Security Think Tank: Prism fallout could be worse than security risks

Does the data collected by Prism put the US Government at risk from other state or non-state sponsored activists?

In considering whether the data collected by Prism puts the US government at risk, it is worth considering whether the vulnerability comes as a result of it being apparent that all of this data has been collected and therefore presents a target, or the reaction to the will on the part of the US to collect it. 

With regard to the data collection itself, few truly understand just how deep this exercise goes, and many speculate that it is not as deep as has been projected in the media furore.  

The risks here are therefore not clear and it is probably premature to speculate about them.  

We are facing a situation with the potential to undermine US intelligence activities across the world and as such expose agents to some degree.   

It is however hard to say if it is as damaging as the Wikileaks scandal or FBI spy Robert Hansen’s revelations of our secrets, the latter of which resulted in nine reported executions of US agents. 

The investigation on the US side continues at full-tilt. What leaves US authorities uneasy is the lack of clarity about what Snowden has or has not done, what he remains capable of and to whom he may ally himself in the future.

This is also a situation that has polarised society. 

No one sees this as a trivial incident. Privacy advocates continue to project him as a hero, while the rest of the community wants to hang him. 

It is sure to motivate vigilante response from both sides with the potential to have significant impact. WikiLeaks, for example, motivated many cyber-activists to act, not just on authorities but also companies, such as Mastercard, who responded to demands to withdraw their service from this site.

States, extremist groups and civil protesters alike may feel morally justified by this case to launch disruptive cyber-attacks. The intended victims may feel justified to turn to vigilantism as they go on the offensive themselves.

Developments with Stuxnet and Flame illustrate we are already at a point in time when global corporations and international governments are intensely re-evaluating their organisations’ security strategies – no longer based on keeping hackers out but based on the assumption that hackers will penetrate their systems. 

It is less clear whether this developing offensive mentality and the potential for a cyber arms race represents an improvement or deterioration in our security posture. 

As we continue to watch the Prism revelations unfold, I imagine there are many asking themselves, not whether we are more at risk, but rather whether we have the ability to govern the fallout. 

Hord Tipton is a former US Government CIO and the current executive director of (ISC)2

Read more on Privacy and data protection