NSA's Actions Threaten U.S. Economy and Internet Security, New Report Suggests
The U.S. National Security Agency�s (NSA) actions have and will continue to cause �significant damage� to U.S. interests and the global Internet community, the New America Foundation suggests in a new report released Tuesday morning.
Written by New America�s Open Technology Institute,� Surveillance Costs: The�NSA's Impact on the Economy, Internet Freedom, and�Cybersecurity�details how the NSA has been using a variety of programs and methods to collect metadata on Internet users and engage in a massive surveillance effort that impacts the global Internet community. In�the report,�the authors move past the debate over tradeoffs between national security and individual privacy to focus on the overall costs and benefits of the NSA�s programs on the U.S. economy, American foreign policy, and the security of the Internet as a whole.
Direct Economic Costs to American Companies
Since leaks by former NSA contractor Edward Snowden were published about the NSA�s activities, trust in American businesses has decreased. Those facing the �most acute economic fallout� are cloud computing and webhosting services as �nearly 50 percent of the worldwide cloud computing revenue comes from the United States,� the report said. Just weeks after Snowden�s leaks were reported, cloud computing companies�like Dropbox and Amazon�announced they were losing business to foreign competitors.
Additional calculations predict that the cloud computing industry will suffer anywhere from a $22 to $180 billion loss over the next three years because of the NSA�s PRISM program. These losses may already be playing out as a survey of 1,000 global information and communications technology (ICT) decision-makers found that the NSA disclosures �have had a direct impact on how companies around the world think about ICT and cloud computing in particular.�
However, cloud computing isn�t the only market at risk as over the past year numerous American companies �have reported declining sales in overseas markets, loss of customers, and increased competition from non-U.S. services marking themselves as secure alternatives� to U.S. products. Cisco, Qualcomm, IBM, Microsoft, and Hewlett-Packard have all reported decreased sales in China due to the NSA revelations.
Also, U.S. companies are sometimes being left out of business deals because of the NSA disclosures, especially in Germany. Following accusations of spying on Chancellor Angela Merkel, the country said that it would not renew its contract with Verizon because of the NSA spying allegations. Verizon had previously supplied the several German government departments with Internet service.
Economic and Technological Costs
Since the creation of the Internet, countries and activists have expressed concerns with Internet jurisdiction. After the Snowden leaks, more than a dozen countries have introduced or are contemplating data localization laws, �which would prevent or limit information flows,� the report said.
Germany is one of the countries considering such legislation and Merkel has supported the concept to protect against NSA efforts to intercept information. Brazil has proposed similar measures, asking Internet companies to establish local data centers to force them to comply with Brazilian laws, and Greece, Brunei, and Vietnam have also introduced similar proposals.
Additionally, India has�considered a policy that would �force companies to maintain part of their IT infrastructure in-country, give local authorities access to the encrypted data on their servers for criminal investigations, and prevent local data from being moved out of the country,� according to the report.
�Until now, most foreign countries accepted America�s comparative advantage in the technology industry, but the threat of NSA surveillance may be the catalyst that pushes countries to invest heavily in technology sectors that they would otherwise have left to the United States, including cloud computing and data storage,� the report suggested.
Political Costs to U.S. Foreign Policy
One of the most apparent effects of the NSA disclosures are the strained relations the United States is now working to ease with its allies, particularly Germany and Brazil.
After the Snowden leaks were published and it became public knowledge that her own cellphone was targeted in a spying effort, Merkel refused to visit the United States for months until finally agreeing to a visit that was �tense and awkward,� the report said. Brazilian President Dilma Rousseff went one step further than Merkel and decided not to attend a meeting with U.S. President Barack Obama at the White House, becoming the first world leader to turn down a state dinner with an American president.
The report�s authors also suggested that the NSA disclosures have �undermined American credibility� when it comes to the Internet Freedom Agenda. In 2010, the United States began promoting a policy of an open and free Internet, but the recent disclosures about the NSA have �led many to question the legitimacy of these efforts in the past year.�
�Concrete evidence of U.S. surveillance hardened the positions of authoritarian governments pushing for greater national control over the Internet and revived proposals from both Russia and Brazil for multilateral management of technical standards and domain names, whether through the International Telecommunications Union (ITU) or other avenues,� according to the report. Many developing nations are now declining to work with the United States and are instead embracing assistance from Russia, China, and the ITU when it comes to Internet availability and control for their citizens.
Costs to Cybersecurity
Along with collecting phone records and monitoring Internet communications, the NSA has also been actively participating in conduct that �fundamentally threatens the basic security of the Internet,� the report said. Such activities include working to weaken security standards issued by the National Institute of Standards and Technology (NIST) in 2006 and developing relationships with companies to weaken their standards and build backdoors into products, sometimes without the company�s knowledge.
The NSA has also been accused of stockpiling information about security holes to later exploit them instead of alerting companies about the vulnerability so it can be patched. �This leaves companies and ordinary users open to attack not only from the NSA, but also from anyone who discovers the weaknesses,� according to the report, which cited the Heartbleed bug as one of the many vulnerabilities the NSA was aware of.
When the NSA can�t gain access through a vulnerability, it has been known to use its Tailored Access Operations unit to hack in. These employees specialize in computer network exploitation and target endpoint devices, like computers, routers, phones, and servers.
�One tactic for scooping up vast amounts of data is to target networks and network providers, including the undersea fiber optic cables that carry global Internet traffic from one continent to another,� the report said. The NSA has used this method to target the cable system that connects Europe to the Middle East and North Africa, along with links that connect Google and Facebook data centers outside the United States.
The NSA has also used its QUANTUMTHEORY toolbox to insert malware on target computers. One tactic includes pretending to be a major company, such as Facebook, and redirecting traffic to the �NSA�s own servers to obtain access to sensitive information or insert malware.�
The U.S. government has taken some steps to reduce the damage of the NSA allegations, but New America said more can be done to mitigate the damage and rebuild trust. It offered eight recommendations for the government, including strengthening privacy protections, increasing transparency around surveillance, and recommitting to the Internet Freedom agenda.
New America also suggested that the United States begin to restore trust in cryptography standards through the NIST, discontinue inserting backdoors in hardware and software products, eliminate security vulnerabilities instead of stockpiling them, develop clear policies about secretly installing malware, and separate the offensive and defensive functions of the NSA to minimize conflicts of interest.
For more information, visit theNew America page on the report.