In its myopic quest to ensure that no digital communication remains hidden from its panoptic gaze, the National Security Agency has worked to undermine the security of all Internet users, a new story in the New York Times reveals. As security expert Bruce Schneier aptly summarizes the report, “Government and industry have betrayed the internet, and us.”
In this case, the Times notes, the NSA has not just arrogated power to itself in secret, but has done so after unambiguously losing an extended public political debate in the 1990s over whether the government should be legally provided with backdoor access to encrypted communications, or should attempt to prevent strong encryption software from being available to users around the world. As security experts understood, and successfully argued at the time, ensuring that companies and individual users around the world could trust the security of their communications was vastly more important than ensuring the NSA or FBI would never encounter a message they couldn’t decipher, something that, in any event, would be impossible to guarantee.
Having justly lost the public debate, the NSA secretly decided to sacrifice the rest of the world’s interests to its own goals anyway:
According to an intelligence budget document leaked by Mr. Snowden, the N.S.A. spends more than $250 million a year on its Sigint Enabling Project, which “actively engages the U.S. and foreign IT industries to covertly influence and/or overtly leverage their commercial products’ designs” to make them “exploitable.” Sigint is the acronym for signals intelligence, the technical term for electronic eavesdropping. […]
Simultaneously, the N.S.A. has been deliberately weakening the international encryption standards adopted by developers. One goal in the agency’s 2013 budget request was to “influence policies, standards and specifications for commercial public key technologies,” the most common encryption method.
Cryptographers have long suspected that the agency planted vulnerabilities in a standard adopted in 2006 by the National Institute of Standards and Technology and later by the International Organization for Standardization, which has 163 countries as members.
Classified N.S.A. memos appear to confirm that the fatal weakness, discovered by two Microsoft cryptographers in 2007, was engineered by the agency. The N.S.A. wrote the standard and aggressively pushed it on the international group, privately calling the effort “a challenge in finesse.”