Many people currently ask what to do against governmental surveillance (NSA spying) and some managers even think that standard security measures are useless because “the NSA has access to everything anyway”. But there are other attackers besides secret services and there are also things you can do against governmental surveillance. Here is my list of the most important things to consider:
- Use encryption. The NSA is not able to read all encrypted data with reasonable effort, and if you use the algorithms and key sizes recommended by ENISA you are quite secure. Furthermore, there are tools for anonymized internet browsing like Tor and JonDo.
- Choose European IT companies instead of US IT companies. It will not only help to lower the likelihood that your data leaks to the NSA, but also to put some economic pressure on US companies. US companies themselves will demand to restrict governmental spying if they lose a significant number of customers or users.
- Blow the whistle if you are aware of governmental back-doors in products or systems, unlawful eavesdropping or even attempted blackmail. Media companies like the German SPIEGEL have set up guidelines for informants, and sometimes whistle-blowing is the only way to point out serious deficits. But prepare to run and leave your family 😉
- Request independent audits and product certifications that prove the absence of data leaks to governmental bodies. Choose trusted auditors.
- Continue securing your assets because as a security consultant or manager you are mainly defending the reputation of your company. The NSA would not publish that they hacked your company. But if your customer data gets published or sold by cyber criminals, you will get huge media attention and this will damage your reputation and possibly your shareholder value. Furthermore you also have to comply with laws and regulations.
Note: Governments of countries other than the USA also have powerful secret services and support spying on private and company data and internet traffic without providing transparency. Everyone has to decide for themselves whom to trust, and how far eavesdropping is acceptable and helpful to fight terrorism.