The companies are adopting harder-to-crack code to protect their networks and data, after years of largely rebuffing calls from the White House and privacy advocates to improve security. The new measures come after documents from Snowden revealed how U.S. spy programs gain access to the companies’ customer data -- sometimes with their knowledge, sometimes without -- and that’s threatening profits at home and abroad.
“These companies actively fought against numerous mechanisms that would have mandated far more secure data,” Sascha Meinrath, director of the Open Technology Institute at the New America Foundation in Washington, said in a phone interview. “Now they are paying the literal price.”
While Google (GOOG), Yahoo, Microsoft and Facebook Inc. (FB) provide data to the government under court orders, they are trying to prevent the NSA from gaining unauthorized access to information flowing between computer servers by using encryption. That scrambles data using a mathematical formula that can be decoded only with a special digital key.
The NSA has tapped fiber-optic cables abroad to siphon data from Google and Yahoo, circumvented or cracked encryption, and covertly introduced weaknesses and back doors into coding, according to reports in the Washington Post, the New York Times and the U.K.’s Guardian newspaper based on Snowden documents. He is now in Russia under temporary asylum.
Microsoft is the latest company considering measures to ensure the protection of customer data and strengthen security “against snooping by governments,” according to Brad Smith, general counsel for the Redmond, Washington-based company.
Microsoft’s networks and services were allegedly hacked by the NSA, the Washington Post reported Nov. 26. Documents disclosed by Snowden suggest, without proving, that the NSA targeted Microsoft’s Hotmail and Windows Live Messenger services under a program called MUSCULAR, the newspaper said.
“These allegations are very disturbing,” Smith said in an e-mailed statement. “If they are true these actions amount to hacking and seizure of private data and in our view are a breach of the protection guaranteed by the Fourth Amendment to the Constitution.”
Smith didn’t provide details about what the company is considering doing.
Microsoft lags behind other major companies when it comes to protecting “users against extralegal attacks on its networks to obtain user data without a warrant,” said Kurt Opsahl, senior staff attorney for the digital-rights group Electronic Frontier Foundation, based in San Francisco.
The nonprofit has compiled a report providing a side-by-side comparison of the encryption measures companies have adopted.
“We have asked companies to implement encryption on every step of the way for a communication on its way to, or within, a service provider’s systems,” Opsahl said in an e-mail. “The news about the NSA’s MUSCULAR program served as a wakeup call, and it’s encouraging to see so many companies working to ensure that user data is not stolen out the backdoor.”
Internet companies resisted efforts to be included under an executive order Obama issued in February to better secure vital U.S. computer networks.
The Feb. 12 order said the government can’t designate “commercial information technology products or consumer information technology services” as critical U.S. infrastructure. That exempted services like Mountain View, California-based Google’s Gmail, Microsoft’s Windows and Cupertino, California-based Apple Inc. (AAPL)’s iPhone software.
The difference now is the companies are responding to market pressure, said James Lewis, director of the technology and public policy program at the Center for Strategic and International Studies, a Washington nonprofit.
“They’ve got to do something to show the foreign customers they’re protecting them from surveillance,” Lewis said in a phone interview. “The administration was looking for incentives and it appears they found one.”
The Obama administration and members of Congress say cybersecurity legislation is still needed to secure the networks of power grids, banks and pipelines, which haven’t been affected by the Snowden disclosures. Legislation has been proposed in the Senate to establish voluntary cybersecurity standards for companies, while the House passed a bill that would give companies legal protections for sharing hacking threat data with each other and the government.
News about the spy programs has “great potential for doing serious damage to the competitiveness” of U.S. companies, Richard Salgado, Google’s director for law enforcement and information security, told a U.S. Senate panel Nov. 13.
Revelations of NSA spying may cost the U.S. cloud industry as much as $35 billion by 2016, according to the Information Technology Industry Council and the Software Information Industry Association, two Washington trade associations.
Even after the NSA revelations to date, it isn’t clear whether the agency bypassed or received cooperation from companies that provide the fiber-optic cables and other equipment that make up the Internet’s backbone, such as Broomfield, Colorado-based Level 3 Communications Inc. (LVLT) and Sunnyvale, California-based Juniper Networks Inc. (JNPR).
The NSA collects “the communications of targets of foreign intelligence value, irrespective of the provider that carries them,” agency spokeswoman Vanee Vines said in an e-mail.
Level 3 is constantly “monitoring, testing, adapting and improving our security measures to protect against the ever-evolving threat landscape,” Dale Drew, the company’s chief security officer, said in an e-mailed statement.
“Our top priority remains to protect our customers and our network infrastructure -- the source of an attack is immaterial,” he said.
Juniper products are “designed to meet the high security and privacy standards that users require” and the company has “multiple layers of security, including the right policies, protocols and technologies to counter a variety of security risks and vulnerabilities,” spokeswoman Cindy Ta said in an e-mailed statement.
Meinrath, with the Open Technology Institute, said companies that claim to secure data while allowing it to be intercepted due to lax security should face legal liabilities.
“The smartest minds in these companies completely fell down on the job in terms of identifying risks to these business models,” Meinrath said. “The fact that the Snowden revelations can act as a catalyst to implement best practices for secure communications and data integrity is a great outcome.”