Canadian businesses targeted by NSA decryption

Canadian firms implicated?

(Photo: Jeffrey Coolidge/Getty)

New details about the National Security Agency’s ability and efforts to decrypt digital information could raise concerns not only about the security of data held by businesses, but also about the software and services marketed to protect that data. And as with previous information about the American agency’s activity, Canada is likely more involved than one might think.

On Sept. 5, both The Guardian and The New York Times published bombshell reports identifying programs run by the NSA and its U.K. counterpart, the Government Communications Headquarters. The reports point to documents leaked by former NSA employee Edward Snowden and reveal how the NSA has spent hundreds of millions of dollars to defeat encryption technologies, insert vulnerabilities (commonly called “backdoors”) into commercial software products and covertly subvert international security standards.

One critical detail noted that the NSA “actively engages U.S. and foreign IT industries to covertly influence and/or overtly leverage their commercial products’ designs.” While Canada is part of the so-called “Five Eyes” information sharing alliance that includes the West’s English-speaking countries, it’s still a foreign nation from the U.S. standpoint.

It’s unknown which Canadian companies might be working with the NSA, but Wayne Gudbranson, head of tech consultancy Branham Group, says it’s a near certainty that the agency has engaged the Canadian IT industry. Noting that nearly 65% of revenues for Canadian firms come from outside markets, the biggest of which is the U.S., he says he’s “sure they’ve been contacted.” The Branham Group is the publisher of the Branham300, an annual ranking of Canada’s top information and communications tech companies.

Another analyst, who declined to be named because of the sensitivity of the topic, says the issue is and isn’t problematic. On one hand, he says security has appeared to trump all other issues post 9-11 and that Canada has willingly ceded its sovereignty in this regard. But “for businesses it’s an issue because if [the NSA is] data mining this and it’s not just about national security, it’s about national competitiveness for major contracts, say a Bombardier against an Embraer or whatever. I think it poses fundamental questions about who’s controlling the gateway.”

What financial impact this could have on Canadian technology vendors remains to be seen, but at the moment clients have few alternatives. “Will it have an impact on technology vendors, their revenue and their growth? Will organizations say, ‘No, I don’t want to buy that anymore’?” reflects Gudbranson. “I don’t think so.”

He says society has become used to the idea of putting deeply personal information on sites like Facebook. “As an individual am I concerned about the NSA cracking into information about Wayne Gudbranson or the various companies that I own? Yes and no. There’s nothing illegal about what we do. There’s nothing special about what we do in the sense that we are just a business trying to raise money and sell business to technology companies around the world and do market research for them.

“Is some of that information privileged to the account? Absolutely, but would they use it in any way other than identifying ‘Is this a security threat?’ This is just the reality we live in now.”

That may be fine for some on a personal level, but for the enterprise, where multi-billion-dollar deals, earnings and strategies hinge on confidential information, that might be far from good enough. The unnamed source says there’s a “pecking order” and that it’s unlikely participating companies get nothing in return, and that this is where Canadian companies could be disadvantaged. Previous NSA document leaks suggest there could be a quid pro quo, with the U.S. government passing along to companies information that could help the latter’s bottom line.

Gudbranson does say buyers have a right to know if their data is or can be compromised. “If Canadian technology firms, or any firms, have agreed silently with some of these security organizations to assist them without the buyer knowing that, then I think that’s fundamentally wrong.”

There could also be legal ramifications, for both Canadian and American tech firms. Barry Sookman, partner at McCarthy Tétrault, expects to see class action lawsuits in the U.S., where litigation is easier to initiate. In Canada, even if it is found that companies have worked with the NSA to exploit or create vulnerabilities in software, the higher standard for bringing legal action could prove a significant hurdle (although he says Quebec has slightly different laws that make such action more likely to succeed).

However, vendor warranties are often carefully worded and damages hard to prove, even in the U.S., meaning such cases will be far from a “slam dunk,” he says.