BUDAPEST—A number of security companies with some of the newest and most effective technology available for fighting cyber-threats against enterprises are working outside the United States and some of its closest allies.
The reasons aren’t particularly surprising, given the attention in Europe to the efforts by the Federal Bureau of Investigation to force Apple to reveal the contents of an iPhone used by a terrorist in a California mass killing.
Then, there is the effort by the U.S. Department of Justice to force Microsoft to disgorge the contents of email services running in Europe. European companies have watched these developments with considerable alarm and they’re doing what they can to keep their work beyond the reach of the FBI and the Justice Department.
For that matter, so are some U.S. companies. Microsoft announced during CeBIT in March of 2015 that the company was opening new data centers in Europe that would not be accessible from the U.S.
Those data centers would support cloud computing and storage for European customers, while remaining beyond the reach of the U.S. Government. This move was in direct response to the efforts by the DoJ to force Microsoft to reveal the contents of messages stored on servers in Europe.
Balázs Scheidler, CTO and co-founder of Balabit Corp, an IT security company whose customers include Facebook, T-Mobile and the European Aeronautic Defense and Space Company (EADS), said that while he understands that the U.S. and its allies have to protect their citizens, it’s not necessarily fair to companies outside of their borders.
Scheidler said that he is concerned that if Balabit developed its products in the U.S. he could be forced to implement back doors or other means of access into his products.
He cited the case of the now defunct Texas-based Lavabit encrypted email service, which went out of business in August, 2013 after the U.S. government demanded the company turn over the secure sockets layer encryption keys to enable it to gain access to the email of fugitive former National Security Agency analyst Edward Snowden.
And Balabit isn’t the only European company with those concerns. I’ve spoken with several security companies in the Middle East and Europe, and while they declined to speak on the record, those companies said privately that they didn’t want to be in the position of having to comply with U.S. court orders, or with National Security Letters from the FBI.
Scheidler said that the Apple case was especially worrying: “The FBI wants to force them to embed a back door.” He said that in the security industry they always try to create secure solutions, and “this is exactly the opposite.”
“I’m not sure that anti-terrorism efforts really need that kind of leverage in order to fight it,” Scheidler said. He noted that while some companies may have difficulty fighting off terrorists and cyber-attackers, he thinks that a nation with the resources of the U.S. shouldn’t have much trouble.
“Embedding back doors into security products is not required,” he said, adding that if the U.S. did start mandating such things, every other nation could require the same thing.
U.S. Cyber-Surveillance Demands Keep IT Innovation Offshore
Part of the problem, Scheidler said, is that government security agencies seem to feel they need a back door for any eventuality, but he said that this also isn’t necessary.
As an example, he pointed to Tor, which is designed for secure communications, and which was developed and is maintained by the Naval Research Laboratory in Washington, DC. Several U.S. government agencies, including the U.S. State Department, distribute access to the Tor network to help oppressed minorities or human rights advocates in foreign nations avoid surveillance and oppression by their governments.
It also happens that the Tor network has been used by pedophiles for child exploitation, a fact that has been revealed in several high-profile FBI investigations and criminal prosecutions.
However, the result of the U.S. government’s strong-arm tactics against the technology industry is that some ground-breaking technology, especially in security, simply isn’t happening in the United States. Companies don’t want to find themselves forced to embed back doors, disclose encryption keys or take other actions that would weaken their products’ security to comply with government demands.
While a few companies such as Apple and Microsoft are big enough to resist government demands to weaken product security, most companies are not. The choice is clear for companies that are already located outside the U.S. They can avoid complying with such demands by staying out.
This is also no surprise. When the Edward Snowden leaks revealed the extent of U.S. cyber-surveillance, predictions were rife that this would hurt the U.S. technology sector. When the demands for surveillance expanded to include iPhones and foreign email servers, those predictions were stronger and more frequent. Revelations that the FBI’s National Security Letters were arriving at IT and communication service providers’ offices by the thousands have raised the concerns even higher.
While there is some legislative relief in the works, the mood outside the U.S. is that the government can’t be trusted to honor established international agreements or to respect privacy. While those companies developing products outside the U.S. may still sell their products here, many do not. Worse, in some cases, products from the U.S. aren’t trusted because of the potential for back doors in much the same way that the U.S. doesn’t trust networking or communications products produced in China because of similar fears.
The result of those concerns is that U.S. companies lose their competitiveness in international markets because it becomes more difficult to sell their products. Meanwhile, U.S. service providers find that they have to contend with regulations that have become increasingly onerous.
In one sense, the U.S. has found itself in a predicament of its own making. But that’s only part of the story. The companies that are being hurt by foreign reluctance to trust the U.S. didn’t make the rules and they aren’t willing participants in the over-reaching demands of U.S. surveillance efforts. But U.S. companies are now paying the price for their own government’s actions.