Skip to content

Could PRISM Improve Enterprise Security Response?

Dispersion prismWhile we’re all up in arms about the unwarranted data collection that the NSA has been performing, and the potential issues around privacy and legality of the PRISM program, one intrepid reportert stopped to ask the question of how much this is costing the US Taxpayers. “The program was expected to cost $278 million in the current fiscal year, down nearly one-third from its peak of $394 million in 2011.”

It turns out that the US Federal Government is required to provide appropriate compensation for complying with legal orders for data. That makes perfect sense, if you think about it. It costs money, either in the form of equipment or people, to collect the data requested. It’s not a revenue generating event or tied to revenue, so it’s pure cost to the company; they should get some compensation. There’s some disagreement about this, but I think the logic is sound.

The interesting part to me is what hasn’t been reported. I’m interested in how this system afftected the organizations involved. After all, it’s another kind of compliance. Information Security teams have learned how to wield the compliance stick in order to get things done, usually by applying compliance budget in ways that are useful beyond a specific regulation or policy. While the amount of money spent on complying with data collection orders is interesting, we should ask what other capabilities these compliance activities have enabled.

For example, if Verizon or AT&T successfully argued that they needed more expansive full packet capture capabilities across their infrastructure to comply with government surveillance requests, like those associated with PRISM, or to do so more cost effectively, they very well may have simultaneously put themselves in a better position to conduct accurate forensics on malicious attacks. Is there more to this? I don’t know, but if I were an industry journalist, I might just ask a few people.

Post a Comment

Your email is never published nor shared. Required fields are marked *