By Cindy Cohn and Trevor Timm
Electronic Frontier Foundation
“Computers are everywhere. They are now something we put our whole bodies into—airplanes, cars—and something we put into our bodies—pacemakers, cochlear implants. They HAVE to be trustworthy.”
–EFF Fellow Cory Doctorow
Cory’s right, of course. And that’s why the recent New York Times story on the NSA’s systematic effort to weaken and sabotage commercially available encryption used by individuals and businesses around the world is so important—and not just to people who care about political organizing, journalists or whistleblowers. Thanks to additional reporting, we now know it matters deeply to companies including Brazil’s Petrobras and Belgium’s Belgacom, who are concerned about protecting their infrastructure, negotiating strategies and trade secrets. But really, it matters to all of us.
We all live in an increasingly networked world. And one of the preconditions of that world has to be basic computer security—freedom to use strong technologies that are fully trustworthy.
Every casual Internet user, whether they know it or not, uses encryption daily. It’s the “s” in https and the little lock you see in your browser—signifying a secure connection—when you purchase something online, when you’re at your bank’s website or accessing your webmail, financial records, and medical records. Cryptography security is also essential in the computers in our cars, airplanes, houses and pockets.
What is the NSA Doing to Make Us Less Safe?
By weakening encryption, the NSA allows others to more easily break it. By installing backdoors and other vulnerabilities in systems, the NSA exposes them to other malicious hackers—whether they are foreign governments or criminals. As security expert Bruce Schneier explained, “It’s sheer folly to believe that only the NSA can exploit the vulnerabilities they create.”
The New York Times presented internal NSA documents with some specifics. They are written in bureaucratese, but we have some basic translations:
- “Insert vulnerabilities into commercial encryption systems, IT systems, networks and endpoint communications devices used by targets”— Sabotage our systems by inserting backdoors and otherwise weakening them if there’s a chance that a “target” might also use them.
- “actively engages US and foreign IT industries to covertly influence and/or overtly leverage their commercial products’ designs” — Secretly infiltrate companies to conduct this sabotage, or work with companies to build in weaknesses to their systems, or coerce them into going along with it in secret.
- “Shape the worldwide commercial cryptography marketplace to make it more tractable to advanced cryptanalytic capabilities being developed by NSA/CSS — Ensure that the global market only has compromised systems, so that people don’t have access to the safest technology.
- “These design changes make the systems in question exploitable through Sigint collection … with foreknowledge of the modification. To the consumer and other adversaries, however, the systems’ security remains intact.” — Make sure no one knows that the systems have been compromised.
- “influence policies, standards and specifications for commercial public key technologies” — Make sure that the standards that everyone relies on have vulnerabilities that are hidden from users.
Each of these alone would be terrible for security; collectively they are a nightmare. They are also a betrayal of the very public political process we went through in the 1990s to ensure that technology users had access to real security tools to keep them safe.
Crypto Wars, Part I
Ensuring your ability to have real security and privacy online was one of EFF’s earliest goals and protecting your ability to use strong encryption was one of our first victories.
In the 1990s, the Clinton administration tried several things to ensure that our technologies were not very safe, including proposing the now-infamous “Clipper Chip,” which sought to compel companies insert backdoors into commercial encryption technologies and enforcing export regulations that effectively prevented the development and distribution of strong encryption.
But in the 1990s, we had a long list of supporters for strong security online, including then-Senator (later Bush Attorney General) John Ashcroft, Senator (current Secretary of State) John Kerry, the National Association of Manufacturers, the U.S. Public Policy Committee of the Association for Computer Machinery, National Computer Security Association and the American Association For The Advancement Of Science.
At the time, the Internet Architecture Board and the Internet Engineering Steering Group, the bodies that oversee architecture and standards for the Internet, put it best, stating:
[a]s more and more companies connect to the Internet, and as more and more commerce takes place there, security is becoming more and more critical. Cryptography is the most powerful single tool that users can use to secure the Internet. Knowingly making that tool weaker threatens their ability to do so, and has no proven benefit.
(emphasis added). These risks have only increased substantially over the past 15-20 years, as virtually all records, both public and private are maintained electronically and stored in networked environments.
The Clipper Chip proposal was defeated in the late 1990s and the encryption regulations were rolled back shortly thereafter. And we thought the matter was settled: the government had no business sabotaging the security of digital devices or communications.
Cryto Wars Part II, Secrets and Lies
That’s why the revelations last week were so shocking and, frankly, angering. Having lost its efforts to make us less safe in Congress, in the public debate, and in the courts, the NSA simply thumbed its nose at our democratic mechanisms and proceeded to sabotage our security anyway—in secret.
Making matters worse, the NSA put itself on the front lines of “cybersecurity” debate, ostensibly because it was concerned about computer security of ordinary people and businesses. That is supposed to be one of NSA’s roles. Yet, one of the most disturbing anecdotes from the New York Times story on encryption was the NSA meeting confidentially with companies under the guise of helping with cybersecurity but then using information they gleaned to weaken systems or induce the companies to do so:
Even agency programs ostensibly intended to guard American communications are sometimes used to weaken protections. The N.S.A.’s Commercial Solutions Center, for instance, invites the makers of encryption technologies to present their products to the agency with the goal of improving American cybersecurity. But a top-secret N.S.A. document suggests that the agency’s hacking division uses that same program to develop and “leverage sensitive, cooperative relationships with specific industry partners” to insert vulnerabilities into Internet security products.
This should give any company pause. It should give Congress pause when crafting dangerous new laws, like an “information sharing” bill just proposed by Sen. Feinstein, that give the NSA new powers. And it should give all of us pause as we consider whether the NSA has become an agency that believes itself to be above the law and beyond our democratic processes.
Time for Action
Thankfully, the recent disclosures have led to at least some change. The National Institute of Standards and Technology (NIST), the government agency in charge of one of the cryptographic standards the NSA has alleged to have secretly weakened, has reopened public comment on its standard and has even gone as far as to recommend people do not use it anymore.
And we’re beginning to see the international computer security community come to grips with this disturbing news.
But we must do more.
- We must rebuild the broad coalition that fought the first crypto wars, including cryptographers, investors, businesses, developers, civil liberties groups, scientists and ordinary people.
- We must expose the vulnerabilities that have been secreted into our technologies. Then we must demand that they be fixed in a way we can confirm on an ongoing basis.
- We must ask standards bodies, companies and individual developers to pledge, publicly and unequivocally, to reject efforts to build backdoors or insert known vulnerabilities into their products—and create transparency so that they can’t secretly cooperate with these efforts in the future.
- We must build our own tools, and support the tools that already exist that are independently verifiable as secure (most prominently, open source tools).
- We must support efforts in Congress to rein in the NSA and bring it back under the rule of law, and we must make sure that Congress specifically forbids the NSA from working to make our technologies less safe.
- And we must not succumb to privacy nihilism.
But the public debate must start from a fundamental principle: The NSA has been making us less safe and it must stop. Now.