Earlier this month a story went round that GCHQ (responsible for Britain’s SIGINT activities) wants to monitor Britain’s most vital private networks for unusual network traffic. Prime Minister David Cameron invited a number of large companies to Downing Street to discuss these plans. A somewhat disturbing thought at first: wiretapping with permission? And what about the permission of the owners of the data passing through, since this initiative would also involve companies that carry third-party data?
But a more recent event may tip the scale. Three days ago, the executive chairman of RSA published an open letter warning customers about a successful hack (APT) which targeted RSA’s flagship SecurID product. SecurID is one of the most widely used products for strong, token-based authentication.
At first, this open letter looks like responsible disclosure. But with statements like “..we are confident that the information extracted does not enable a successful direct attack..” you can see the wording has been chosen carefully. There is very little detail about the true consequences for the integrity of SecurID and customers’ installations, which of course leads to speculation. Although third parties do their best at assessing the risk, RSA has released further advice directly to customers only. From what has leaked, this advice mostly states the obvious.
So where does this leave us? Should vital organisations allow governments to actively monitor their communications? And if these organisations don’t agree, whose interests prevail? Can we expect organisations to protect our interests themselves, given the recent news about RSA? Food for thought on a Sunday morning.