September 5, 2013
U.S. and British intelligence agencies have cracked the encryption designed to provide online privacy and security, documents leaked by former intelligence analyst Edward Snowden show.
In a clandestine, decade-long effort to defeat digital scrambling, the National Security Agency, along with its British counterpart, the Government Communications Headquarters (GCHQ), have used supercomputers to crack encryption codes through “brute force” and have inserted secret “back doors” into software with the help of technology companies,The Guardian,The New York Times and ProPublicareported Thursday.
The NSA has also maintained control over international encryption standards.
As the Times points out, encryption “guards global commerce and banking systems, protects sensitive data like trade secrets and medical records, and automatically secures the e-mails, Web searches, Internet chats and phone calls of Americans and others around the world.”
The American Civil Liberties Union, which has filed a federal suit challenging the government’s collection of telephone communications data, immediately called the NSA’s efforts to defeat encryption “recklessly shortsighted” and are making the Internet less secure for all.
In a statement, the ACLU said the actions will “further erode not only the United States’ reputation as a global champion of civil liberties and privacy but the economic competitiveness of its largest companies.”
“The encryption technologies that the NSA has exploited to enable its secret dragnet surveillance are the same technologies that protect our most sensitive information, including medical records, financial transactions and commercial secrets,” said Christopher Soghoian, principal technologist of the ACLU’s Speech, Privacy and Technology Project. “Even as the NSA demands more powers to invade our privacy in the name of cybersecurity, it is making the Internet less secure and exposing us to criminal hacking, foreign espionage, and unlawful surveillance.”
The spy agencies have focused on compromising encryption found in Secure Sockets Layer (SSL), virtual private networks (VPNs) and 4G smartphones and tablets. The NSA spent $255 million this year on the decryption program — code named Bullrun — which aims to “covertly influence” software designs and “insert vulnerabilities into commercial encryption systems” that would be known only to the agency.
The documents leaked by Snowden, who has been granted temporary asylum in Russia, do not name specific companies or encryption technologies, and refer to customers and users as “adversaries.”
The NSA calls its decryption efforts the “price of admission for the U.S. to maintain unrestricted access to and use of cyberspace.”
A 2010 memo describing an NSA briefing to British agents about the secret hacking said, “For the past decade, N.S.A. has led an aggressive, multipronged effort to break widely used Internet encryption technologies. Cryptanalytic capabilities are now coming online. Vast amounts of encrypted Internet data which have up till now been discarded are now exploitable.”
The GCHQ is working to penetrate encrypted traffic on what it called the “big four” service providers – Google, Yahoo, Facebook and Microsoft’s Hotmail.
One document shows that by 2012, the British agency had developed “new access opportunities” into Google’s systems.
Major tech companies did not immediately respond. In the past, they have said they cooperate with government agencies only as prescribed by law.
The NSA says code-breaking is fundamental to its mission of protecting national security by deciphering communications from terrorists, spies or other U.S. adversaries.
During the 1990s, the agency fought unsuccessfully to have a secret government portal included in all encryption protocols.
Experts and critics say that while “back doors” may help intelligence gathering, they weaken the Web’s overall security and trust, and could be used against Americans.
“The risk is that when you build a back door into systems, you’re not the only one to exploit it,” Matthew Green, a cryptography researcher at Johns Hopkins University, told the Times. “Those back doors could work against U.S. communications, too.”
Bruce Schneier, a security technologist, examined the documents before they were published and authored an analysis for the Guardian. He told USA TODAY that they are the biggest revelations yet from the documents leaked by Snowden and said they show NSA has “subverted” much of the Internet and tech companies that form its backbone.