Jon Swartz

USA TODAY

Reports of NSA surveillance have raised concerns among tech customers overseas

Tech companies were frustrated that Obama ignored two recommendations by his surveillance panel

Is it possible to make any data NSA-proof?

SAN FRANCISCO — It used to be that tech titans such as Cisco Systems and IBM could bank on fertile markets in Asia and Europe in their quest for worldwide financial domination. Not so much anymore.

The National Security Agency, and revelations about its extensive surveillance operations — sometimes with the cooperation of tech firms — have undermined the ability of many U.S. companies to sell products in key foreign countries, creating a fissure with the U.S. government and prompting some to scramble to create "NSA-resistant" products. The fallout could cost the tech industry billions of dollars in potential contracts, which has executives seething at the White House.

"Suspicion of U.S. vendors is running at an all-time high," says Andrew Jaquith, chief technology officer at cloud-security firm SilverSky.

Cisco, IBM, Microsoft and Hewlett-Packard have reported declines in business in China since the NSA surveillance program was exposed. The Information Technology & Innovation Foundation estimates the NSA imbroglio will cost U.S. businesses $22 billion through 2016. Forrester Research pegs potential losses at $180 billion, which includes tech firms and managed service providers.

The conflagration took on political tones this month when German Chancellor Angela Merkel — whose mobile phone was tapped by U.S. spy agencies — said she would press French President Francois Hollande to back a push for EU-based alternatives to the current U.S.-dominated Internet infrastructure.

"We'll talk with France about how we can maintain a high level of data protection," Merkel said in her weekly podcast in mid-February. "Above all, we'll talk with European providers that offer security for our citizens, so that one shouldn't have to send e-mails and other information across the Atlantic."

The situation is more combustible at home. Disclosures that the NSA routinely cracked encryption, or data-scrambling, technology have heightened the anxiety of industry leaders. But in their pursuit of NSA-proof products, they've alarmed some intelligence officials, who argue that without the ability to break encryption and create "back doors" to enter computer systems abroad, the USA would be disarming at a moment of heightened cyberconflict.

During a speech on NSA reforms on Jan. 17, President Obama angered tech leaders when he did not embrace two recommendations by a panel he appointed to review the surveillance that are of pressing concern to Silicon Valley and the business community. It had recommended the NSA "not in any way subvert, undermine, weaken or make vulnerable" commercial software, and that it move away from exploiting flaws in software to conduct cyberattacks or surveillance.

NSA-resistant products

Many tech companies feel they have no choice but to try to develop NSA-resistant products because customers from China to Germany threaten to boycott American hardware and cloud services they view as compromised.

It's already happening, with large corporate deals either lost or in danger of falling by the wayside.

The United Arab Emirates is threatening to scrap a $926 million intelligent-satellite deal with two French firms unless they remove U.S.-built components. The UAE fears the equipment would contain digital backdoors that compromise the security of data.

About 25% of 300 British and Canadian businesses surveyed by Canadian cloud firm Peer 1 Hosting said they intend to move their computer-hosting operations out of the U.S.

While Internet service providers question the practicalities of how e-mail between the U.S. and other countries would work in such an undefined new service suggested by Merkel, American tech companies caution secure regional networks would fragment the Internet.

With the exception of Microsoft — which says it will let overseas customers have personal data stored on servers outside the U.S. — tech companies such as Facebook and Google have opposed such private European clouds. Their fear: Regional data systems could Balkanize the Internet and undercut its efficiency.

Because they are not U.S. companies, "larger telecoms in Europe can rapidly take advantage of the situation," to the detriment of a Google, Yahoo and Dropbox, says Eric Cowperthwaite, vice president of advanced security and strategy at Core Security.

Silicon Valley's biggest players are loath to publicly discuss their efforts to counter government snooping, but several have taken significant steps.

Yahoo plans to have all its data encrypted by March to make it more difficult for unauthorized parties to decipher data. Google intensified its program to encrypt data passed between data centers — physical facilities scattered across the globe that house computer systems — and telecommunications and storage systems. It also employs network links between data centers that run at high speeds — typically on its own fiber-optic lines — that are harder to tap, according to a source familiar with the company's plans but not authorized to speak publicly about them. Facebook has added an encryption method that limits access to data even if a security key is breached.

Start-ups such as SGP Technologies, meanwhile, have created products such as BlackPhone, touted as one of the most secure smartphones ever. Others are looking into ways to more efficiently encrypt — or scramble — data that's stored on hard drives, network storage devices and clouds. But nothing is impenetrable, especially if faced with a court order or determined hackers, says Carson Sweet, CEO of CloudPassage, a 4-year-old cloud-security company.

"The only way to really make anything that is NSA proof is to not have it connect to the Internet," says Domingo Guerra, co-founder of Appthority, which helps organizations analyze iOS and Android apps for security risks. "There are several apps that are self-contained and don't need to send and receive data to online servers to operate."

Customers need to be aware that as much as they might worry about the NSA, the agency can always use its signals-intelligence capabilities and links with broadband carriers to understand who, when and how often parties communicate without knowing what the contents actually are, says SilverSky's Jaquith.

Analyzing that "metadata" remains the most powerful tool in the NSA arsenal — and it will continue to be so regardless of whatever "NSA-proof" gear vendors convince customers to buy, he says.

Safer in the USA?

In trying to avoid the prying ears and eyes of the NSA in America, companies may face a worse situation overseas.

"Where is the safest place to house your data? It may be the United States," says Trevor Timm, executive director of Freedom of the Press Foundation. "The natural reaction is to move outside the U.S. if you are trying to get away from the NSA. But mass surveillance happens with more frequency overseas, because the NSA thinks there are little to no legal protections for data overseas."

Indeed, the NSA secretly spied on the main communications links that connect Google and Yahoo data centers around the world, according to a report in The Washington Post last October.

Every country has its rationale for digital snooping, says Matthew Prince, CEO of CloudFlare, maker of a website security product. "In the U.S., it's terrorism; in Germany, it's hate crimes."

"Unless you are a nation-state, there aren't any nation-state proof products," says Greg Young, a network security analyst at market researcher Gartner. "Some operating systems and browsers we see having a lot of exploits used on them today got their start as small alternatives. ... But as they grew in popularity, they, too, entered the mainstream and became the targets of general attacks."