The latest case of government data snooping revealed by whistleblower Edward Snowden still has the power to shock. According to German publication Der Spiegel, a top-secret document in the Snowden archive shows GCHQ staff based in Bude, Cornwall infiltrated the networks of “several” German high-tech companies in order to spy on the internet traffic passing through their communications nodes, as well as monitor their employees and customers.
The undated 26-page document explicitly names three German firms – Stellar, Cetel and IABG – which Spiegel says were targeted for surveillance by listening stations in Bude operated jointly by GCHQ and America's NSA. It claims that the surveillance was carried out in order to spy on the internet traffic flowing through their high-speed nodes.
The document identifies the key customers of internet communications firm Stellar, and the names and email addresses of 16 employees, including CEO Christian Steffen, in order to “task” or monitor them.
GCHQ also identified the servers and customers of German internet service provider Cetel, which has customers in Africa and the Middle East as well as one “northern European country that uses Cetel to connect its diplomatic outposts to the internet”.
Finally, the document quoted by Spiegel – and so far not questioned by those named – shows GCHQ interested in German aerospace firm IABG, saying it may have already been targeted by the NSA in a case of what could be “industrial” rather than “political” espionage. IABG's customers include the German Defence Ministry and armed forces, and it was involved in projects like the Airbus A380 super jumbo jet and the Ariane European space rocket.
In the wake of the revelations, Steve Durbin, global vice president of the Information Security Forum (ISF) industry body, says organisations should toughen up their information security controls.
He told SCMagazineUK.com via email: “Revelations that governments and their agencies are monitoring voice and data communications, and cracking encryption algorithms through ‘backdoors’ has fundamentally undermined trust in cyberspace.”
As a result, Durbin said: “Organisations should reinforce basic information security arrangements. This means understanding what and where the most critical information assets are and their key vulnerabilities and the main threats against them. Standards and controls should be in place to mitigate the associated risks to these assets. Going up against a nation-state backed adversary is not a fair fight.”
The revelations come shortly after a Lieberman Software survey showed that the rising level of government surveillance has already driven a third of organisations away from using cloud storage for their data.
Security expert Professor John Walker, a director of cyber security service firm ISX, agreed companies should be cautious but should not necessarily rule out cloud storage.
He told SCMagazineUK.com: “Security in the cloud can be strong, but only when it is provisioned with a wide understanding of the adverse conditions.”
For example, he said, companies considering cloud-based solutions such as Office 365 should examine whether they are subject to legislation like the US Patriot Act “that may imply the right-to-access”.
Walker said the increased focus on information security in business was a good thing, advising: “Expect to be breached – and then work toward mitigating that expectation. And if you are deploying to cloud, then understand where your data is stored, what legislations are applicable, and ask the question about backing out and the complete data destruction of ‘your’ assets.”
Durbin added that organisations should stay up-to-date with government activities in all jurisdictions in which they operate. He also suggested joining in threat intelligence-sharing forums, and “cultivating a culture of information risk to build information security capabilities within the organisation”.
GCHQ issued its standard statement in response to the Spiegel claims, saying it does not comment on intelligence-related issues but "all of its work is carried out in accordance with a strict legal and policy framework which ensures that our activities are authorised, necessary and proportionate".