
Security Think Tank: Prism – Sitting duck or elaborate honeypot?

Robert Newby

As I write, a handful of slides have been published, appearing to detail websites that are being monitored by the US National Security Agency (NSA), including Google, Facebook, Yahoo, Hotmail, Apple and Skype.

What appears to be an acronym – Prism – appears throughout, along with the official seals and protective markings to suggest it is a bona fide US government presentation.

And so rumours abound about Prism. 

What has been reported, in the Guardian and the Washington Post, is that Edward Snowden, a former CIA technician for the National Security Agency (NSA), leaked information about Prism “because the public needed to decide whether it was right or wrong”.

The slides mention a cost of $20m per year to run Prism. 

This is small in terms of government projects. It does not represent complete monitoring of all the data found on the sites mentioned in the slides. 

By my (very crude) calculations it could cover around 5% of the data created in any year, maximum, on all of these sites – that is without having to apply any secure processes or monitoring to the system itself, which a government system would typically require.

Snowden is reported in the Guardian to have said "I do not want to live in a world where everything I do and say is recorded." 

It seems unlikely, though, that this has happened, if the figures he leaked are to be believed.

This is where something does not quite add up: Snowden, reportedly a fastidious technical man, does not seem to have known how the system works, or exactly what it is monitoring.

A source at Facebook has reported that nothing is sent back automatically to Prism and everything has to pass through company lawyers, who decide whether a FISA [Foreign Intelligence Surveillance Act] request is compliant with US law. The US director of national intelligence has confirmed this with a statement containing the following paragraph:

“Prism is not an undisclosed collection or data mining program. It is an internal government computer system used to facilitate the government’s statutorily authorised collection of foreign intelligence information from electronic communication service providers under court supervision, as authorised by Section 702 of the Foreign Intelligence Surveillance Act (FISA) (50 USC § 1881a).”

None of this contradicts anything I have seen or read and yet it is not making the headlines like the initial whistle-blow. So what has Snowden actually achieved?

He has managed to make a confidential capability a very public information store. 

Now that this is public knowledge, state-sponsored hackers will be looking for this as well. If Snowden had the safety of the American public at the forefront of his mind, he did not think it through very far. 

Again, he was reportedly a very fastidious technical man – one of the NSA’s finest. How can he not have realised the consequences of his actions?

When we sign up to government programs we are vetted, cleared and asked to sign things which tell us exactly this – that national security is paramount.

So am I questioning Edward Snowden’s credentials or the story itself?

Politically, the US is now drawing in attack from all sides as to how it could be so underhand, but are they in reality assessing their allies' responses for evidence of their allegiances, their own capabilities, their weaknesses?

Electronically, they are drawing in their enemies, but this is certainly being monitored by something far bigger than Prism. Will it be captured, analysed and used against them? A sprat to catch a mackerel.

So, the consequences may be to draw in attack from around the world, both political and electronic, but what if these are both honeypots? 

What if the story is the trap?


Robert Newby is an analyst and managing partner at KuppingerCole UK
