Five overlooked costs of the NSA surveillance flap
Potential fallout from revelations about the NSA's aggressive surveillance activities could be far-reaching, including billions in lost business for American tech giants. What other less-obvious consequences for the cyber realm?
Global awareness of the pervasive reach of National Security Agency surveillance programs, leaked by former NSA contractor Edward Snowden, risks inflicting deep costs on American businesses and has torpedoed several cyber policy initiatives vital to America's physical and economic security, cyber-intelligence experts say.
This fallout stands apart from whatever NSA counterterrorism or other espionage operations the leaks may have undermined. This damage is difficult to gauge because it is by nature secret, but few experts doubt that the leaks have set this work back.
"It would not surprise me if there was some damage to collection," says James Lewis, a fellow at the Center for Strategic and International Studies (CSIS) in Washington. "They'll have to rebuild collection activity. That will be difficult, but not impossible."
But another set of costs is more far-reaching. Costs to the credibility of American businesses and political efforts abroad are not about the tipping off of NSA targets but rather about public backlash over the NSA actions themselves.
"While I'm sympathetic to opening things up so the public has a better idea of what is going on, it's also clear that Snowden has done a lot of harm," says Scott Borg, director of the US Cyber Consequences Unit, a cybersecurity think tank. "We've seen several important US cyber initiatives severely damaged."
Here are five areas that cyber experts often cite as overlooked but important consequences of NSA surveillance activities and the news leaks about them – ranging from US companies' potential loss of billions in business abroad to the emasculation of US efforts to persuade China to stop cybertheft of American corporations' intellectual property.
US technology giants whose data have been snapped up by the NSA, according to the leaked documents, are getting pushback from their customers and seeing damage to their brands – especially overseas, several experts say.
This is especially true in Europe, where American technology-services companies, which dominate the cloud-computing industry, are struggling to regain credibility and trust now that it's known that the NSA snared their data. Yahoo, Facebook, Google, Microsoft, and Twitter are among the social media firms to call for reform of US surveillance policies.
Since those policies became public as a result of the Snowden affair, the companies' expertise in cloud computing – once their competitive edge – has become a liability in two ways, these experts say. First, Europe-based competitors are touting their own systems as more secure and as safe from US law enforcement subpoenas to turn over data.
Second, the European Union is moving to enact privacy measures that would undercut the US firms' competitiveness. Such EU laws would force the likes of Facebook, Yahoo, and Google to get approval from European officials before handing over to US agencies data derived from European residents – or face huge fines.
"American companies have suffered a reputational blow from this," says Dr. Lewis at CSIS. "There's a lot of doubt now [among European firms] about moving toward cloud computing and big data, because that's what the NSA was doing. So we may have derailed one path toward economic growth. American companies will be hurt if we don't help them rebuild trust."
In a recent example, the United Arab Emirates may cancel its $926 million purchase of two spy satellites from France unless two US-made components are removed from the product, Defense News reported Jan. 5. Those components allegedly contain digital "backdoors" that could allow unauthorized access to data sent to the UAE's ground station, according to the report.
The cloud-computing industry worldwide is expected to see double-digit growth rates during the next three years, with revenues reaching $148 billion in 2014 and $207 billion by 2016, the Information Technology and Innovation Foundation (ITIF) reported in August. US companies currently dominate the industry, with an 85 percent market share.
The NSA spying means that the US share of cloud revenues is likely to fall, starting this year, the ITIF predicts. Under its most optimistic scenario, US companies' market share would drop to 65 percent by 2016, with lost revenues totaling $21.5 billion over three years. Under a less sanguine view, the tech companies' market share plunges to 55 percent by 2016. The cost over three years: $35 billion.
American companies that sell cybersecurity systems abroad may also see sales slide. Suspicions are that the NSA has created cyber-backdoors to the wares of US firms, and prospective clients are wary of new interfaces that link their own networks with those of Americans.
"There's been a very real and growing concern in Silicon Valley that they are losing competitive advantage to European companies that simply tell customers that their systems are not subject to the same spying US companies are," Chris Finan, a Truman National Security Project fellow and former Obama administration official, says in a phone interview. "It's a serious problem that if not dealt with could do long-term damage to a key US industry."
Less pressure on China
White House momentum to finally begin dealing with Chinese cyber-espionage aimed at US corporations has largely dissipated since the document leaks, analysts say.
One key casualty: less enthusiasm among US allies to cooperate with America, especially now that it's known that the NSA monitored the phone communications of top political leaders in Germany, France, Spain, and Brazil.
"I don't really think we're going to make a lot of progress for a while," James Mulvenon, vice president of Defense Group Inc.'s intelligence division, said at a government roundtable in July on US-China cybersecurity issues. "I would say it [the flap over NSA activity] is probably going to delay progress six to 12 months."
The US and China are still holding bilateral talks about corporate cyber-espionage, but there is little progress to report.
"Our goal was to convince the Chinese that, hey, in cyberspace it's not appropriate for a nation-state to use its technical capabilities to rip off intellectual property and use it to benefit its national companies," Mr. Finan says. "That's a relatively nuanced argument that I am sure is still being made in bilateral discussions. But in order for those to take root and gain ground, they have to have public pressure, including support from US allies. Unfortunately, that level of nuance has been lost in the noise around Snowden."
The timing of the revelations was most unfortunate for the US. The Obama administration had been poised to intensify efforts to crack down on Chinese cyberspying, after security firm Mandiant revealed in February 2013 that a group tied to China's military, dubbed APT1, had infiltrated corporate computer networks and stolen data from at least 141 companies spanning 20 industries since 2006. Of the targeted companies, 115 are in the US.
Such theft is not peanuts. It amounts to about $300 billion a year, according to the Commission on the Theft of American Intellectual Property. That organization is spearheaded by Dennis Blair, a former director of national intelligence, and Jon Huntsman Jr., a former US ambassador to China. China is responsible for at least half of the data theft, the group reports.
By March, the Obama administration had confronted China about cyberstealing, and in early June President Obama reportedly reiterated US concerns to Chinese President Xi Jinping during a "working visit."
But the White House needs Congress to put a spur to the Chinese to encourage cooperation, and legislation to do that has been shoved down the agenda while lawmakers focus instead on whether and how to rein in the NSA. One Senate bill, for instance, would have created a "watch list" of countries engaged in cyberspying – and allowed the president to block imports of classes of goods if the foreign companies providing those goods have benefited from stolen US technology or proprietary information.
"There was talk [in Congress] about putting visa restrictions on individual hackers or even financial sanctions" on offending nations, says Adam Segal, a senior fellow at the Council on Foreign Relations (CFR), in a phone interview. "That's all lost steam as everyone struggles to deal with the Snowden revelations."
Distraction amid US cyber-insecurity
Bills in Congress to safeguard from cyberattack America's critical infrastructure – telecommunications networks, the electricity grid, natural-gas pipelines, financial systems, and so forth – were never zipping along. Now, with lawmakers' attention riveted on the NSA, they are immobilized, security analysts say.
A sticking point: corporate wariness. Most such bills promote "information sharing" between companies that run essential networks and the federal government, and the firms are now disinclined to share any data with the government. They see media reports documenting the NSA's secret hacking into tech companies' systems, for instance, and say, "no thank you."
Under the proposed information-sharing regimen, the NSA would share with, say, an electric utility the "threat signatures" – or digital fingerprints – affiliated with malicious software that could damage the utility's network and, thus, its ability to function properly within the power grid. Access to those signatures would enable the utility to better scan its networks for threats. It, in turn, would share with the NSA information about the threats detected. But such a system is built on trust – and that is now in short supply in corporate offices.
"Information sharing has been severely damaged because the companies are ticked off, feeling they've been used," says Dr. Segal of the CFR. "Congress, too, is more suspicious now and trying to roll back NSA authority.... So it's hard to see any sort of two-way, real-time information sharing happening right now."
Death knell for military cyberdefense plan
Imagine a "star wars"-type defense shield for cyberspace – one that could identify an incoming attack and intercept it before it lays waste to a subway system, shuts down the West Coast power grid, or confounds the banking network. The NSA did imagine it, and its director, Gen. Keith Alexander (also chief of the Pentagon's Cyber Command), was arguing in favor of building just such a defense system, The New York Times reported in August.
The plan reportedly called for the NSA to sift through massive streams of data entering the US through fiber-optic lines for malicious software. As it turned out, the technology needed for that hunt is not much different from what the NSA already uses in its mass cybersurveillance programs, as revealed in the formerly top-secret documents.
The appetite in Congress is slim to none for expanding the NSA's authority to collect and analyze broad streams of data, experts say. Thus, the cyberdefense shield – a technologically unworkable enterprise in the eyes of some experts and a flawed concept in the eyes of others – now has no chance of moving ahead.
"The NSA's role on domestic cybersecurity is definitely on hold," says Lewis. "People in Congress don't want to take the political risk of unleashing a wave of objections over giving the NSA access to more data."
Loss of US moral suasion
The NSA-Snowden episode has undermined US arguments on the international stage in favor of wide access to information via the Internet and against censorship and government surveillance of citizens, experts in the US say.
Though the Internet operates largely in accordance with those American principles, other nations – such as China, Russia, and some Arab states – advocate greater government control over the flow of information on the World Wide Web and access to it.
"To many other countries, cybersecurity is all about governments protecting themselves from what people might be saying about them," says Mr. Borg of the US Cyber Consequences Unit. "Many want to clamp down on Internet freedoms. Doing so means wresting control of it from Americans and organizations set up by America. Snowden's revelations have given them a lot of ammunition to do that."
Broad repudiation of the US position could result in an Internet that is less open than it is today, and more geared toward surveillance.
"There's been this pressure for a long time," Segal says. The US has "argued the current system works and beyond expectations – and not to mess it up. But those arguments aren't going to be very powerful any longer."