I am very careful when writing about security. There is a fine line between an objective discussion on security and engaging in what we often term “FUD” – fear, uncertainty and doubt.
Very often people see security discussions as FUD attempts and nothing more than an exercise to scare people and compel them to buy products they do not really need. At times, it can be pretty hard, even for people in the industry, to tell FUD apart from a legitimate security argument.
The recent media outpouring over espionage and leaked files is a perfect example of how thin the line is between fact and FUD. Just type in “Edward Snowden” or “industrial espionage” and you’ll get enough reading material to last you weeks. But how much of what has been written is based on fact and not pure supposition?
The problem is that while some of the stories theorize about industrial espionage, others have been reporting it as fact. Different countries have been accused of spying on their neighbors, with the allegations focusing on spying on big business to give local companies an edge during trade negotiations.
Is this classic FUD (which appears to be the case at the beginning) or is there genuine cause for concern? It’s really hard to say. I think it’s an undeniable fact that actual data-gathering has taken place. It has been reported that high-profile services like Google were targets of data-gathering efforts. What that data is being used for is anybody’s guess, but analysts do have a point when they fear the data might be used for industrial espionage. Without getting into the debate over whether these practices are endorsed by the governments involved, it’s not a far-fetched idea that a patriotic employee working for one of the national intelligence agencies, and with access to such data, could pass it on to companies to ensure they or the country they are based in would have an edge on deals worth billions of dollars. Is it happening? Yes or no, it doesn’t really matter because the risk is real and one that cannot be avoided or dismissed easily.
That said, I don’t believe this is something that every company needs to worry about. Someone may do so when there are billions at stake, but would someone risk imprisonment, career, family and infamy over a small deal? I doubt it.
It’s worth noting that data interception/industrial espionage is not something governments alone do. Industrial espionage has been around for many years.
For the majority of businesses, it’s not as big a problem as the media often makes it out to be. At the same time, every business can do something to prevent it. Encrypting traffic and emails whenever possible can be done even using free tools. And it’s a good idea to consider – regardless of the risk governments may pose to your communication infrastructure.