Coordinated stories from the Guardian, the New York Times, and ProPublica reveal that the National Security Agency and its British counterpart the Government Communications Headquarters (GCHQ) have undertaken systematic efforts to defeat online encryption standards, compromising the Internet’s fundamental integrity. No brief summary can do these stories justice. Anyone who uses the Internet should definitely read the Guardian one at least.
The rub is that NSA and GCHQ both control web security standards, designing in flaws that only they are supposed to know about. These “backdoors” give direct access to encrypted communications. An example from the Guardian:
Independent security experts have long suspected that the NSA has been introducing weaknesses into security standards, a fact confirmed for the first time by another secret document. It shows the agency worked covertly to get its own version of a draft security standard issued by the US National Institute of Standards and Technology approved for worldwide use in 2006.
“Eventually, NSA became the sole editor,” the document states.
Without exaggeration, these are the most important leaks from former NSA contractor Edward Snowden to date. Intelligence agencies’ methods have unraveled the fabric of cyberspace. Remember, Snowden was not a mere network administrator, but an infrastructure analyst, a hacker charged with finding flaws in NSA systems and recommending preventative measures. He understood these risks.
In an interview with Glenn Greenwald, Edward Snowden noted that certain strong encryption standards can still defeat the NSA, but service providers are easily coerced into surrendering raw, unencrypted data. However, intelligence agencies are increasingly able to decrypt unilaterally. Either way, companies are cooperating, and the NSA is depending on it. The documents naming firms that enabled the NSA to bake flaws into their services are even more classified than those revealed yesterday. Despite his supposedly junior status, Snowden could have burned the Internet to the ground with this information.
Security experts worry about backdoors because anyone can use them. The NSA and GCHQ know where the treasure is buried, but anyone can find it. Most, if not all, web services, with reassuring labels like “HTTP Secure,” are fundamentally compromised. My non-expert speculation is that malicious black hat hackers are already racing to find the access points staring them in the face. But it took the NSA and GCHQ — professionals, public servants — to fracture the Internet’s bedrock. Furthermore, I wonder whether they would even allow white hat hackers to patch the flaws they find. Previous reports stated that Microsoft and others would share security holes with the NSA before fixing them, creating a window of exploitability. But these backdoors are always unlocked.
The NSA is also focusing its unparalleled arsenal of supercomputers on cracking encryption standards with brute force. Snowden used his coming out to express concern that the NSA is waging a war on privacy itself. Whether or not his worst fears are confirmed, they now appear firmly grounded in reality.