Earlier this year, the director of national intelligence told Congress that cybersecurity is now a bigger threat to the security of this country than terrorism, echoing a similar point previously made by the head of the FBI. Members of Congress have heard this message loud and clear, holding numerous hearings, proposing legislation, and repeatedly stressing that cybersecurity is a high-priority issue.
Yet just last week, the New York Times, Guardian and ProPublica revealed that the National Security Agency has leveraged its “cooperative relationships with specific industry partners” to insert vulnerabilities into Internet security products. Similarly, newspapers reported that “the agency used its influence as the world’s most experienced code maker to covertly introduce weaknesses into the encryption standards followed by hardware and software developers around the world.”
NSA has two, often conflicting roles. (1) It steals the secrets of foreign governments and other intelligence targets (which, we’ve recently learned, includes all Americans), and (2) it is responsible for protecting the security of American government computers and networks from foreign threats.
Traditionally, one of the main ways that NSA achieved its offensive signals intelligence role was by breaking the codes used by intelligence targets. For example, during world war II, the US and UK governments worked together to discover critical flaws in the cryptography used by the German and Japanese militaries. In 1945, there were limited uses of cryptography outside of the government. However, today, cryptographic technology is in widespread use: our credit card numbers are encrypted as they are transmitted over the Internet when we make online purchases; our electronic health care records are encrypted by hospitals; the searches we enter into Google are encrypted, preventing others from learning what we’re searching for; and the video calls we conduct with our loved ones using Skype and FaceTime are encrypted as they are transmitted over the Internet.
Not only do we all rely on encryption to protect our private information, but the same encryption technologies are widely used around the world. A journalist in New York and a human rights activist in Egypt will likely use the same encryption technology to protect their communications. Terrorists, drug kingpins, foreign government ministers, and millions of Americans all use the same technologies to secure their communications and private data. It would be one thing if the NSA had discovered and exploited unintentional design flaws in the encryption and security technologies we all use. However, the media reports last week suggest that NSA has in fact worked to insert intentional flaws into security software, both by manipulating the technical standards setting process and by collaborating with “patriotic” American technology software companies.
NSA is prioritizing its own foreign intelligence collection goals over the security of the Internet. The agency is gambling that the flaws it is exploiting will never be discovered by other governments’ intelligence services, or by hackers. As Howard Schmidt, the former White House cybersecurity czar observed earlier this year, when governments quietly exploit, rather than fix security vulnerabilities “we all fundamentally become less secure.”
During a hearing last fall on the risks associated with Chinese networking technology, House Intelligence Committee Chairman Mike Rogers observed that that “Americans have to trust our telecommunications networks” and that “when vulnerabilities in the equipment, such as backdoors and malicious code can be exploited by another country, it becomes a priority and a national security concern.” Chairman Roger’s point about the risks associated with vulnerabilities and backdoors is just as valid if those backdoors have been placed there intentionally by the NSA as the Chinese.