Researcher argues for open hardware to defend against NSA spying

While there is no foolproof defense against government spying, snooping by entities like the National Security Agency could be made far more difficult through the use of Internet infrastructure built on open-source hardware, an academic researcher says.

In an Op-Ed piece published Tuesday in The New York Times, Eli Dourado, a research fellow at George Mason University, argued that companies using open hardware would be in a better position to detect backdoors or vulnerabilities planted by the NSA or any other government agency.

[NSA chief seeks more data from private sector in sharing offer]

"To make the Internet less susceptible to mass surveillance, we need to recreate the physical layer of its infrastructure on the basis of open-source principles," wrote Dourado, who is with the technology policy program at George Mason's Mercatus Center.

Some experts were skeptical of the idea, saying the NSA would find other means to compromise systems, whether it was through the cooperation of software vendors or finding unknown vulnerabilities in the hardware.

"I don't see how this attempt at disintermediation would succeed," Al Pascual, analyst for Javelin Strategy & Research, said.

According to Dourado, success would come from the fact that anyone could fully audit the hardware, make changes and then distribute the modifications to others. This model has driven the success of open source software used across the Internet today. Such technology includes the Linux operating system and the Apache Web server.

Mistrust over the security of proprietary technology has been fed by revelations that the NSA collaborated with companies like Microsoft, Apple and Google to program encryption weaknesses into popular consumer products and services, which gave the agency the ability to siphon user data. The revelations are based on documents leaked to the media by former NSA contractor Edward Snowden.

The documents have also described how the NSA has been able to tap into the infrastructure of the Internet, intercepting traffic flowing through cables, routers and switches.

Such hardware would be much more difficult to tap undetected, if the companies using it could see all of the underlying technology, including the firmware, Dourado says.

"There is reason to be skeptical about the security of these networking products. The hardware firms that make them often compete for contracts with the United States military and presumably face considerable pressure to maintain good relations with the government. It stands to reason that such pressure might lead companies to collaborate with the government on surveillance-related requests," he wrote.

Examples of U.S. companies that make such hardware include Cisco, Hewlett-Packard and Juniper Networks. However, the same reasoning could apply to competitors based in foreign countries.

While the ability to fully audit hardware sounds good, the reality is many organizations do not have the people with the expertise to continuously examine updates of low-level code in hardware, Murray Jennex, a professor of information system security at San Diego State University, said.

"In principle a good idea, but in practice not so much," he said.

"Auditing code is always difficult, this will be low-level code that is difficult to follow. I think it will create an illusion of openness that will still be relatively easy to conceal backdoors and such in."

Dourado has his supporters. James W. Gabberty, a professor of information systems at Pace University, said "no other information security control trumps the importance of regular and comprehensive auditing."

"Moving towards an Internet infrastructure that is 100% auditable by both governments and companies alike makes the most sense since, after all, we live in an era of increasing paranoia exacerbated by highly publicized regular hacking incidents of our most important societal systems," he said.

Trust of U.S. technology in light of the NSA revelations has become a concern for vendors selling overseas. Malcolm Harkins, vice president and chief information security and privacy officer for Intel, recently told Network World that customers have expressed a lack of confidence in U.S.-based tech vendors.

[Senator vows fierce defense of NSA data collection surveillance programs]

Brazil's president, Dilma Roussef, was so angered after learning that she, the state-owned oil company and citizens were spied on by the NSA that she postponed attending a state dinner in her honor in Washington, D.C. Brazil is considering laying fiber optic cable to avoid having its Internet traffic run through the U.S.

Even if governments, universities and private organizations switched to hardware and software that was "100 percent open and auditable," they wouldnt be completely safe from spying, Dourado conceded. However, they would make surveillance efforts more difficult and less effective.

"A 100 percent open-infrastructure Internet -- a trustworthy Internet -- would be an important step in the empowerment of individuals against their governments the world over," he concluded.

Join the CSO newsletter!

Error: Please check your email address.

Tags securityhardware systemsU.S. National Security Agency

More about ApacheAppleCiscoGoogleHewlett-Packard AustraliaIntelJavelinJuniperJuniperLinuxMicrosoftNational Security AgencyNSA

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Antone Gonsalves

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place