Trust, Safety, And The NSA

2013-09-05 21:32:11 by chort

If you have any interest in security or privacy, you've probably read the revelations today that the NSA has been actively trying to subvert commonly available and commercial crypto. If for some reason you haven't read Bruce Schneier's essays on the topic, you should do so now.

The NSA is supposed to be protecting Americans and keeping us safe from threats. One way of doing that is to surveil adversaries and get advanced warning of their plans to do harm. The NSA has unparalleled ability to collect intelligence, does pioneering research into threat detection, and has vast resources to bring to bear. As a result, they see a lot more threats than anyone else, and they can see the failings of many domestic victims who are being attacked. It appears that the NSA has lost faith in the ability of domestic organizations to protect themselves, and thus feels that the NSA is the last, best, and only chance to protect Americans.

If you allow that premise, then any development which limits the NSA's ability to gather intelligence is a threat to their ability to protect domestic entities. Since strong encryption is extremely difficult to break, there's a very real possibility that encryption could be developed that's so strong even the NSA wouldn't be able to defeat it directly. That's a threat to their collection ability. If the NSA believes the most important thing is that they have access to all secrets, and that protection of US data from other adversaries is secondary, it's easy to see how "good enough" encryption could be the goal of the NSA. In other words, encryption that's good enough to defeat most threats, but not so good that the NSA can't break it. Since few agencies in the world exist with the resources of the NSA, "good enough" crypto might beat all but the most determined nation-states.

Viewed from a certain angle, this almost makes sense. As long as the NSA doesn't get caught intentionally weakening cryptography, everything seems fine. The NSA can keep surveilling all the network traffic it wants to, keeping an eye on every fiber strand for signs of trouble. They can, in their minds, keep acting as the nobel guardians of US safety. As long as they don't get caught... And then Snowden happened.

To be fair, this isn't a completely new development. As Schneier points out, cryptographers have long suspected potential foul-play by the NSA, but no one has had conclusive proof. Now we have very close to clear evidence that the NSA has been tampering with security of systems to intentionally weaken them, in order to allow spying--is it any coincidence they've been warning about foreign powers doing the exact same thing? The result has been a massive loss of trust in US institutions. Not only has the NSA lost the trust of the public, but now standards bodies like NIST are also losing trust. The US was once a leader in international technical standards, but now that is in jeopardy as even friendly foreign nations are becoming wary of US spying.

Herein lies the great irony: Apparently it was lack of trust in US private institutions that lead the NSA to tamper with encryption and embark on domestic surveillance, but in order for public institutions to have legitimacy the citizens have to trust them. Now it's been shown that the NSA and the executive branch are wholly unworthy of the trust that was placed in them. As we're seeing with the Syria situations, despite the President's insistence that we must intervene and citing all kinds of intelligence to support this, the vast majority of American's don't believe him. The NSA cannot operate effectively without public support, and by overstepping their bounds in an attempt to bring greater safety and further US interests, the NSA has achieved exactly the opposite.

Secrecy is proving to be a great enemy of democracy. If drastic steps are not taken soon to reverse course, the very underpinnings of our society and our global standing are at grave risk.

Add a comment:




max length 1000 chars