“The files show,” reported the Guardian this morning, “that the National Security Agency and its UK counterpart GCHQ have broadly compromised the guarantees that internet companies have given consumers to reassure them that their communications, online banking and medical records would be indecipherable to criminals or governments.”
A decade ago internet rights groups had thought they had won what has become known as the First Crypto Wars. Governments had sought to control encryption through a combination of stringent export laws and enforced crypto key escrow so that it could decrypt anything it wished whenever it felt it was necessary. Faced with huge opposition, it seemed as if government had backed off and the Crypto Wars were won. But now the latest leaks show they simply chose a different route – to defeat encryption itself.
The files show three primary methods: NSA control and influence over the setting of encryption standards; the use of supercomputers to ‘brute-force’ crypto keys; and most disturbingly, “the most closely guarded secret of all – collaboration with technology companies and internet service providers themselves.”
There appears to have been some sort of breakthrough in crypto cracking around 2010. "For the past decade, NSA has lead [sic] an aggressive, multi-pronged effort to break widely used internet encryption technologies," stated a 2010 GCHQ document. "Vast amounts of encrypted internet data which have up till now been discarded are now exploitable." The nature of this breakthrough is not made clear, but an internal NSA memo says that British analysts “were gobsmacked!”
The overall extent of the NSA’s crypto success can be seen in a ‘top secret’ GCHQ document that says it is exempt from disclosure under the Freedom of Information Act. It states, “For the past decade, NSA has lead an aggressive, multi-pronged effort to break widely used internet encryption technologies. Cryptanalytic capabilities are now coming on line. Vast amounts of encrypted Internet data which have up till now been discarded are now exploitable. Major new processing systems, SIGDEV efforts and tasking must be put in place to capitalize on this opportunity.”
One of the most worrying methods for this crypto subversion has been to collaborate with the industry. Snowden said back in June, "Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on.” The implication is that the NSA and GCHQ have prevented or subverted that proper implementation at the vendor level.
Key to this would appear to be the NSA’s Project Bullrun, which, says one of the leaked documents, “deals with NSA's abilities to defeat the encryption used in specific network communication technologies. Bullrun involves multiple sources, all of which are extremely sensitive." Noticeably, both the NSA and GCHQ run schemes for vendors to have their security products assessed. But the NSA’s Commercial Solutions Center, says the Guardian, “is used by the NSA to ‘to leverage sensitive, co-operative relationships with specific industry partners’ to insert vulnerabilities into security products.”
'NSA- and GCHQ-certified' could take on a new meaning for security products.
Bruce Schneier, a cryptographer who combines a role as CTO with BT (named as one of the UK companies that has co-operated with GCHQ’s Tempora surveillance program) and a board member of the EFF, has called for engineers to take back the internet. "The US government has betrayed the internet. We need to take it back," he wrote in the Guardian yesterday.
Schneier offers a three-point plan. "One, we should expose... We need whistleblowers.
"Two, we can design... In particular, we need open protocols, open implementations, open systems – these will be harder for the NSA to subvert.
"Three, we can influence governance. I have resisted saying this up to now, and I am saddened to say it, but the US has proved to be an unethical steward of the internet. The UK is no better... we need to demand transparency, oversight, and accountability from our governments and corporations.
"Generations from now," he concludes, "when people look back on these early decades of the internet, I hope they will not be disappointed in us."