Microsoft nein danke: snoop scares dog US IT in Europe
And really, it doesn't matter how true it is
IDG's Berlin bureau today secured a denial of Der Spiegel's 'Bundeswehr to ban Microsoft software' story. But actually, it looks to us like one of those denials - the ones that deny something slightly but materially different, while tacitly confirming the original story. And a closer examination of the role of Buckley, Colorado, does kind of suggest the Germans have a point.
The Spiegel report, according to a German Defence Ministry spokesman, "is wrong." The Ministry has "a general licence contract" (presumably of the enterprise variety) with Microsoft, and that remains in force. So the German defence forces will continue to buy Microsoft software, as normal. But, ahem, the Spiegel report didn't say they wouldn't, actually. He went on to tell IDG that the German federal IT security agency, Bundesamt für Sicherheit in der Informationstechnik (BSI), was being consulted about the implementation of various security measures, but he declined to specify what they are.
So, it would appear Germany is concerned about the security of its software systems, and is looking around for alternatives. If there are major contracts up for negotiation in this area it would be surprising if the two companies named by Spiegel, Siemens and Deutsche Telekom, weren't strong contenders, not would it be ludicrous to surmise that the reputations of US suppliers might get non-attributably blackened during the bidding process. On the other hand, it would be difficult to imagine a German Defence Ministry spokesman saying flat out: "That's right, we're dumping Microsoft software because the US government is using it to snoop on us."
The claim that the US National Security Agency (NSA) has access to Microsoft source code does seem to have been bandied about too, and the NSAKEY 'back door' claim may have done service. Neither of these is directly relevant or important, but the (almost certainly correct) general European perception that US IT companies are too damn close to the NSA, and the US government is too damn cavalier about privacy, are.
A Microsoft EMEA spokeswoman covered this for IDG in a positively world-weary tone. There are no back doors in Microsoft products, she said, adding that the old NSAKEY story kept coming back around every two or three months. "We are used to answering these questions." But she did say that Microsoft is talking to the French government (the other major European 'most likely to' when it comes to ditching Microsoft software) about granting it access to source code.
Pause for thought there, team. Microsoft has been bashing the source code access drum for all it's worth for some months now, already gives numbers of its major customers 'look but not touch' access, and is now apparently willing to give the French access - also, presumably, on the basis that they can look, but have to ask Redmond for modifications. Under those circumstances is it in the slightest bit credible that the NSA doesn't have source access? (Which is meaningless, yes, we know that)
One of the more plausible explanations of the NSAKEY incident, by the way, is that it was inserted by Microsoft at the NSA's behest so that the NSA could change secret US government CSP verification keys without having to go to Microsoft each time for a signature for the update. Perfectly reasonable in some lights, but the sort of buddies relationship other security services might look askance at.
You don't even have to be the French security service, which a few years back was embarrasingly spotted spying on US IT execs on behalf of French IT companies, to be pretty convinced that when push comes to shove, US IT companies will strive to be special friends with the US government and US security agencies. This is perfectly plausible, even without statements from the likes of Congressman Curt Weldon (quoted here, a year ago, link below) that the then deputy secretary of defense John Hamre had briefed him that "in discussions with people like Bill Gates and Gerstner from IBM that there would be... an unstated ability to get access to systems if we needed it."
It's perfectly rational for non-US security agencies to suspect US IT companies of being overly friendly with the US agencies, and those of our American readers who have difficulty grasping that might care to try to imagine the reverse. What if, say, France Telecom was lead supplier of videoconferencing technology to the Pentagon? Cast your mind back to France Telecom's and Deutsche Telekom's involvement with Sprint.
Which leads us neatly on to Buckley. Spiegel cited the role of a major satellite ground station in Buckley, Colorado as being why the German foreign service was revising its videoconferencing plans. The magazine quoted a source as saying that by going through Buckley they might as well hold their video conferences in Langley.
The Denver Business Journal comes up with some useful information on the upgraded Buckley Air Force Base in Aurora, Colorado Springs. It gathers information from a fleet of satellites that intercept communications and monitor radar signals, its ostensible role being one of military monitoring (unimportant stuff like missile launches, that kind of crap). But, says the Journal, intelligence experts "are relatively certain that the covered dishes monitor several key communications spy satellites operated by the National Reconnaissance Office or NRO.
"Colorado is a hub for the nation's intelligence-gathering mission. It supports thousands of federal and private-sector jobs and likely brings billions of dollars quietly into the state each year." Well if you were the German foreign ministry considering whacking your discussions around the globe via satellite, you might be a tad concerned about that, mightn't you?
According to our very own Duncan Campbell, who we regret is taken slightly less seriously by The Register than by, say, the European Parliament, "it is becoming common for the U.S. to intersperse radomes for Star Wars purposes and intelligence purposes, as it is doing at Pine Gap in Australia and Menwith Hill in England. This way, local parliamentarians in England and Australia can be kept away from these bases so that they can't observe Star Wars upgrades." His point (he was speaking on a visit to Buckley) was that this is what's being done there too.
Buckley probably does scoop communications traffic as well as waiting for the missile launches that never come, but even if it doesn't, something else does - on behalf of the US government. This is neither disgraceful nor surprising, because any other government would do it if they could. We believe our very own government has a nasty tendency to find itself on the non-European side of this particular pallisade, and we also have some recollection of Siemens being in some way involved in contracting for, er, Echelon. But that's another story, and if true, no doubt another department of the spotless German giant.
So to sum up, we've got in one corner a superpower with the means to snoop on the communications traffic of its allies, and the allies who're sure it does. We've got a bunch of IT companies who would surely do their government's bidding the moment the password "national security" is uttered, and we've got deep European suspicions of this being a two-way buddies street. For example, US agencies have been accused of tipping off US companies when European companies have allegedly (probably/certainly, actually) used bribes to gain contracts.
Forget the rights and wrongs, life's too short. The bottom line is that there exists a climate of suspicion, and that as all of the data goes onto the wires or into the air, there is as inevitability to the move away from US suppliers for government and security purposes. There's a commercial reason for the non-US suppliers to bash the tub like crazy, too, we don't deny that... ®
German armed forces ban MS software, citing NSA snooping
The Register explains why the NSAKEY was a crypto own-goal
Congressman blurts about security-friendly Gates and Gerstner
Our initial take on the NSAKEY stuff
Globenet's view on Buckley
The Business Journal on Buckley
Reality check on the NSAKEY stuff (but we knew that)
(Thanks to all the readers for your input)
Sponsored: Network DDoS protection