NSA Breaks Data Encryption, Tech Firms Break Trust
Sep 7, 2013 5:00 AM PT
News that the U.S. National Security Agency has worked steadily for at least the past decade to systematically undermine security has sparked an uproar on the Internet.
The agency -- whose motto is "Defending Our Nation. Securing the Future" -- has circumvented or cracked much of the encryption used to protect global commerce and banking systems, medical records and other sensitive data, and the communications of Americans and others, according to a report published in ProPublica.
It apparently also has worked with high-tech companies in the U.S. and abroad to introduce backdoors into commercial encryption products, and weakened the international encryption standards adhered to by developers worldwide.
The latest revelations, following disclosures about the NSA Prism surveillance program, might "significantly impact U.S. sales of encryption software and hardware to other countries," Joseph Lorenzo Hall, senior staff technologist at the Center for Democracy & Technology, told TechNewsWorld.
To Mis-Serve and Unprotect
In addition to working with high-tech companies to build backdoors into their products, the NSA reportedly has deployed custom-built supercomputers to break encryption.
It also has hacked into target computers to grab messages prior to their encryption, and covertly introduced weaknesses into encryption standards.
The news makes the NSA's statement in its security configuration guide ring hollow, and it casts doubt on the agency's claim that it develops consensus-based security guidance jointly with OS vendors and security experts.
Encryption technology, including SSL, VPNs and the protection used on fourth-generation smartphones, is a major area of focus for the NSA.
"The math behind cryptography still appears solid, but insecure implementations, weak keys, or human vulnerabilities are being used to circumvent it," Steve Weis, chief technology officer at PrivateCore, told TechNewsWorld.
The agency is still investing in groundbreaking cryptanalytic capabilities to defeat adversarial cryptography and exploit Internet traffic, Director of National Intelligence James Clapper reportedly said in his budget request for the current year.
Racking Up the US Trade Deficit
"I suspect that U.S.-based technology vendors selling outside of the U.S. will face extra scrutiny in the aftermath of these revelations," PrivateCore's Weis said.
The NSA's partnership with high-tech companies to undermine encryption "will have huge economic ramifications, as worldwide consumer and business trust in U.S. products declines," Dan Auerbach, a staff technologist at the Electronic Frontier Foundation, told TechNewsWorld.
That could hit the U.S. economy hard -- U.S. Department of Commerce statistics show that the U.S. exported nearly US$204 billion worth of computer and electronics products in 2012, while importing more than $355 billion worth of those products, to chalk up a deficit of more than $151 billion.
That deficit could balloon astronomically if U.S. sales of hardware, software and other electronics should fall because of these latest revelations about the NSA.
To combat this risk, technology companies need to offer visibility into how their products work and provide customers the means to control their privacy, Weis said.
"It's unlikely that there are backdoors in everything. The reports haven't given us great insight into exactly what hardware is compromised," Auerbach pointed out.
"I don't see businesses and consumers throwing up their hands and just giving up [on purchasing] encryption or security products," Daniel Castro, senior analyst for the Information Technology & Innovation Foundation, told TechNewsWorld.
Users can turn to end-to-end encrypting technologies such as PGP and S/MIME, which "appear to be strong and safe," or to startups such as Silent Circle and Gryphn.co, which offer highly secure end-to-end encrypted products, the CDT's Hall said.
"Companies may need to take a serious look at whom they are trusting and why, and take steps to reassert control over their own data," PrivateCore's Weis suggested. Enterprises "need to take ownership for establishing trust in untrustworthy environments."
Businesses should use the most up-to-date open security products and should fight requests to modify their technology to facilitate wholesale surveillance, CDT's Hall maintained.
Likewise, they should fight requests that have no judicial oversight, such as National Security Letters, he said.
The EFF has set up an online petition to stop NSA surveillance.