In its myopic quest to ensure that no digital communication remains hidden from its panoptic gaze, the National Security Agency has worked to undermine the security of all Internet users, a new story in the New York Times reveals. As security expert Bruce Schneier aptly summarizes the report, “Government and industry have betrayed the internet, and us.”
In this case, the Times notes, the NSA has not just arrogated power to itself in secret, but has done so after unambiguously losing an extended public political debate in the 1990s over whether the government should be legally provided with backdoor access to encrypted communications, or attempt to prevent strong encryption software from being available to users around the world. As security experts understood, and successfully argued at the time, ensuring that companies and individual users around the world could trust the security of their communications was vastly more important than ensuring the NSA or FBI would never encounter a message they couldn’t decipher—something that, in any event, would be impossible to guarantee.
Having justly lost the public debate, the NSA secretly decided to sacrifice the rest of the world’s interests to its own goals anyway:
According to an intelligence budget document leaked by Mr. Snowden, the N.S.A. spends more than $250 million a year on its Sigint Enabling Project, which “actively engages the U.S. and foreign IT industries to covertly influence and/or overtly leverage their commercial products’ designs” to make them “exploitable.” Sigint is the acronym for signals intelligence, the technical term for electronic eavesdropping. […]
Simultaneously, the N.S.A. has been deliberately weakening the international encryption standards adopted by developers. One goal in the agency’s 2013 budget request was to “influence policies, standards and specifications for commercial public key technologies,” the most common encryption method.
Cryptographers have long suspected that the agency planted vulnerabilities in a standard adopted in 2006 by the National Institute of Standards and Technology and later by the International Organization for Standardization, which has 163 countries as members.
Classified N.S.A. memos appear to confirm that the fatal weakness, discovered by two Microsoft cryptographers in 2007, was engineered by the agency. The N.S.A. wrote the standard and aggressively pushed it on the international group, privately calling the effort “a challenge in finesse.”
In some cases, it sounds as though the NSA has arranged for backdoors to be placed in equipment used by specific adversaries, such as foreign goverments, which may well be a reasonable tactic. But here we are talking about something much worse: the deliberate introduction of vulnerabilities in widely used commercial products and, even more far reaching, into the abstract technical standards followed by the designers of security software.
This is a bit like publishing faulty medical research just to prevent a particular foreign dictator from being cured. It makes everyone on the Internet more vulnerable, increasing the chances that dissidents will be uncovered by despotic regimes and that corporations will fall victim to cybercriminals. It’s in the nature of the Internet that sensitive data will sometimes flow in unpredictable ways, through untrustworthy systems, on the way to its destination—which means our ability to use the Internet for anything remotely sensitive, whether it’s an intimate conversation or just an online credit card purchase—depends critically on our trust in the strength of the encryption systems protecting that data. The NSA has been doing its best to ensure that trust is unwarranted—which is an additional shame for U.S. tech companies, whose corproate clients must already be busy looking for providers who won’t sell them deliberately broken security products.
Bear this in mind the next time you see people on Capitol Hill wringing their hands about the threat of a possible “Digital Pearl Harbor”—especially if they think the solution is to give more data and authority to the NSA. Because the agency is apparently perfectly happy to hand weapons to criminals and hostile governments, as long as it gets to keep spying too.