It’s all over the news at this point, and worse than I thought. This new information actually makes PRISM seem like a footnote.
The NSA (US spy agency) and the GCHQ (UK spy agency) actively subvert the encryption standards themselves; they team up with corporations to provide cryptographic keys and possibly plant backdoors in software; they might have a program aimed at subverting hardware (or more likely, the firmware that runs atop the hardware). All in all, the intell agencies are making the world of commerce and connectivity less secure, according to the Guardian.
The NY Times reports on this topic as well.
This is much worse than I thought when Snowden’s original revelations came to light. I can understand why reporters were threatened/detained. The more information we’re getting on this, the more disturbing the narrative.
What I’ve gleaned so far is that the intell agencies are taking steps to subvert security of running systems (to facilitate online attacks as needed) and of encryption (to facilitate spying on data in-transit as well as data at rest, such as stored on devices or in the cloud). Anything that the NSA has touched is suspect at this point, echoing Bruce Schneier’s fears. Contributions that the NSA has made (“for security”) to SELinux and encryption and hashing algorithms should be considered untrustworthy.
The most alarming and insidious concern perhaps is the partnership with corporations. Any large company, including Microsoft and Google, should logically be considered untrustworthy. It’s possible that the NSA has backdoor access (in some respect) to Windows computers. The NSA might conspire with manufacturers to clandestinely infect hardware (firmware, most likely) ordered by an “adversary” prior to shipment. The largest impact is the systemic loss of security that any backdoor or other security-weakening mechanism imposes. If there is a backdoor or weakness of any kind in an operating system or encryption algorithm, it could surely be exploited by others, including foreign governments. This means the “system” as a whole is more vulnerable.
- The first item for politicians is to immediately augment oversight on National Security Letters, if not ban them altogether. Companies shouldn’t face immediate gag order upon being issued NSLs, and the secret courts aren’t nearly sufficient in dealing with NSLs.
- Next, politicians should hold James Clapper accountable for lying to Congress and to the public. He should at least be fired. He should also be investigated for perjury, not to mention violations against statutes forbidding NSA spying on Americans.
- Lastly, politicians should better define what intell agencies are and are not allowed to do, and give companies protection in the event that they object to legitimate abuses of power by the NSA and others. One thing that no intell agency should ever be able to do is force any company to install a backdoor in their software, for any reason. Soliciting data on a suspect with court order is fine and is a normal law enforcement practice; planting backdoors affects innocent and guilty alike, and reduces the security of everyone.
In addition to the public, American companies should really be shocked at these revelations. US corporations stand to lose long term credibility whether they were involved or complicit with the NSA’s spying efforts or not. Effort to move away from US based services and product vendors might not be immediate, but could mark the beginning of a long road away from the US, especially as emerging markets continue to develop. At risk of sounding dramatic, this could be the start of the end of American’s golden age of tech; the countries and companies that come out of this mess in a stronger position are ones without NSA baggage and with strong, enforced, and transparent privacy laws that forbid many of the very things that the NSA has been doing against the American people and against the people of many other nations.