Before embarking on a description and analysis of the blowback from the recent Snowden revelations relating to the NSA spying operations, one point should be underscored: economic and military cyber penetrations and threats from around the world—China, Russia, terrorist cells, and even from US allies—are still steeply rising and will continue to grow as other nations and groups struggle to catch up with the undoubted superiority and sophistication of US global cyber surveillance capabilities. As an example, the US-China Economic and Security Review Commission, in a new report, points out that earlier this year, after the security firm Mandiant identified a single PLA office building in Shanghai as the source of numerous cyberattacks, and the Defense Department for the first time publicly accused the Chinese government of cyberespionage (commercial and military), Beijing reined in the attacks temporarily—but after attempting to disguise the activity, the site has resumed attacks at an even larger level.
It is this reality that has led US intelligence to forcefully push back against many proposals to curb or more firmly regulate US cybersecurity operations. As former CIA and NSA director, Michael Hayden bluntly stated: “I ran NSA. We steal stuff. We make no apologies about it. But we steal things to keep our citizens safe.” Still, current intelligence officials have conceded that the Snowden disclosures will alter future calculations. Thus, Director of National Intelligence, James Clapper told Congress that “many things we do in intelligence, if revealed” would have the “potential for all kinds of blowback”—and the fallout from Snowden “would change the criteria, obviously.” Clapper’s concession was underlined by New York Times reporter David Sanger (and a co-author) in an article titled: “In Spy Uproar, ‘Everyone Does it’ Just Won’t Do.”
What follows are preliminary observations regarding three complicating factors as the US searches for a more viable balance between security and economic/diplomatic strategic goals: (1) the impact of cybersecurity policies on the competitiveness of US global firms; (2) the danger of a “balkanization” of the internet; and (3) challenges to US trade and diplomatic relations with key allies. This posting will deal with the first factor: impact on US telecoms firms. Subsequent posts will analyze balkanization dangers and the diplomatic fallout.
US companies at risk from the NSA revelations represent the “crown jewels” (a cliche, but an accurate one) of the US telecommunications sector—Google, Yahoo, Facebook, Microsoft, Apple, AOL, Cisco, among others. Most have a dominant or commanding share of their segment of the sprawling Internet ecosystem; and all are under challenge from foreign competitors invoking NSA intrusions and violations of consumer trust to undermine confidence in the security of their products.
US companies’ defense is complicated by both what is known about NSA’s activities and what is not known about their own relationship with the agency. Thus, Snowden’s documents show that, through cooperation, coercion or stealth, the NSA has tapped into millions of phone and online communications; forced US companies to build entry points for spyware; and, cracked encryption codes that protect global banking and consumer records, trade secrets, and medical records.
The revelations have provided large openings for competitors. For instance, Germany’s Deutsche Telecom is strongly wooing German internet users with promises to “protect” their e-mails with defenses that shun international routes—abetted recently by the German federation of journalists which has advised its members to shun Google and Yahoo. Swisscom, the public/private Swiss internet provider is following the German example and touting the “Swiss Cloud” to attract new customers away from the global—and allegedly unsecure US giants. And Beijing has used the Snowden documents as an excuse to signal (without formal declaration) that Chinese companies in the future should rely less on products from US firms like IBM and Oracle. Cisco has been particularly hard hit, with worldwide revenue dropping 8 percent last quarter, pulled down by an 18 percent drop in China (Cisco has been struggling with other internal problems but the Chinese reversal greatly added to its woes).
Though clearly a work in progress, the companies are fighting back on several fronts. First, there is a big push to close existing gaps in security—most particularly by beefing up encryption technology in supposedly protected areas on commercial transactions and internal company routes to data centers where the NSA exploited still vulnerable traffic. They are also acting on other fronts, from building their own fiber-optic lines, to more frequent changes to security keys, and in Twitter’s case encrypting private direct messages. The interplay has become a cat and mouse game with the NSA, though a New York Times report noted that many private firms still feel as if they are “playing a game of Whack-a-Mole” with the government.
Their frustration and “outrage,” in Google’s Eric Schmidt words, has also led them to uncharacteristically bold public policy stands against current NSA practices. They have backed legislation reining in the agency, including a bill to end “bulk” collection of data from millions of US citizens; but the main thrust of their effort has been to push hard for legislation mandating greater transparency in the relations between private companies and national security agencies. In his November 13 testimony, Google’s head of security and law enforcement, Richard Salgado, undoubtedly spoke for the major companies when he told a Senate privacy and technology subcommittee: “In a democratic society the government simply cannot be the sole arbiter of who gets to speak and what they may say on issues of paramount national importance. The right to speak about such weighty matters of public interest is not and should not be the exclusive province of the intelligence community […] Publishing the number demands by legal authority and the number of users or accounts impacted would go a long way to putting the relationship between US-based companies and the US government into a more accurate perspective.“
The policy outcomes are still uncertain, but the stakes are high for US competitiveness in high-tech internet sectors. The Information Technology and Innovation Foundation, a Washington think tank, has estimated that the NSA scandal may cost cloud companies with US-based servers between $21 billion and $35 billion over the next three years as customers migrate to non-US firms that are not subject to US jurisdiction. Such figures – and all other such projections – should be taken with substantial caution because of measurement difficulties and because the US technology options are in flux. Still, whatever the exact numbers, the decisions of US policymakers over the next several years will have a profound economic - as well as national security – impact.