Security Think Tank: Prism fallout could be worse than security risks

Does the data collected by Prism put the US Government at risk from other state or non-state sponsored activists?

In considering whether the data collected by Prism puts the US government at risk, it is worth asking whether the vulnerability arises because it is now apparent that all of this data has been collected and therefore presents a target, or from the reaction to the will on the part of the US to collect it.

With regard to the data collection itself, few truly understand just how deep this exercise goes, and many speculate that it is not as deep as has been projected in the media furore.  

The risks here are therefore not clear and it is probably premature to speculate about them.  

We are facing a situation with the potential to undermine US intelligence activities across the world and as such expose agents to some degree.   

It is, however, hard to say whether it is as damaging as the WikiLeaks scandal or FBI spy Robert Hanssen’s revelations of our secrets, the latter of which resulted in nine reported executions of US agents.

The investigation on the US side continues at full-tilt. What leaves US authorities uneasy is the lack of clarity about what Snowden has or has not done, what he remains capable of and to whom he may ally himself in the future.

This is also a situation that has polarised society. 

No one sees this as a trivial incident. Privacy advocates continue to project him as a hero, while the rest of the community wants to hang him. 

It is sure to motivate a vigilante response from both sides, with the potential to have significant impact. WikiLeaks, for example, motivated many cyber-activists to act, not just against authorities but also against companies, such as Mastercard, that responded to demands to withdraw their service from this site.

States, extremist groups and civil protesters alike may feel morally justified by this case to launch disruptive cyber-attacks. The intended victims may feel justified to turn to vigilantism as they go on the offensive themselves.

Developments with Stuxnet and Flame illustrate we are already at a point in time when global corporations and international governments are intensely re-evaluating their organisations’ security strategies – no longer based on keeping hackers out but based on the assumption that hackers will penetrate their systems. 

It is less clear whether this developing offensive mentality and the potential for a cyber arms race represents an improvement or deterioration in our security posture. 

As we continue to watch the Prism revelations unfold, I imagine there are many asking themselves, not whether we are more at risk, but rather whether we have the ability to govern the fallout. 

Hord Tipton is a former US Government CIO and the current executive director of (ISC)2


"Privacy advocates continue to project him as a hero, while the rest of the community wants to hang him."

Wow, you must live in a very small community! This story is far bigger than that now. Just look at how Latin America is responding to the "kidnapping" of the Bolivian president. Apparently Obama WILL scramble jets to get a 29yr old hacker. How many more enemies does the US need?


Shame this article is so rushed it doesn't really make sense after the first 6 paragraphs, which are actually pretty clear and well reasoned. Does the author realise that most people on the planet are neither privacy advocates nor "out to hang" anybody?

Snowden's revelations and any possibly related increase in vigilante hacktivism aren't really connected to the general increase in internet security threats.

If I have understood it, the last paragraph supports my belief that transparency is inherently a good thing for governments, as for everyone, not least because the impact of people eventually finding out what they are doing in the name of their citizens can be so harmful. You can't "govern the fallout" because you can't delete the information the world now has.


The main risk is that the non-Nato countries will decide that they cannot afford to leave the Internet in the hands of the IETF, ICANN and W2C (with all their communications monitored by the US) and will vote, via the United Nations, to hand control "back" to the ITU - and thus replace its evolution (in response to a tangled mix of technology push and market pull) by the "governance by government appointed committees" from which it escaped after the collapse of X25. Those who do wish this to happen have some hard thinking to do in advance of the IGF in Bali. Otherwise that will not be a "talking shop" but a "wake".