American business has entered Never-Never Land, a bizarre place where our own government changes all the rules. Yahoo is the latest example.
Reuters reported last week that Yahoo (YHOO) had complied with a classified U.S. government order to scan all Yahoo Mail traffic for certain information demanded by intelligence agencies. We don’t know what kind of information they wanted.
Perhaps not coincidentally, Yahoo recently said that foreign hackers had obtained millions of user passwords. Such things happen when a company intentionally weakens or bypasses its own cybersecurity measures.
Even more interesting, it appears Yahoo hid the government-directed security breach from its own cybersecurity team. Technology news site Motherboard, citing anonymous former employees, said Yahoo security staff found the scanning tool during a routine checkup.
The company already had a mail scanning system that looked for malware, child pornography, etc. The sources said the U.S. spyware wasn’t simply an addition to that scanner. They described it as a poorly designed, buggy “rootkit.” Executives then told them about the intelligence request.
The engineers were angry, to say the least. Their own government was hacking them with their own company’s permission. Yahoo security chief Alex Stamos appears to have resigned over the issue.
I’ve mentioned Stamos before, by the way. In 2015 he confronted National Security Agency head Mike Rogers at a conference over the NSA’s information demands. Now I wonder if there was a hidden subtext to that public encounter.
So, did the Yahoo security team find the NSA rootkit or not? Neither answer is good.
If they did find it, then the NSA is spending billions on secret cyber-spying tools that can’t even penetrate unclassified commercial networks like Yahoo without being discovered.
That’s not encouraging about their ability to breach Russian and Chinese government systems.
If Yahoo didn’t find the NSA rootkit, then we all have to wonder how much of the hacking activity we see in the news really emanates from our own government.
Network administrators and cybersecurity professionals also face a disturbing truth. It is possible, even likely, that your own company is lying to you or concealing things you need to know.
Did Yahoo’s board know this was going on? Is our own government ordering public company executives to hide major business risks from directors and shareholders?
I think the answer is almost certainly yes. Google (GOOGL), Microsoft (MSFT) and other cloud data companies that deny similar cooperation may well be lying to us – with the U.S. government’s full permission and protection.
We can’t have a normal economy under those conditions. Investors have to know they can rely on public company disclosures. This is foundational to our financial markets.
Welcome to Never-Never Land, where you never know who’s watching and you never know the whole truth.