In the 21st century, anyone who uses the Internet—from terrorists plotting jihad to teenagers trading cat photos—relies to some extent on encryption. And that makes us all targets.
The NSA’s actions and policies are a threat to the Constitution and to the very future of the internet. Many in the privacy and civil liberties community are coming to terms with the reality that they are up against a hostile intelligence service that has used and will continue to use every means at its disposal to break open source encryption technologies. That became apparent in December 2014 when Der Spiegel, drawing on documents in the Snowden archive, revealed the extent of the NSA’s assault on core internet technologies and protocols used for all manner of secure communications online, including banking. While some of those technologies still appear to be viable for ordinary internet users, “hacktivists,” journalists, and privacy advocates recognized they were now in a digital arms race against NSA.
NSA uses multiple tried‐and‐true methods to achieve its goal, from the least expensive to the most:
Legislation: The de facto legalization of mass surveillance through laws like the PATRIOT Act and the Foreign Intelligence Surveillance Amendments (FISA) Act helps NSA’s overall collection process. But as we know from revelations about NSA’s activities under the Reagan‐era Executive Order 12333, they are just a few of the tools at NSA’s disposal and not necessary ones for targeting individuals or organizations outside of the U.S., including organizations employing U.S. citizens.
Source recruitment/penetration: NSA’s successful efforts to subvert the encryption standards processes at the National Institutes for Standards and Technology were documented in 2013. In late 2014, we learned of more NSA efforts to electronically or physically penetrate key global telecommunications companies and international standards organizations. The goal is always the same: find the right people who will compromise encryption keys, encryption standards, or entire networks to facilitate and maintain NSA access to all available traffic, regardless of type or mode of transmission.
Invest in new brute‐force attack methods. When I worked on the U.S. Commission on Research and Development in the U.S. Intelligence Community, it became clear that NSA’s obsession with certain emerging technologies was driven by a palpable sense of fear that the spread of encryption globally would cause NSA to “go dark.” That obsession will continue to drive NSA’s efforts for ever‐larger, always secret appropriations to find the next best technology and techniques to allow it to make all communications—by foreign governments or by me and you over the internet—readable in as close to real‐time as possible.
If these efforts were focused only against actual or potential enemies of the United States, Americans would strongly support it. Indeed, it was that kind of focus that allowed American military cryptographers to break key Japanese codes in the Pacific theater and British codebreakers to crack Nazi Germany’s “Enigma” cypher machine in World War II, the latter achievement depicted in the 2014 movie “The Imitation Game.” But the NSA’s new “imitation game” threatens the very foundations of our democracy and our tech‐reliant economy. Hoarding secret vulnerabilities doesn’t just preserve NSA’s capabilities against its adversaries, it also preserves their adversaries’ capabilities against all the innocent users of cryptographic tools—including gay people like Alan Turing living in surveillance states that still consider homosexuality a crime. It’s a game none of us can afford to play.