Security Think Tank: Snowden likely to prompt security reviews

How should Edward Snowden's revelations about the NSA and GCHQ influence future information security strategies in the UK?

Will we see further Snowden or similar revelations about the NSA and GCHQ in 2014? Probably, writes Peter Wenham.

One thing these revelations have done is to raise awareness of IT security and that is no bad thing – but will companies and organisations change their information security strategies?

Some companies will take the “what will be” approach and carry on as before. Others will take a long, hard look at both their purchasing and operational policies and undertake changes as they see fit. Professional bodies, such as the BCS, and publications, such as Computer Weekly, will help inform their reviews and decisions.

Some companies will be looking to increase their use of open source software, believing that such software will be free of any “back-doors” and thus more “trustable” but, in so doing, they will need to recognise that they need to increase their in-house open source skill sets to use and support these products effectively.

The two flags that I raise with respect to open source are that: 1) the code itself must be sourced from a known, reputable source and that code integrity checks must be performed before use; and 2) in the early days of open source encryption, there were security agency variants (from multiple countries) of the main code, and these were generally undetectable from the real code, fully functional and inter-operable – but a lot easier to break.

This brings me to the question of whether companies are likely to increase their adoption of encryption technologies. My view is that yes, companies will be more likely to use encryption, mainly because of rising security awareness and improvements in the cost and performance of the products (and of course open source encryption is free to acquire) and improvements in ease of use.

Will the Snowden revelation affect the move to greater use of encryption? The answer is both yes and no – it will depend on the organisation involved and its view of the risks to the company but, on balance, I believe that encryption use will continue to increase. It does have a beneficial “due diligence” impact on a company’s image, particularly where data at rest is involved (for example, on a laptop’s hard drive, USB sticks and so on).

Peter Wenham is a committee member of the BCS Security Forum strategic panel and director of information assurance consultancy Trusted Management.
