Cyber after Snowden

Since Edward Snowden leaked classified information from the National Security Agency (NSA) in 2013, the FBI and Apple had a public battle around privacy, Shadow Brokers leaked some of the NSA's hacking tools, and Hal Martin, an ex-NSA contractor was arrested for stealing classified information.

To ask what has been the impact on the cybersecurity industry at large in the aftermath of the Snowden leaks, feels almost ironic given that these aftershocks continue.

The NSA leaks shook the public trust and called policies and procedures into question. Ongoing conversations around government surveillance, privacy, and security resulted in President Obama issuing a directive mandating that the Office of the Director of National Intelligence release an annual report on the changes that the intelligence community will continue to implement to signal intelligence (SIGINT) activities.

Three years after the Snowden leaks, one thing is for certain: The greatest impact of Snowden is "Snowden". A name unfamiliar to most prior to 2013, Edward Snowden is now globally synonymous with so many aspects of cybersecurity from espionage to privacy.

He's the poster child for insider threats. What security practitioners struggle with when trying to defend against insider threats, "Is finding the balance between providing users what they need to significantly increase competence while at the same time ensuring that they do no harm," said Chris Inglis, former deputy director at the NSA during the Snowden revelations and chairman of the Securonix strategic advisory board.

Without monitoring every key stroke, which would indeed compromise morale and productivity, "They are increasingly doing more to understand what people are doing in real time with privileges," said Inglis.

Because they can't just check at the exit points, said Inglis, there needs to be more tracking and more analysis in real time. "There were 260 million attacks on the DOD last year. Most of those were DDoS from outsiders, which is not unusual, but there is disproportionate leverage given to insiders," Inglis said.

Many government agencies and enterprise alike have implemented policy changes that allow them to establish a solid foundation of trust for their employees and contractors.

"You determine through extensive background checks that they are trustworthy, but then you verify that they made good use of that trust. Look at their transactions in real time," said Inglis.

Jim Christy vice president investigations and digital forensics at Cymmetria, said that the scar tissue that remains in the aftermath of Snowden is not technical but personal. "Everybody is probably scurrying around trying to beef up their technical security, but they need to focus on people."

Polygraphs, Christy said, work as deterrents and should be a part of any background check. "Decades ago, all of the bad actors were motivated by greed and money. Now, people are motivated more by social issues than by financial issues. That is a huge ship the government is trying to turn."

Change is a slow process, though, and while cyber plays a role in protecting data, the weak link is people. "If you look at the last two spies--the big ones--both had clearances, both were insiders, both did it for social not financial motivations. The generations have changed. Communications have changed," said Christy.

The reality is that in today's digital world, a cybercriminal has a great advantage. Instead of releasing 200 documents on a microdot, they can release hundreds of thousands to the entire world.

Michael Borohovski, co-founder of Tinfoil Security

Christy said, "Known associates today are people you have never met because it's easy to be anonymous and spoof or catfish using social media. Only this year has the government included social media in background checks."

Michael Borohovski, co-founder of Tinfoil Security, said, "These leaks emboldened other actors, whether insiders or hackers. The line of what is acceptable to leak is currently up to the attackers."

As a result, the mindset of security practitioners has also had to change. "People are starting to focus on encrypting all data, especially customer data. They are focusing on the insider, using more training and additional safeguards," said Borohovski.

Encryption is one of those safeguards that will continue to be a part of the ongoing clean up in a cyber after Snowden world. "End to end encrypted messaging. Encrypting information that passes through their servers to ensure that a government can’t intercept the information," said Borohovski.

Joseph Carson, head of global strategic alliances at Thycotic, agreed that many enterprises have had to evaluate and modify their data collection and privacy policies. "We have seen continuous legal situations with Microsoft, Apple and Facebook when they have been subpoenaed for data about their users and have appealed those on several occasions," Carson said.

Trust is the pain point

Trust seems to be the pain point that reverberates the loudest as the world continues to grapple with privacy regulations and the digital exchange of information. Carson said that the revelations that EU privacy laws weren't being met under NSA surveillance practices has impacted international relations as well.

"Snowden’s actions have had huge extensive damage across the globe, it even continues to strain the relationship with Russia as they have given Snowden asylum and many are concerned about what Snowden has shared," Carson said.

One effort toward rebuilding that trust is the EU-US Privacy Shield, which has been temporarily implemented. "It will determine whether or not US companies can continue to provide services to European citizens from the US," said Carson.

Still, simmering beneath the surface is the pertinent question of whether secrets can stay secret any more. Certainly this year's Presidential election has shown the world how vulnerable anyone is to cyber attacks. Moreover, Christy's assertion that known actors are not always financially motivated also rings true.

Jason Matlof, executive vice president at LightCyber said, "A post-Snowden world suggests that secrets cannot remain secrets anymore. Such a conclusion is based largely on security models that are 20 years old."

In order for information to ever be kept secret, the cyber after Snowden clean up campaign has to be more proactive. "Security has largely been reactive, based on encountering a threat and then developing ways to identify and block it. Today’s challenges demand adding a new approach, one that is based on real behavior as manifested on the network," Matlof said.

Enterprises need to evolve in a way that allows them to detect the low and slow adversary before damage is done.

"Today very few organizations have the ability to find an active attacker, whether it originates internally or externally. Dwell times still average about five months, giving attackers plenty of time to accomplish their goals without being caught," Maltof said.

Expect the unexpected should become the mantra of security practitioners. "While nightmare scenarios are becoming realities, the old guard of security is still clinging to the hope that somehow protection and preventative measures will keep them safe from disaster," said Maltof.

In the post-Snowden world, hope is not a strategy. "The Yahoo! breach and even the theft of hacking tools and information from the NSA make it clear that companies are still generally blind to attacker activities," Maltof said.