9 September 2013

How the NSA sabotaged the internet

President Barack Obama says that the information gathered by the National Security Agency is subject to restrictions.

Trust is the world's most valuable intangible commodity. Economies, political systems, partnerships and marriages rise or fall based on it. All commerce – both online and offline – rests on it. And yet the US's National Security Agency (NSA) is actively and recklessly undermining the fabric of trust that holds the internet together.

The New York Times, along with the Guardian and ProPublica, has revealed that the NSA spent more than a decade compromising and sabotaging the encryption systems that underpin secure communications via the internet. Since 2010, it has been able to decrypt vast swathes of this supposedly private information at will, and often in real time as it flows over the communication cables that the NSA now routinely taps.

Anyone who's used internet banking or shopped online is familiar with the comforting green padlock that appears in our browsers when we transact online. This padlock tells us "don't worry – the details of this transaction are scrambled so thoroughly that no criminal will be able to get at them."

Were technology the only factor at play, you would be able to trust that green padlock implicitly. The only way to unscramble such encrypted data is with the key. One way to find that key is through "brute force" – tasking legions of computers with "guessing" every possible combination until they hit on the right one. Even with millions of computers at your disposal, the 128-bit encryption that is now standard on the web would require literally billions of years to crack.

So how is the NSA managing to unscramble these billion-year keys? Simple – it is attacking the people who design and maintain them and the infrastructure that holds them, rather than the keys themselves.

One way it does this is to coerce the large internet companies that maintain security systems into handing over the master encryption keys. The NSA maintains a database of these master keys which it uses to decrypt communications on demand. In cases where coercion fails, the New York Times's security sources speculate that keys are "probably collected by hacking into companies' computer servers".

Another vector of attack is to force hardware companies to secretly alter their devices in ways that give the NSA "back door" access to private communications. These chips allow the NSA to grab the data before it is encrypted. The New York Times only has evidence for one such occurrence so far, but the chances of it being an isolated incident are extremely slim.

But perhaps the most heinous breach of trust and common sense is the NSA's efforts to influence the very standards on which security systems are built. The agency has successfully planted vulnerabilities in security standards and then surreptitiously steered them to acceptance by international bodies.

In the late 1990s, the NSA insisted that a back door be added to all security systems. The security industry refused outright, and so the NSA spent the next decade and a half adding back doors without the industry's consent or knowledge.

By far the most troubling thing about these revelations isn't the calculated attack on privacy, or even the troubling closeness of government agencies and corporations; it's the very real chance that technical details of these vulnerabilities will fall into the wrong hands.

If Chelsea Manning or Edward Snowden could publicly leak highly classified information for a good cause, what's to stop a more unscrupulous renegade from using these vulnerabilities to covertly steal millions or even billions of dollars?

Forget mere crime, what's to stop the Iranians or the North Koreans playing the same game? These are nuclear (or near nuclear) states run by dictatorial fanatics. Does the US government really believe intentionally sabotaging the bedrock of encryption technology will not benefit them in the long run?

Doomsday prophecies aside, if the general public loses trust in security and privacy on the internet, the economic and social effects will be catastrophic. The industry spent two decades convincing people that transacting online is safe. Hundreds of billions of dollars in commercial transactions now flow over the internet each year. The NSA and its encryption cowboys would snuff that out in a heartbeat with their reckless and short-sighted snooping.

If the Barack Obama administration has any sense it will immediately call for a halt to these practices and launch an enquiry into them. The American public, and indeed the world, needs to rise up and condemn this unconscionable attack on one of the world's most important resources.

The goal of terrorism is to sow fear and discord in your enemies' ranks, and in so doing divide and weaken them. The NSA's actions are proof that the terrorists are currently winning the long game: they may be killing fewer people, but they are slowly but surely strangling a whole way of life – and the NSA is helping them do so.