The True Cost of Surveillance

Uploaded on 2015-12-28 in NEWS-Cybersecurity News, INTELLIGENCE--International, GOVERNMENT-Law Enforcement, GOVERNMENT-National, FREE TO VIEW

UK Home Secretary Theresa May

The British Conservative government recently published proposals for new legislation to regulate spying in the UK. The draft Investigatory Powers Bill, introduced by Home Secretary Theresa May, seeks to do many things, particularly gathering up powers already contained in a lot of different existing laws and subjecting them all to a coherent oversight procedure. Most of the discussion generated by these proposals has been about the implications for liberty. But there is another and related dimension that should be considered, and that is the potential for the Bill to harm the economy.

Whatever form the final Investigatory Powers Act takes, some kind of spying bill will have to be enacted by the end of next year as the main existing legislation covering digital surveillance (the Data Retention and Investigatory Powers Act) expires at the end of 2016. The government’s stated intention is to have a single package of measures in place that updates that and a lot of other disparate powers and practices that have gradually emerged into the light of day over recent years, such as the activities of the security and intelligence agencies in hacking computers and smartphones, and gathering large scale ‘bulk’ information at both an individual and group level.

As the Bill itself admits, there are now so many surveillance powers in the UK that it is ‘difficult to be sure that the Bill identifies and amends every power,’ although that is the intention. But in the process the powers of the state to seize and analyse private information are being expanded, adding to what is already Europe’s most intrusive government surveillance system. There are some signs that the existence of such extensive powers – however they are actually used – may have a negative effect on investment in UK industries that rely on secure digital technologies (in other words, most of the economy).

Businesses – like individuals – do not care to have governments wielding sweeping powers over the information they hold, and in particular they do not like large numbers of government departments or (in the phrase of the draft Bill) ‘public bodies’ having access to that data, not least because every additional key holder increases the vulnerability to breaches of data security.

Unlike individuals many businesses can shift jurisdiction with ease, and these concerns are already apparent in the way that US technology companies that hold large amounts of user data are reorganizing their operations to move data banks out of the US, in response to customer fears about the intrusive powers of the US National Security Agency. Last month, for example, Microsoft announced a deal with Deutsche Telekom that will allow the US company to move much of its customer data to servers in Germany, with the intention of putting it out of the reach of US security agencies.

Other companies are likely to follow Microsoft; the US Information Technology and Innovation Foundation, an independent think-tank, recently estimated that US technology companies could lose tens of billions in sales due to customer fears over US government surveillance, adding that for international companies foreign surveillance laws are now the deciding issue when it comes to where companies store data. The Foundation points out that in addition to Microsoft, other companies including Cisco, Qualcomm, IBM and Hewlett-Packard have recently reported lost sales due to concerns about data security in the US. Companies outside the tech sector are also affected; for example, Boeing recently lost a Brazilian contract to replace fighter aircraft due to similar concerns.

In many ways the draft Investigatory Powers Bill is an attempt to address such commercial concerns, by making digital surveillance in the UK more transparent, and also by allaying fears that the UK government will attempt to control all encryption of data (although the Bill does include continued powers to force communications companies to unpick their own encryption if the government requests it). But by increasing the volume of data that official bodies can acquire, it is possible that the Bill may end up doing the opposite of what is intended.

It is no easy thing to summarise what the government proposes. The draft Bill including preface, guide and notes runs to 296 dense pages, and the supplementary materials add another 224 pages. The Bill itself is the result of recommendations from three separate reviews of the UK’s surveillance laws, and unsurprisingly the result is a draft that includes a bit of everything, from procedures for acquiring routine data sets like electoral rolls, to rules for spooks charged with breaking into the computers of individuals and organizations.

Amongst all of this detail, two things stand out as new. The first is that the legislation will for the first time explicitly legalise and regulate the capture of large scale sets of data such as communications data (records of who communicated with whom, and how, and when, although not necessarily what they said), without the need for the investigating agencies acquiring the data to know exactly who or what they are looking for in advance. These are the so-called ‘bulk powers’ (not to be confused with the proposals on ‘bulk personal datasets’ which cover unglamorous matters like digital telephone directories).

Secondly, communications companies will have to keep and potentially make available a 12-month set of the Internet connection records of any person or organisation in the UK that uses the Internet. The government has made much of the fact that Internet connection records do not constitute a full record of Internet activity, but in fact the Bill allows that security agencies can make specific requests (in addition to the general record-keeping requirement in the Bill) for data that does amount to a full record.

Both of these innovations mean that government agencies will have legal powers to hold much more private information than before. Although the Bill proposes additional limits on whether they can actually analyse this data (depending on who the data relate to, whether or not the relevant individuals are in the UK, and whether there is a clear operational purpose to the analysis), these do not much alter the inherent risk of large data sets being held by a range of public bodies.

There remains uncertainty over who in government will be able to access the data that the draft Bill covers. In certain cases there are stated limitations on the use of data by local authorities, for example, suggesting that where there is no specific limitation then local authorities and many other bodies may have access to at least some data.

The purposes of the UK’s entire digital surveillance arrangements are described as law enforcement, security and intelligence, a definition so broad that in principle data could be accessed, by almost any, UK public body. And public bodies in the UK do not have a great record of digital security. If history is any guide, the more data they hold, the more they are likely to lose, and the greater the risk of sensitive data – including commercially sensitive data – leaking into the wrong hands.

These are not idle fears. The list of UK government departments and official organisations that have suffered significant data breaches in recent years is a long one. Various NHS trusts and individual hospitals are the most frequent offenders, along with local government bodies. But there have also been data security failures at the Ministry of Justice, the Department of Work and Pensions, the Ministry of Defence, the Foreign Office, the Serious Fraud Office, and amazingly enough the Information Commissioner’s Office, the body that is supposed to oversee data protection in the UK.

These data breaches have typically involved either lost disks or memory sticks containing unencrypted data, although there have also been cases of data accidentally being distributed by email. They have not involved direct access to large-scale officially-held databases, either through online hacking or the loss of physical storage devices that happen to contain access keys to online databases, although such losses would represent the ultimate data security nightmare scenario. That such losses are possible is very clear: if teenage hackers can break into the online databases of internet service providers such as TalkTalk – companies that have a strong commercial incentive to secure their data – then it is difficult to be optimistic about the chances of sluggish official departments keeping safe the oceans of data that the draft Bill would put in their hands.

This is a concern for any business that holds data it regards as commercially sensitive – and that really means all businesses. Information companies in Europe and Asia are already using their claimed ability to avoid official US digital surveillance as marketing tool. The US is not highly trade-dependent, and perhaps it can afford to make itself unattractive to international companies. The UK does not enjoy that option. If it joins the US as the place that businesses with valuable data need to avoid, the economic consequences could be dire.

CapX:  http://bit.ly/1RkhIKG

« Malware Mixed Into A Cyber Threat Cocktail
Encrypt A Message In the Big Bang Afterglow »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Tines

Tines

The Tines security automation platform helps security teams automate manual tasks, making them more effective and efficient.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Fuel Recruitment

Fuel Recruitment

Fuel Recruitment is a specialist recruitment company for the IT, Telecoms, Engineering, Consulting and Marketing industries.

Patchstack

Patchstack

Patchstack (formerly WebARX) is a web application security platform, which allows digital agencies and developers to monitor, protect and maintain their websites.

ThreatQuotient

ThreatQuotient

ThreatQuotient delivers an open and extensible threat intelligence platform to provide defenders the context, customization and collaboration needed for increased security effectiveness.

macmon secure

macmon secure

macmon secure develops network security software, focussing on Network Access Control.

AppTec

AppTec

AppTec is a leading software vendor in the field of Unified Endpoint Management and Mobile Security.

Outsource UK

Outsource UK

Outsource UK is an independent recruitment company supplying highly-skilled technology, change and engineering talent to clients within a range of specialist sectors including Cyber Security.

Vivitec

Vivitec

Vivitec security services are tailored for your business, industry, risk, technology, and size to ensure great protection and planned response for the inevitable cyber-attacks on your business.

Concentric AI

Concentric AI

Concentric Data Risk Monitoring and Protection. Deep Learning to discover, monitor and remediate risks to sensitive data on-premises and in the cloud.

HacWare

HacWare

HacWare is a data driven cybersecurity awareness product that leverages machine learning and behavior analytics help IT professionals combat phishing.

Lavabit

Lavabit

Lavabit's Dark Internet Mail Environment is a secure, open-source, secure end-to-end communications platform for asynchronous messaging across the internet.

ANY.RUN

ANY.RUN

ANY.RUN is an interactive online malware analysis service created for dynamic as well as static research of multiple types of cyber threats.

Bleach Cyber

Bleach Cyber

Bleach Cyber helps small businesses with an affordable and user-friendly solution for managing cloud security.

Brunswick Group

Brunswick Group

Brunswick is a critical issues firm. We advise the world’s leading companies on how to navigate the critical issues they face and engage with their critical stakeholders.

Closed Door Security

Closed Door Security

Closed Door Security is the only cybersecurity team in the north of Scotland offering everything from IASME Certification to CREST-Accredited penetration testing.

FoxPointe Solutions

FoxPointe Solutions

FoxPointe Solutions is a full-service cyber risk management and compliance firm.

Skillfield

Skillfield

Skillfield is a Melbourne based Cyber Security and Data Services consultancy and professional services company.