Why I'm Not (very) Worried about PRISM

The NSA is tapping into our digital lives, monitoring voice calls, emails, social media, and who-knows-what-else. It’s for national security, say those on the side of the NSA; it has stopped terrorist plots already and will stop more. It’s a heinous breach of privacy, say those on the opposing team; it is nothing less than a blatant intrusion of our personal lives, a digital version of breaking and entering and rifling through our closets, looking for skeletons.

I say, “meh.”

The reason isn’t that my closet lacks skeletons, or that I’m blinded by absolute patriotism and faith in the morality of my government. It’s because I understand, and try to live by, one of the best pieces of advice I’ve ever received on the topic of privacy: “assume that everything you do and say is being watched and heard, always.” It’s a fundamental principle of cyber security and Internet privacy, but it is advice that was given to me in grade school by my first-grade teacher, after I had said something mean about a fellow student that was overheard. Then, I’d hurt someone’s feelings unintentionally. Now, the consequences of leaving a trail could be more severe. Then, there was no such thing as the Internet, or social media. Now, it’s almost impossible to avoid leaving an indelible digital trail of everything that you do and say.

The benefit of following this advice is that it fosters safe(r) digital behavior. If you have a secret, don’t email, text, tweet or even talk about it unless you are confident that you can’t be overheard. Is that document confidential? Then use TrueCrypt or something similar and jiggle your mouse like mad before emailing it to your colleague, or even your most trusted friend (random mouse movements are used to create entropic crypto seeds).

This advice also breeds a cautious paranoia, and that’s why I’m not shocked or outraged by the recent leaks of government spying. I’ve always assumed that the government was spying. The hackers certainly have been — they’ve been trying to steal my credit cards, passwords, and other details of my digital life for decades now. If I absolutely don’t want something to be stolen, I simply shouldn’t enter it into the digital landscape. Period.

We still buy things online with credit cards, and we still connect our bank accounts directly to various third-party agencies to automatically pay bills and direct deposit our paychecks. We do it because we’re relatively confident that we’ll be okay, and if a breach does occur, the breached institution will most likely help to solve the problem.

The irony is that for most of us this is a risk/reward decision in which convenience almost always wins, but for the bad guys it’s a decision that will most likely be made in favor of privacy. So the lesson is being learned, just not by the right team. The average citizen will continue to show their cards at the poker table and then complain about cheating, while the bad guys will smile with an ace up their sleeve.

Eric D. Knapp (@ericdknapp) is a recognized expert in industrial control systems cyber security, and continues to drive the adoption of new security technology in order to promote safer and more reliable automation infrastructures. Eric is currently the Director of Cyber Security Solutions and Technology for Honeywell, and is the Chief Technical Advisor, North America for the Industrial Cybersecurity Center. He is also the author of “Industrial Network Security: Securing Critical Infrastructure Networks for Smart Grid, SCADA and Other Industrial Control Systems.” His new book, “Applied Cyber Security for Smart Grids” was co-authored with Raj Samani, McAfee CTO EMEA. The opinions expressed here represent Eric's own and are not those of his employer.