Report: NSA Circumvented Encryption

Snowden Leaks Unveil One of NSA's Most Guarded Secrets

September 6, 2013.

The National Security Agency has cracked or circumvented much of the encryption that shields global commerce and banking systems, trade secrets and medical records and Internet communications, according to a published report.

The NSA used supercomputers, technical trickery, court orders and behind-the-scenes persuasion to undermine encryption, The New York Times and ProPublica reported on Sept. 5.

"The agency treats its recent successes in deciphering protected information as among its most closely guarded secrets, restricted to those cleared for a highly classified program code-named Bullrun," the publications report, citing documents provided by former NSA contractor Edward Snowden, who fled the country earlier after releasing other NSA documents.

Revelation Called 'Explosive'

Bruce Schneier, a widely followed cryptography expert, author and blogger, characterizes the revelation as explosive. "Basically, the NSA is able to decrypt most of the Internet," he writes in his blog. "They're doing it primarily by cheating, not by mathematics. ... Remember this: The math is good, but math has no agency. Code has agency, and the code has been subverted."

According to the news report, some of the NSA's most exhaustive efforts have concentrated on encryption widely used in the United States, including Secure Sockets Layer, virtual private networks and the protection used on fourth-generation smartphones.

Richard Stiennon, author of "Surviving Cyberwar," depicts the news report as the most "trust-shattering revelation of NSA over-reach yet. We can fix weak encryption, but re-establishing trust with certificate authorities that apparently are assisting the NSA will be much harder. The very foundation of trust in computing, communications and commerce has just been kicked out from beneath us. A disastrous crisis of confidence is upon us."

The news report reveals that the NSA worked with American and foreign technology companies to introduce weaknesses into commercial encryption products, allowing backdoor access to data that users believe is secure, which could cause problems for America's technology sector.

Impact on Foreign Trade

"Global commerce depends on trust in the underlying technical infrastructure that enables it," says Jacob Olcott, former cybersecurity counsel to the Senate Commerce, Science and Transportation Committee. "The system is jeopardized when trust is broken."

Allan Friedman, research director at the Brookings Institute Center for Technology Innovation, picks up on that theme: "With foreign governments already suspicious - and jealous - of the U.S. IT industry, this couldn't have come at a worse time. This could have huge implications for foreign trade."

The publications report that the NSA began investing billions of dollars in 2000 in a clandestine campaign to preserve its ability to eavesdrop. "Having lost a public battle in the 1990s to insert its own 'back door' in all encryption, it set out to accomplish the same goal by stealth," the news report says.

Citing documents and interviews with industry officials, the Times and ProPublica say the NSA deployed custom-built, superfast computers to break codes and began collaborating with technology companies in the United States and abroad to build entry points into their products. The documents do not identify which companies have participated.

The NSA breached target computers to snare messages before they were encrypted, according to the news report. And the agency used its influence as the world's most experienced code maker to covertly introduce weaknesses into the encryption standards followed by hardware and software developers around the world, the report states.

An intelligence budget document reveals the program continues. "We are investing in groundbreaking cryptanalytic capabilities to defeat adversarial cryptography and exploit Internet traffic," the director of national intelligence, James R. Clapper Jr., wrote in his budget request for the current year, according to the news report.

Follow Eric Chabrow on Twitter: @GovInfoSecurity
