Thursday, September 5, 2013

NSA Breaks Internet Security

The New York Times reports on the NSA's attempts to circumvent encryption designed to make internet communications secure:
The agency has circumvented or cracked much of the encryption, or digital scrambling, that guards global commerce and banking systems, protects sensitive data like trade secrets and medical records, and automatically secures the e-mails, Web searches, Internet chats and phone calls of Americans and others around the world, the documents show. 
... The agency, according to the documents and interviews with industry officials, deployed custom-built, superfast computers to break codes, and began collaborating with technology companies in the United States and abroad to build entry points into their products. The documents do not identify which companies have participated.
... Because strong encryption can be so effective, classified N.S.A. documents make clear, the agency’s success depends on working with Internet companies — by getting their voluntary collaboration, forcing their cooperation with court orders or surreptitiously stealing their encryption keys or altering their software or hardware. 
... By this year, the Sigint Enabling Project had found ways inside some of the encryption chips that scramble information for businesses and governments, either by working with chipmakers to insert back doors or by surreptitiously exploiting existing security flaws, according to the documents. The agency also expected to gain full unencrypted access to an unnamed major Internet phone call and text service; to a Middle Eastern Internet service; and to the communications of three foreign governments. 
In one case, after the government learned that a foreign intelligence target had ordered new computer hardware, the American manufacturer agreed to insert a back door into the product before it was shipped, someone familiar with the request told The Times.
The 2013 N.S.A. budget request highlights “partnerships with major telecommunications carriers to shape the global network to benefit other collection accesses” — that is, to allow more eavesdropping.
The article goes on to say that the NSA has also coerced or stolen encryption keys from companies and uses its power to weaken encryption systems. This, of course, will have economic consequences. The story concludes:
Ladar Levison, the founder of Lavabit, wrote a public letter to his disappointed customers, offering an ominous warning. “Without Congressional action or a strong judicial precedent,” he wrote, “I would strongly recommend against anyone trusting their private data to a company with physical ties to the United States.”
I can guarantee that the ripples from this will continue to expand. I would not be surprised to see foreign governments begin to refuse to use communication products or services connected with U.S. companies, and eventually, to require their contractors to not use such products and services. I would anticipate more legal action in foreign venues, as well. It is naive to think that an intelligence agency doesn't need decryption capabilities, but it was also naive of those "in the know" to think that the NSA could indefinitely continue subverting global communications without being caught.
