How Edward Snowden boosted infosecurity business and...cybercrime

Whatever Snowden's motivations, Ilia Kolochenko contends that the industry has misused the resulting information and often sold kit rather than true security solutions and expertise.

Ilia Kolochenko says industry often used Snowden leaks to sell kit, not security solutions.
Ilia Kolochenko says industry often used Snowden leaks to sell kit, not security solutions.

It's been more than a year now since Edward Snowden started making the news headlines that overshadowed Julian Assange.

The true motivation for Snowden's actions still remain unclear. Many different hypotheses exist, but I will concentrate on impact on the infosecurity market following Snowden's revelations.

Sales teams at many infosecurity companies, large  and small, managed to use Snowden's revelations to frighten their customers and increase sales. The problem is that many stakeholders in the industry received erroneous information, made mistaken conclusions and took wrong actions.

Many ordinary people today tend to think now that the NSA and other governmental bodies have nothing better to do than to hack their home and work computers, mobile devices, sniff their emails and monitor their social networks accounts.

Much of the “proof” disclosed by different media in relation to Snowden's case was very suspect or even hilarious, such as a “hacking tools list” that is said to be used by secret services, where the majority of the “tools” can be downloaded from the web.

Governments employ many brilliant people and security experts (yes, hackers as well) who clearly understand the value of time and money. Governments of developed countries have enough financial, administrative and physical means to get access to your data rapidly and easily when they need.  In many cases they just don't need to involve professional hackers, purchase or develop from scratch expensive 0-day exploits and perform complex chained attacks against you – they have many more efficient means at hand. In some cases it's much easier to steal your mobile on the street than try to hack your email... Are you still using a 4-digit code on your iPhone by the way?

Many, otherwise unnecessary, infosecurity products and solutions were successfully sold on the wave of panic and fear generated by Snowden. For example, corporate DLP systems are extremely useful for some companies, but can even be dangerous to others: people spend their budgets on expensive solutions that prevent the risks they (almost) don't have, subsequently fail to implement solutions that they really need. As a result we have millions of companies that spend more and more on infosecurity, but get hacked ever more often than before.

The results of such artificially motivated sales are dramatic: ordinary people and companies spent their budgets on solutions that they didn't really need, instead of investing in the real needs of their infosecurity infrastructure or hiring competent people.

Huge spending on expensive infosecurity solutions has also provided many buyers with a false feeling of security and the belief that they are totally immune against hackers (that's what vendors often claim). As a result the buyers become less vigilant and open their doors to hackers. Later, when they are hacked, they lose their (already low) confidence in an infosecurity industry that cannot protect them.

While the NSA is reading your emails (if they do so of course) to see if you present a certain risk to “democratic society”, cyber criminals will carefully take any valuable piece of information or data from your inbox - logins and passwords for further attacks, banking/personal/financial data to use or resell, sensitive information and private photos to blackmail you later, etc. Cyber criminals think about the efficiency of their business: as soon as they get inside your device - they will try to maximise their ROI and profit. Regardless of who you are, they will steal all the digital assets you have in order to sell and resell them until total depreciation (usually about one year). They don't really care who you are and what you are doing; for them you are just a source of revenue. They are much more dangerous than the NSA - an organisation with much more important things to do than read your private emails or intercept your IM messages.

I hope both consumers and businesses will finally start prioritising infosecurity risks carefully to avoid inappropriate or inadequate spending, but rather invest in the IT security products and services that they really need to stay secure. Adequate risk evaluation and prioritisation, understanding and identification of the real enemy - and that is the key to survival on the world wide web today. 

Contributed by Ilia Kolochenko, CEO High-Tech Bridge.