Privacy advocates Monday slammed the National Security Agency for conducting surveillance in a way they say undermines cybersecurity for everyone and harms U.S. tech companies.
“We have examples of the NSA going in and deliberately weakening security of things that we use so they can eavesdrop on particular targets,” said Bruce Schneier, a prominent cryptography writer and technologist. Schneier referenced a Reuters report that the NSA paid the computer security firm RSA $10 million to use a deliberately flawed encryption standard to facilitate easier eavesdropping, a charge RSA has denied. “This very act of undermining not only undermines our security. It undermines our fundamental trust in the things we use to achieve security. It’s very toxic,” Schneier said.
In the year since former NSA contractor Edward Snowden's first leaks, attention has focused on the Agency's surveillance itself, fueling debates over whether it is legal and ethical to spy on American citizens or to eavesdrop on the leaders of allied countries. NSA policies that intentionally undermine cybersecurity too often get left out of the debate, said panelists Monday at a New American Foundation event titled “National Insecurity Agency: How the NSA’s Surveillance Programs Undermine Internet Security.”
“If the Chinese government had proposed to put in a backdoor into our computers and then paid a company $10 million to make that the standard we would be furious,” said Joe Hall, chief technologist at the Center for Democracy and Technology. “That’s exactly what the NSA has become: the best hacker in the entire world.”
In a statement to TIME, the NSA denied it had made the Internet less secure.
“While we cannot comment on specific, alleged intelligence-gathering activities, NSA’s interest in any given technology is driven by the use of that technology by foreign intelligence targets. The United States pursues its intelligence mission with care to ensure that innocent users of those same technologies are not affected,” spokesperson Vanee’ Vines said. “Our participation in standards development has strengthened the core encryption technology that underpins the Internet. NSA cannot crack much of the encryption that guards global commerce – and we don’t want to.”
The tension arises due to the two competing missions of the National Security Agency: electronic surveillance and protecting U.S. systems from cyberattacks.
Nearly all of our online communications are encrypted in some way against cyberattack, to protect our bank accounts from thieves and our intimate lives from nosy neighbors. This poses a challenge for the NSA as the agency, since September 11, 2001, has focused less on agents of foreign governments and more on ferreting out terrorist threats. Inevitably the data of innocent people gets caught its dragnet. A Washington Post report Sunday estimated that 90 percent of those caught in the agency’s data surveillance net—including intimate communications like family photographs and emails between lovers—are everyday Internet users not suspected of wrongdoing, many of them American citizens.
The agency has sought to install “backdoors,” hardware and software systems with deliberately weakened security, into some of the most commonly used tech products, as it did in the program codenamed PRISM. American tech companies say this hurts their business in the international marketplace, where users aren’t keen to use software that comes bugged by an American intelligence agency. Major tech firms, including Google, supported an amendment to the defense budget in May to prohibit the NSA from using funds for this kind of backdoor surveillance.
Critics, like panelist Amie Stepanovich, senior policy counsel for the web freedom group Access, say NSA has also worked to crack and undermine encryption standards set by the National Institute of Standards and Technology (the body that establishes the security standards that help protect our email accounts, banking websites, etc.), and hoarded indexes of computer bugs the agency uses to hack into machines rather than reveal the vulnerabilities so they can be fixed.
In the wake of apparently unfounded accusations that the NSA knew about the Heartbleed bug and didn't help fix it, the administration announced this spring it has “re-invigorated” existing policy on how it decides whether or not to disclose or exploit security vulnerabilities it finds. “Building up a huge stockpile of undisclosed vulnerabilities while leaving the Internet vulnerable and the American people unprotected would not be in our national security interest. But that is not the same as arguing that we should completely forgo this tool as a way to conduct intelligence collection,” White House Cybersecurity Coordinator Michael Daniel wrote in April.
At its core the question comes down to a cost benefit analysis. “The fundamental issue,” Schneier said, “is should we compromise the security of everybody in order to access the data of the few.”