I am still putting my personal thoughts together on the recent NSA revelations. The short version is that when you look at it in the context of developments in vulnerability disclosure and markets, we are deep into a period of time where our benign government has actively undermined the security of citizens, businesses, and even other arms of government, at scale, in order to develop and maintain offensive capabilities. (Yes, I’m a patriotic type who considers our government benign.)

They traded one risk for another, with the assumption that the scale and scope of their activities would remain secret. Now that they aren’t, we will see a free-for-all.

That’s why I am even writing about this on Securosis. Those of us in security need to prepare for both system/design vulnerabilities and specific implementation flaws. We may have to replace hardware, as foreign governments and criminals find these flaws (they will).

I don’t believe this was done maliciously. It appears to be mission creep as individual units worked towards their mission without considering the overall implications. Someone at the top decided it was better to leave us exposed to widespread exploitation than lose monitoring capabilities and miss another terrorist attack (these programs existed to some degree before 9/11, but clearly have exploded since then). It was a calculated risk decision. One I may not agree with, but can sympathize with.

But the end result is that we may be in the first days of cleaning up some very fundamental messes.

Now that we have direct evidence, the risks of external attack have increased for organizations and consumers. The issue has gone beyond monitoring and data collection to affect every security professional, and our ability to do our jobs.