The National Security Agency has gone to extraordinary lengths to foil encryption used in commercial technology. A new report in Sunday’s Der Spiegel revealed that the agency’s elite hacker group, known as Tailored Access Operations, infiltrated networks of European telecommunications companies and accessed and read emails that “were believed to be securely encrypted.” From the NSA’s perspective, counter-encryption efforts have led to important intelligence breakthroughs.
That’s why of the 46 recommendations offered by a presidential review panel on government surveillance activities, the one that suggests that the NSA ramp down its efforts against encryption may be met by with a mixture of outrage and laughter in the halls of the agency.
“The U.S. government should take additional steps to promote security, by … fully supporting and not undermining efforts to create encryption standards,” the report’s authors recommend.
Undermining encryption, of course, is precisely what the NSA does. It’s a code-breaking organization. It develops methods and techniques to “subvert, undermine, weaken or make vulnerable” — to borrow from the list of things the panel said the agency should stop doing — the codes that governments, terrorist networks, criminal organizations, businesses and everyday people use to shield their communications from prying eyes.
“Encryption is an essential basis for trust on the Internet; without such trust, valuable communications would not be possible,” the review panel writes. “For the entire system to work, encryption software itself must be trustworthy.”
That may be. But the NSA doesn’t want the entire system to work — at least not all the time. Part of its mission is to capture, read and analyze information. A trustworthy, reliable encryption system can be an obstacle to global surveillance.
The NSA has tried to obscure the lengths to which it goes to undermine encryption standards, a good indication that it won’t abandon that work without a fight. In September, when The New York Times and ProPublica were preparing to report on the NSA’s counter-encryption efforts, the Obama administration tried to persuade the news organizations not to publish their articles, arguing that the revelations might prompt NSA’s targets to switch to new methods of encryption that would be harder to crack. Surely officials have and will continue to make the same argument to President Obama, who has already disregarded one of the panel’s recommendations that the director of the NSA no longer be “dual-hatted” as the commander of U.S. Cyber Command, which oversees computer warfare operations. Those operations, by the way, rely on breaking encryption.
In some respects, the NSA is torn between two competing missions. It breaks codes. But it also makes them, mostly for the purpose of protecting the government’s information. In a recent interview with the national security blog Lawfare, Anne Neuberger, the senior official who manages the NSA’s relationships with technology companies, was asked about news reports that the agency had secretly included a vulnerability into an encryption standard that was developed by the National Institute of Standards and Technology and then adopted by more than 160 countries.
Neuberger didn’t confirm or deny the reports. She called NIST an “incredibly respected close partner on many things,” including setting encryption standards, some of which the agency itself uses. But, she added, NIST “is not a member of the intelligence community.”
“All work that they do is … pure white hat,” Neuberger said, meaning not malicious and oriented solely around defending encryption. “Their only responsibility is to set standards” and “to make them as strong as they possibly can be.” That left out the work that NSA does to defeat those standards, which has included buying privileged access into encryption products sold commercially. On Friday, Reuters reported that the agency paid RSA, a major computer security vendor, $10 million to promulgate an encryption weakness that the NSA had developed.
© 2013, Foreign Policy