Are you worried that you are personally under surveillance?
Yes, 100 per cent: I'm a target. If the FBI tried to get a warrant on my computer based on the fact that I have worked with Snowden documents then the odds they would get it are 100 per cent. And I do take pains. But look at that NSA Tailored Access Operations catalogue from 2008. The fact that I'm running an air-gapped computer is irrelevant – if the NSA wanted in, they would get in.
The reason they are not is because they know that if it ever got out that they attacked US journalists, the shit-storm would be ginormous. I do think the NSA tries to follow the law, and the Attorney General has said [the US government] is not going to prosecute the journalists.
Do you think the NSA knows what Snowden took?
They have no idea. That duty damage report made some big assumptions that everything Snowden touched he took, and everything he took he gave to journalists. We know both of those are not true, but if you're doing a prudent damage assessment then that's what you assume – you have to.
What we learned about stealing is that if you break into a server and want 10 documents and the server contains 10,000, it is easier, faster and safer to take them all. Control-A, control-C, and control-V and you're done. In this world where search is cheaper than sort, taking them all is the best way.
We believe he no longer has any documents himself. We believe that before he left for Russia he encrypted them in a way that he could not decrypt them. That was a self-defense mechanism, as protection, and we can do that, we have mathematical ways to do that. It's not hard. He's savvy.
How do you think this situation will look five years down the line?
I think five years is too soon. I think ten years from now this will be looked back on as the start of restoring privacy and security. In five years it's going to be in the middle of the process.
You left Counterpane recently. For the record, that wasn't because BT was unhappy with what you've been saying about the NSA?
Absolutely not. BT was largely supportive of all my writings and outspokenness. The only thing they would get antsy about is when I talked about UK politics, which honestly is fine because between Ross Anderson and Privacy International, they have [that topic] pretty much covered. I didn’t feel I was missing anything because I didn't understand the complexities of UK politics; I was happy to not have opinions on that.
Besides from that, they were nothing but supportive and it was time to do something new.
I formed Counterpane in 1999 and BT took it over in 2006, so it was all running for a long time. Honestly, I was itching to go back to a startup. I wanted something new.
So what's your new role as CTO of Co3 systems about?
Co3 provides coordination software for incident response. You remember a decade ago I was talking about protection, detection and response. I founded Counterpane to do detection, and Co3 is about response and coordination.
It turns out that's a really big area now. Look at the Target breach, their response was incompetent. So the CO3 system automates coordination - you put in your policies, or if you're a small firm it knows best practice, it knows the laws and regulations, and it sends the emails, tracks the actions and makes sure that the FBI as alerted and laws are followed and then documents it all so that when you're sued afterwards you can prove you did it.
We have feeds from threat intelligence and detection systems, and the software makes instant response not a disaster. The problem with people's emergency response plans is that they only ever look at them in an emergency, and that's not when you want to start looking for this stuff - you want it to be as automated as possible so you don’t forget anything.
Two things are going on here. Attacks are getting more complicated and the laws are getting more complicated. Both have to be covered to handle litigious lawsuits after the effect. So it's kind of a no brainer. ®