The latest Edward Snowden-powered exposé published by the New York Times, ProPublicaand the Guardian is, to me, the most frightening. It reveals that the National Security Agencyhas moved beyond its historic role as a code-breaker to become a saboteur of the encryption systems. Its work has allegedly weakened the scrambling not just of terrorists’ emails but also bank transactions, medical records and communications among coworkers.
Here’s the money graf:
“The NSA hacked into target computers to snare messages before they were encrypted. And the agency used its influence as the world’s most experienced code maker to covertly introduce weaknesses into the encryption standards followed by hardware and software developers around the world.”
I’d be disappointed if the NSA hadn’t figured out how to do that hacking trick. But adding vulnerabilities to standard encryption techniques? That’s just making the job easier for hackers to make sense of the scrambled data they steal.
The outrage is still pouring in from various advocacy groups. Here’s a succinct condemnation by the Center on Democracy and Technology, one of the more centrist of these organizations:
“These revelations demonstrate a fundamental attack on the way the Internet works,” senior staff technologist Joseph Lorenzo Hall wrote in a statement. “In an era in which businesses, as well as the average consumer, trust secure networks and technologies for sensitive transactions and private communications online, it’s incredibly destructive for the NSA to add flaws to such critical infrastructure. The NSA seems to be operating on the fantastically naïve assumption that any vulnerabilities it builds into core Internet technologies can only be exploited by itself and its global partners.”
Every form of encryption can theoretically be cracked, given enough time and processing power. But the mere use of encryption has encouraged data thieves to look elsewhere for targets, on the same principle that even weak bike locks are effective when there are unlocked bikes nearby.
The easier it is to pick the electronic locks used online, the less of a deterrent they become.
The NSA’s efforts appear to be the Plan B implemented after the Clinton administration failed to persuade the communications industry in the mid-1990s to use government-developed encryption technologies for voice and data transmissions. The decryption keys would have been held by the government, available to the NSA as necessary. But industry ultimately rejected the plan because of a fundamental vulnerability: a stolen or cracked “master key” could have unlocked every bit of scrambled data.
The latest Snowden-leaked documents outline a multi-pronged assault by the NSA on the various forms of encryption used online. Its techniques included more traditional code-breaking as well as the aforementioned hacking and weakening efforts. Thursday’s stories didn’t identify the forms of encryption that the NSA undermined, saying more generally that the agency had targeted the secure version of HTTP, Secure Sockets Layer, virtual private networking technology and the encryption used on 4G smartphones.
In short, the implication of the mass of documents leaked thus far is that the NSA is not just monitoring seemingly every utterance on the planet, it is planting weaknesses in the security technology that protects legitimate online communications for the sake of decrypting illegitimate ones.
I’m looking forward to hearing the NSA’s defenders explain why we should feel safer now.