NSA spying could prove costly to Internet businesses, experts say

The continuing revelations about National Security Agency spying on sensitive data kept by Silicon Valley companies are feeding fears that Internet companies in this country could suffer billions of dollars in lost business.

Following disclosures earlier this year that the National Security Agency's Prism program had spied on Apple Inc., Google Inc., Facebook and Yahoo Inc., an industry group put the potential cost at up to $35 billion a year by 2016, while an influential tech research firm estimated the damage at a staggering $180 billion a year. And since then, worries about the potential for lost business have stayed high amid the seemingly endless stream of news stories about other NSA snooping.

Any economic fallout is likely to add to the growing tensions between Silicon Valley and the U.S. intelligence community, with major tech companies joining a growing chorus of critics who want to limit the NSA's extensive data-gathering. And lost revenue could hurt one of the country's most dynamic industries as it continues to recover fully from the Great Recession.

The level of anxiety is especially high in Europe, where the NSA's reported activities have prompted a governmental investigation and a widespread view that it's unsafe to do business with U.S. "cloud companies," which offer software products over the Internet.

"In Europe there is very much a notion of, 'Hey, can I even deal with this American company, especially with cloud providers?' " said Andreas Baumhof, chief technology officer at ThreatMetrix in San Jose, Calif., which provides cybersecurity services via the Internet. Noting that he just returned from a European trip, he added, "This is at the top of everyone's minds."

In surveying its members this summer about the NSA disclosures, the Cloud Security Alliance - which develops security standards for Internet firms - found that 10 percent of the 207 foreign respondents had "canceled a project to use U.S.-based cloud providers" and 56 percent were "less likely" to use U.S. cloud providers in the future.

Such attitudes could prove expensive for companies here, according to the Information Technology & Innovation Foundation, an industry research group. Declaring that "Europeans in particular are trying to edge out their American competitors" in Internet services, it estimated in August that the NSA revelations could cost U.S. cloud providers up to $35 billion in 2016.

That estimate was deemed "too low" by James Staten, an analyst with Forrester Research, which studies business trends. He predicted the potential cost to U.S. cloud providers could reach $180 billion, noting that the NSA disclosures could derail business from potential customers in this country as well as overseas.

Some industry observers have dismissed those reports, arguing that there is little evidence so far of a drop-off of business for U.S. cloud providers. Officials at Google, Twitter, Yahoo, Oracle, Dropbox and Salesforce - which provide Internet-based products - either declined to comment or didn't immediately respond to a San Jose Mercury News query about the impact of the NSA revelations.

But David Castro, a senior analyst who wrote the Information Technology & Innovation Foundation study, said he's heard from overseas companies that their "sales are definitely up" because of the NSA news.

Another group - the Information Technology Industry Council - last week warned that "U.S. government data collection and surveillance programs threaten the innovative vitality of the global digital economy," adding, "many U.S. tech companies are experiencing troubling repercussions in the global marketplace."

Several cybersecurity experts said foreigners are especially worried because U.S. data networks often aren't encrypted to prevent unauthorized access to sensitive information. Just this week it was revealed that the NSA had accessed information from fiber-optic networks used by Google and Yahoo. That prompted Google to say it was encrypting more of its network. Yahoo said it had no announced plans to encrypt its data-center links.

"It is clear that any such traffic must be encrypted if any kind of confidentiality is expected," said Tatu Ylonen, CEO of Finland-based SSH Communications Security.

Indeed, several experts said one benefit that could result from the NSA disclosures is that cybersecurity firms could see increased business, as Internet companies shore up their networks from prying eyes.

"Absolutely, our business is growing very rapidly," said Jeff Hudson, CEO of Venafi, a Utah security company with an office in Palo Alto, Calif. Referring to the repeated revelations about NSA spying, he added, "People are starting to wake up because this keeps happening over and over again."

©2013 San Jose Mercury News (San Jose, Calif.)
Distributed by MCT Information Services