The debate over security rages on as recent terrorist attacks at Brussels airport have redoubled calls for greater electronic surveillance and stimulated more discussion about Brexit.
Hillary Clinton, currently running to be the Democrat nominee in November's presidential election, put out her own video calling for greater electronic surveillance. “We have to toughen our surveillance, our interception of communication,” she said. “There is no getting around that.”
Current frontrunners for the Republican nomination, Ted Cruz and Donald Trump, went even further, calling for the surveillance of all Muslims on American soil.
Back across the Atlantic, the calls for Brexit and bulk collection have come thick and fast.
Sir Richard Dearlove, former head of MI6, said in an article for Prospect magazine, “Brexit would bring two potentially important security gains: the ability to dump the European Convention on Human Rights and, more importantly, greater control over immigration from the European Union.”
Meanwhile, Sir Max Hastings, a veteran war correspondent and historian, told the media, “Our tolerance of electronic surveillance, subject to legal and parliamentary oversight, seems a small price to pay for some measure of security against threats that nobody – today of all days – can doubt are real."
SCMagazineUK.com reached out to the cyber-security industry, classically a committed foe of backdoors and electronic surveillance, to find out what the leaders of our world think.
Edd Hardy, head of consultancy at CNS group, put it plainly: “No, from the media reports, they already knew that one suspect had been deported from Turkey, so the services presumably knew about him, but did not have the resources to track. If we had bulk data collection, how would it work, we have limited resources, people will be able to hide in the noise and data.”
Trent Telford CEO of Covata told SC that failing to secure bulk data may, in itself, be a national security problem, “and terrorists such as those in Brussels will be looking into this as a way to cause further devastation. It's critical, therefore, that if data is collected, it's put through rigorous security controls such as robust encryption which takes into account geo-location and key fragmentation. Failing to do this only opens up an additional attack vector for terrorists.”
Brian Chappell, director of technical services at BeyondTrust, told SC, “The question becomes not should we collect more data but rather, would it have made a difference in the attacks that have taken place? There is a lot of data being captured about all of us, all of the time and I've no doubt that if the governments had access to every possible piece of data they could, in time, work out exactly how these attacks were orchestrated.”
Mind you, that is never going to happen, added Chappell, “It's a bit like trying to work out fish movements in the Atlantic by staring at 100 square miles of ocean and wanting to see to the bottom, it's probably not going to help as much as being able to see the first few 100m into the entire ocean. Data sharing and analysis sharing is likely to yield more than heaping more data into the mix especially when you consider that ISIS is using encrypted communications.”
Thierry Bettini, director of international strategy at Ilex International, said, “Bulk data is not necessary relevant and can reduce the ability to pinpoint the right information and stop potential attacks. In addition, during the last attacks, response time as been a crucial factor in identifying and stopping terrorists. If bulk data slows down the investigators and analysts, it may end up having the opposite effect.”
Peter Stewart, senior pentration tester from CNS Group, said bulk collection is useless without human intervention. “Bulk collection of SIGINT is great for lead generation, but you need strong HUMINT to actually get things done. The faults in Belgium and Paris are far more to do with HUMINT failures than SIGINT. For all its faults, MI5 & Special Branch penetration of the various IRA groups was a pretty good example of the disruption that covert human sources can do,” he said.
There is a great deal of operational data shared between European countries that helps with counter-terrorism operations, he said. “This isn't limited to MI5 and the police, but includes the Border Agency, ports, and prisons for example. This is the really useful data for security services (rather than pure intelligence services) as it allows them to get data on flight manifests, passport records, etc. This is the day-to-day stuff that is incredibly useful but only if it can be factored into analysis quite quickly (within 24 hours say). Intelligence services such MI6 don't really care about this (on the most part), but if used properly can make-or-break a CT operation.”
Adrian Hayter, senior penetration tester at CNS Group, told SC that these attacks did not strengthen the argument for bulk collection of data.
“The problem with bulk collection of data isn't that it doesn't collect enough data to detect terrorist attacks,” Hayter said. “If you record all phone calls, all Internet communications, etc. then the data related to the planning of terrorist attacks will be in there somewhere. The problem is, the amount of data being collected would be so vast, you wouldn't be able to search through it accurately in real-time. Data would have to be stored for indefinite periods of time and analysed, so now you have delays and a storage problem. If the attackers use throwaway cell phones, the information you glean from their communications is limited anyway.
“What we ultimately see is terrorists moving away from regular methods of communication, as they know governments are watching. There are countless apps that provide encrypted communication between two or more people; most of them would not have to comply with any future UK or US laws concerning government backdoors.”