While there is no foolproof defense against government spying, snooping by entities like the National Security Agency could be made far more difficult through the use of Internet infrastructure built on open-source hardware, an academic researcher says.
In an Op-Ed piece published Tuesday in The New York Times, Eli Dourado, a research fellow at George Mason University, argued that companies using open hardware would be in a better position to detect backdoors or vulnerabilities planted by the NSA or any other government agency.
"To make the Internet less susceptible to mass surveillance, we need to recreate the physical layer of its infrastructure on the basis of open-source principles," wrote Dourado, who is with the technology policy program at George Mason's Mercatus Center.
Some experts were skeptical of the idea, saying the NSA would find other means to compromise systems, whether it was through the cooperation of software vendors or finding unknown vulnerabilities in the hardware.
"I don't see how this attempt at disintermediation would succeed," Al Pascual, analyst for Javelin Strategy & Research, said.
According to Dourado, success would come from the fact that anyone could fully audit the hardware, make changes and then distribute the modifications to others. This model has driven the success of open source software used across the Internet today. Such technology includes the Linux operating system and the Apache Web server.
Mistrust over the security of proprietary technology has been fed by revelations that the NSA collaborated with companies like Microsoft, Apple and Google to program encryption weaknesses into popular consumer products and services, which gave the agency the ability to siphon user data. The revelations are based on documents leaked to the media by former NSA contractor Edward Snowden.
The documents have also described how the NSA has been able to tap into the infrastructure of the Internet, intercepting traffic flowing through cables, routers and switches.
Such hardware would be much more difficult to tap undetected, if the companies using it could see all of the underlying technology, including the firmware, Dourado says.
"There is reason to be skeptical about the security of these networking products. The hardware firms that make them often compete for contracts with the United States military and presumably face considerable pressure to maintain good relations with the government. It stands to reason that such pressure might lead companies to collaborate with the government on surveillance-related requests," he wrote.
Examples of U.S. companies that make such hardware include Cisco, Hewlett-Packard and Juniper Networks. However, the same reasoning could apply to competitors based in foreign countries.
While the ability to fully audit hardware sounds good, the reality is many organizations do not have the people with the expertise to continuously examine updates of low-level code in hardware, Murray Jennex, a professor of information system security at San Diego State University, said.
Sign up for Computerworld eNewsletters.