The indiscriminate surveillance programs revealed by Edward Snowden required the cooperation of thousands of people. Large numbers of them will have been security professionals who were members of industry associations such as (ISC)², ISSA and SANS. The idea that information security professionals helped weaken security mechanisms and then lie about it to customers makes the profession look dirtier than a gossip magazine in a hospital waiting room.
How did we get to this point, with so many surveillance programs embroiled in accusations of law-breaking, lying to customers, and a loss of public trust for the companies and agencies involved? What happened to our values of acting according to the “highest ethical principles”, “reporting illegal activity” and “maintaining public trust”?
Whereas targeted surveillance based on just cause remains necessary and has a clear basis in law, support for indiscriminate surveillance is difficult to reconcile with the industry’s notions of professional ethics. In some ways, how we reached this point is logical. As Snowden pointed out, the Western security agencies involved are trying to protect people from danger. The problem is that the national security mindset seems to be that surveillance is justified if it produces anything of value. However, there are a number of reasons why security professionals should not be supporting this mindset.
Dubious Legal Standing
First, the legality of many of the indiscriminate surveillance programs we’ve learned about is unclear. In commercial practice, it’s common to insist that all activities are carried out with clear and unambiguous legal authority. In contrast, many of the indiscriminate surveillance programs were obviously conducted on shaky legal ground.
For those that consider the debate about legality to be a grey area subject to differing interpretations, consider how the arguments for legality unraveled when subjected to scrutiny. In the US it emerged that the government’s legal authority for indiscriminate surveillance was the tenuous application of case law from 1976. The Foreign Intelligence Surveillance (FISA) court, which was responsible for providing judicial oversight, complained that its rulings were being widely disregarded. In the UK it emerged that the legislation designed to regulate the security services was being bypassed. What was described in the UK as “one of the strongest systems of checks and balances and democratic accountability for secret intelligence anywhere in the world" turned out to be just a chat.
When considering the ethical considerations of cooperating with indiscriminate surveillance programs, security professionals would be wise to ask ‘How is this legal?’ Professionals shouldn’t stop asking that question just because their client is a government agency. There are three ways we can understand why security professionals decided to cooperate in the absence of unambiguous legal authority. Either they didn’t care if the activity was legal or not, they didn’t know the activity was illegal or they were happy just to accept instructions from positions of authority. None of these options reflect well on the security profession.
In a profession that was supposed to be expert at asking tough questions, some practitioners appear to have been complacent in accepting assurances of dubious standing. Although there is an argument that people were just doing their jobs, at various points in history the notion of ‘just following orders’ has been challenged and found wanting. ‘Only following purchase orders’ as a variant on the Nuremberg defense hardly constitutes an ethical high-tide mark for the security profession.
Disproportionate Harm
Second, security professionals are supposed to avoid harming the public. In addition to making the internet less secure by building back doors into systems, indiscriminate surveillance has exposed the public to future harm that will occur when bulk surveillance information eventually leaks. The last two big leaks have been of government data in the form of diplomatic cables and of the surveillance programs themselves. Sooner or later the next big breach will be of public data, such as the browsing history of an entire country. When that happens there will be consequences. There will be suicides, families will break up and real harm will occur.
We’re assured that surveillance information is held securely, but as the NSA has publicly demonstrated, no organization can guarantee the security of the content it stores. Consider for a moment that there are over a million Americans with top secret security clearance; nearly half are contractors. Those numbers are huge even before information is then shared throughout the global ‘Five Eyes’ intelligence club. Make no doubt, the spectacular volumes of data being stockpiled in specially built data centers will one day cause a spectacular fallout.
It would be a fair point to argue that supporting indiscriminate surveillance was ethical if the benefits to society convincingly outweighed the harm. However, the benefits have been disappointing despite the vast sums of money spent. In June 2013, it was claimed that these programs prevented more than 50 terrorist plots. In October that figure was revised down to 13. Then it emerged that there was actually only one case that would not have been detected without indiscriminate surveillance – a San Diego man who sent money to an African militant group.
To date, the US government has not made a case for a single terrorist attack that would have succeeded but for indiscriminate surveillance. The problem is the math. Finding rare events in large populations produces astronomical numbers of false positives. Because terrorists are relatively rare and the population of the world is so large, even a method that allowed a detection confidence of 99% would throw up hundreds of thousands of false positives in a population the size of the US or the UK. The math gets even worse if you take into account that detection rates are unlikely to be anywhere near 99%. Computers struggle just to recognize a cat, let alone someone’s political intent or state of mind.
What Next for the Profession?
The security profession has sleepwalked into supporting indiscriminate surveillance systems that are legally dubious and have the potential for disproportionate harm. Even if some in the profession are comfortable doing whatever is asked of them by a Western intelligence agency, where should a line be drawn? What happens if North Korea was hiring? For some security professionals these are real questions that they’ve already had to face.
As a profession, we need to be much more discerning before accepting jobs where the objective is the indiscriminate compromising of privacy or breaking the laws of other nations. The medical profession is starting to confront how its members were co-opted to cause harm in the War on Terror, and it’s time that information security profession did the same. Otherwise, the profession’s support for the NSA and its international affiliates risks the perception that the only thing the security profession stands for is the US national anthem. If compliance with all applicable laws and the highest moral principles isn’t actually what the security profession is about, then perhaps we ought to update our stationery.
Geordie Stewart, MSc, CISSP, is a principle consultant with Risk Intelligence and is a member of (ISC)2 and the ISSA. He is a frequent speaker and author on the topics of security awareness and ethics. Stewart’s award-winning master’s thesis for the Royal Holloway Information Security Group examined information security awareness from a fresh perspective as a marketing and communications challenge. In his regular speaking appearances at international information security conferences such as RSA, ISACA and ISSA, he challenges conventional thinking on risk culture and communication.