congress can place restrictions on what the NSA is allowed to do to United States citizens. Ultimately, our own fear and paranoia are what keep them in business. To be perfectly honest, I’m not sure that’s such a bad thing.
