Three months after the first Snowden story, the operational picture for the engagement work has settled into a shape that is going to last. Bradley Manning — Chelsea Manning, since the announcement on Thursday — was sentenced to thirty-five years on Wednesday. Snowden has been granted temporary asylum in Russia and is, as I write this, somewhere in Moscow rather than at Sheremetyevo airport. Lavabit is shut. The Guardian and Washington Post are continuing to publish. The engagement implications I have been adapting through June and July are now stable enough to write down in summary.

The first thing is that the data-residency question has shifted from a theoretical concern to an operational requirement. Three of the four secondment clients now have explicit projects to identify and migrate sensitive data away from US-jurisdictional cloud platforms. The destinations are, in order of preference: on-premises infrastructure (where the client has the operations capacity), UK- or European-headquartered cloud providers with explicit contractual undertakings about data handling (which is what most clients are actually choosing), or — for the smaller, less sensitive workloads — staying on the existing platforms with end-to-end encryption added at the application layer, so that the platform holds only ciphertext and the keys stay with the client. The third option is the structurally correct answer but it is not, in 2013, deployable for most categories of data because the application-layer encryption tooling for SaaS workloads is not yet mature enough.

The second thing is that the trust assumptions about commercial security vendors have tightened further. The Snowden disclosures so far have included material that suggests broader NSA work on encryption-defeat — through corporate cooperation, supply-chain compromise, and standards-body manipulation — though the deeper analysis is still working through the document set. The implication for the engagement-team material on encryption is that the question of "which encryption products can we trust" needs to be answered with reference to which ones have NSA-relationship exposure, which ones have FIPS-validation exposure (the FIPS process has historically had NSA influence), and which ones have been built and audited outside the US-influenced standards regime. The list of products in the third category is shorter than the engagement-team material would like.

The third thing is what the post-Snowden environment looks like operationally for a UK-based vCISO advising UK organisations. The honest answer is that we do not have substantially more information about UK-domestic surveillance than we had three months ago. The Tempora disclosure was UK-relevant but is about communications transit rather than about domestic-targeting; the GCHQ-internal documents that have surfaced have been fragmentary. What I have been telling clients with operational specificity is that the UK threat model from the perspective of state-actor concern has not changed in the past three months — we have always had to assume sustained intelligence-services interest in particular industries and particular organisations, and the Snowden disclosures have confirmed this rather than introducing it. What has changed is the threat model from US-state perspective for non-US data subjects, which is where the data-residency conversation matters.

The fourth thing is what this does to the SOC's detection content. I wrote in June that the post-Snowden SOC additions were limited to "anomalous patterns at the SaaS-platform integration layer" and similar SaaS-side signals; that has held. The detection content for state-level surveillance against client networks is, in 2013, still bounded by what we can credibly observe — anomalous outbound connections, certificate-chain anomalies that suggest TLS interception, unusual query patterns against client-internal infrastructure. We cannot detect carrier-level collection of the kind Tempora describes from inside a client network; we can detect the post-exploitation phase if it lands in client networks, which is the same detection content I wrote against APT1 earlier this year. The structural problem of "we cannot detect what is happening at the carrier level" is unchanged; the answer there is data-architecture (encryption-everywhere) rather than detection.
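The certificate-chain rule is the one piece of that detection content worth showing concretely, because it is also the one most often written badly. The script below is an added example and not code from the original post or from the SOC it describes. It assumes the egress collector already records, per outbound TLS connection, the server name the client asked for, the issuer's name, a truncated SHA-256 fingerprint of the leaf certificate, and the leaf's notBefore date; the baseline, trusted-issuer set and handshake records are constructed for illustration. The point it makes that the paragraph does not is that no single signal is enough: a rotated leaf on its own is routine, a changed issuer on its own can be a CA migration, but a changed issuer plus a leaf minted a day ago plus a CA the client never agreed to trust is what an interception point looks like.

```python
"""Certificate-chain anomaly checks over constructed TLS-handshake records.

Added example, not code from the original post. Assumes the SOC logs, per
outbound TLS connection: date seen, server name, issuer name, a truncated
leaf SHA-256 fingerprint and the leaf's notBefore date. Baseline and
records below are constructed for illustration.
"""
from datetime import date

# Constructed baseline from a period believed clean: per server name, the
# issuer and leaf fingerprint the client's users normally see.
BASELINE = {
    "mail.example-saas.com":  {"issuer": "Example SaaS Issuing CA", "leaf": "3f9a1c"},
    "crm.example-saas.com":   {"issuer": "Example SaaS Issuing CA", "leaf": "77b0e2"},
    "www.example-bank.co.uk": {"issuer": "Example Public CA G2",    "leaf": "c41d08"},
}

# Issuers the client has explicitly decided to trust for business traffic
# (constructed; in practice derived from the pinning decision per SaaS).
TRUSTED_ISSUERS = {"Example SaaS Issuing CA", "Example Public CA G2"}

# A replacement leaf younger than this when first seen is suspicious:
# interception proxies mint certificates on the fly.
FRESH_LEAF_DAYS = 3

# Constructed handshake records as a collector would emit them:
# (seen, server_name, issuer, leaf_fp, not_before)
OBSERVED = [
    # unchanged from baseline: nothing to say
    ("2013-08-21", "mail.example-saas.com", "Example SaaS Issuing CA", "3f9a1c", "2013-02-01"),
    # same issuer, new leaf issued months ago: routine rotation
    ("2013-08-21", "www.example-bank.co.uk", "Example Public CA G2", "9d2e55", "2013-05-14"),
    # different, untrusted issuer and a leaf minted yesterday: interception signature
    ("2013-08-21", "crm.example-saas.com", "Corporate Gateway CA", "a0a0a0", "2013-08-20"),
    # destination never in the baseline, but a trusted issuer: low-priority note
    ("2013-08-21", "files.example-share.com", "Example Public CA G2", "1e1e1e", "2013-07-30"),
]


def parse(rec):
    """Turn one collector tuple into a dict with real dates."""
    seen, name, issuer, leaf, not_before = rec
    return {
        "seen": date.fromisoformat(seen),
        "name": name,
        "issuer": issuer,
        "leaf": leaf,
        "not_before": date.fromisoformat(not_before),
    }


def check_record(r, baseline=BASELINE, trusted=TRUSTED_ISSUERS):
    """Return a list of (rule, severity) findings for one handshake record."""
    findings = []
    known = baseline.get(r["name"])
    if known is None:
        findings.append(("new_destination", "low"))
    if r["issuer"] not in trusted:
        findings.append(("untrusted_issuer", "high"))
    if known and r["issuer"] != known["issuer"]:
        findings.append(("issuer_changed", "high"))
    if known and r["leaf"] != known["leaf"]:
        age_days = (r["seen"] - r["not_before"]).days
        if age_days <= FRESH_LEAF_DAYS:
            findings.append(("fresh_replacement_leaf", "high"))
        else:
            findings.append(("leaf_rotated", "info"))
    return findings


def run(records=OBSERVED):
    """Map server name -> findings, dropping records with nothing to report."""
    out = {}
    for rec in records:
        r = parse(rec)
        findings = check_record(r)
        if findings:
            out[r["name"]] = findings
    return out


def interception_suspects(records=OBSERVED):
    """Names where at least two high-severity rules fired together; the
    combination, not any single rule, is what separates interception from
    routine certificate rotation."""
    return sorted(
        name for name, findings in run(records).items()
        if sum(1 for _, sev in findings if sev == "high") >= 2
    )


if __name__ == "__main__":
    for name, findings in run().items():
        print(name, findings)
    print("suspects:", interception_suspects())
```

Two caveats a practitioner would want. First, the baseline is the whole detection: if it was built while an interception point was already in place, the interceptor's CA is what the rules will defend. Second, an adversary presenting a leaf from a publicly trusted CA will not trip the untrusted-issuer rule at all; only the issuer-changed comparison against the pinned baseline catches that case, which is why the baseline is per server name and not merely a list of acceptable CAs. None of this sees passive collection on the carrier, for the reason given above.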

The fifth thing is the political and reputational dimension at the engagement clients. Several of the boards I have briefed have asked, in various forms, "should we be going on the record about Snowden". The answer I have been giving is "no, not unless the political question is your business". The engagement clients are mostly not technology companies and have no substantive position on the underlying questions; the obligation to brief their boards on the operational implications is real, but the obligation to take a public political position is not. Some of the technology vendors and platform companies are obviously in different positions. The political conversation that is happening at the major US cloud providers is one I have been watching from outside; my tentative read is that the providers will be substantially more transparent about FISA-court compulsion than they have been historically, but not radically so.

The wider piece I have been outlining for two months — about commercial security infrastructure and state-level surveillance infrastructure — is being finished this week. I will probably post it in mid-September. The Snowden material is the most substantial primary source any practitioner working on this question has had, and the piece will draw on it heavily.

The next post is probably the Adobe breach that has been quietly developing through August — there are persistent rumours of a major Adobe compromise and what is in the public discussion suggests it is going to be substantial — or whatever falls out of the continuing Snowden disclosures.
